Monday, September 5, 2011

https: the forgotten security measure

I would never put my credit card details into a non-secure website. And when I log into my online banking, I just wouldn't continue if I didn't see the padlock icon and https at the start of the URL. Like you, I am not an idiot when it comes to security... Why then, in an era when identity theft, phishing and spam are rife, do I fail to apply such stringent standards to the rest of my web browsing?

Nowadays almost every website requires me to log in. Even those that don't try to link to Facebook or Google, or store session information about my browsing in cookies. However discerning I am about which websites I register on, the trust I place in a website is misguided if it doesn't offer a secure (https) connection.

So now a bit of technical information. HTTP is the application-layer protocol (on top of TCP/IP) used for transferring web data. When a browser requests a web page, it sends a GET request over HTTP to the server, which responds with the page. When a user logs in, the browser sends a request (normally a POST, with the form fields in the body; a form that uses GET puts them in the URL instead) carrying the username and password, or whatever fields are on that form. It doesn't matter how carefully the website stores passwords in its database (see my previous blog post about not emailing passwords and MD5): over HTTP the password is still sent across the network in 'plain text'.

Wireshark can capture packets on a local network interface and can be used to see this. It's a bit scary, actually, to see your password in plain text inside a packet on its way across the internet. Wireshark only sees what reaches the interface it listens on, and on a modern switched network, or an encrypted wireless network, it is generally quite difficult to capture packets not intended for me. But does that by itself mean I should no longer be concerned?

Certainly it should mean that we do NOT trust any unsecured / unencrypted wireless network (such as Maccas free wifi etc.), where every other user can capture your traffic. Firesheep, the Firefox extension that copies session cookies from such a network and logs its user in as you, demonstrates the danger. We should also take extreme care on networks we don't trust. When you plug your network cable in (or connect via wifi) and access the internet, the packets travel through many routers and servers to get there. So maybe you trust the first hop, but do you trust the others?
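As an added illustration (not part of the original post), here is what a passive eavesdropper recovers from two constructed plain-HTTP requests, a login POST and a later request carrying the session cookie that Firesheep-style attacks copy, next to a TLS record for which the same parsing yields nothing. The host, account, password and cookie values are made up; the code only parses bytes and captures nothing.

```python
"""Added example: what a passive eavesdropper recovers from captured request payloads."""
from urllib.parse import parse_qs

# Constructed payloads (made-up host, account and token), exactly as the bytes would cross
# the wire. A login form submitted over plain HTTP:
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)
# A later request from the same session; the cookie is all Firesheep needed to copy.
HTTP_SESSION = (
    b"GET /messages HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: sessionid=7d3f9a1c0b; theme=dark\r\n"
    b"\r\n"
)
# The same request after TLS: a record header (0x17 = application data, 0x0303 = TLS 1.2
# record version, 2-byte length) followed by ciphertext, stood in for here by arbitrary bytes.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x20))


def parse_http_request(payload: bytes):
    """Return (method, path, headers, body) if the payload is an HTTP/1.x request, else None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    try:
        method, path = parts[0].decode("ascii"), parts[1].decode("ascii")
    except UnicodeDecodeError:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return method, path, headers, body


def extract_secrets(payload: bytes) -> dict:
    """Everything worth stealing in one request: form fields, cookies and an Authorization
    header. Returns an empty dict when the payload is not cleartext HTTP."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return {}
    _method, _path, headers, body = parsed
    found = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            found["form:" + field] = values[0]
    for cookie in headers.get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        if name:
            found["cookie:" + name] = value
    if "authorization" in headers:
        found["authorization"] = headers["authorization"]
    return found


if __name__ == "__main__":
    for label, payload in (("login", HTTP_LOGIN), ("session", HTTP_SESSION), ("tls", TLS_RECORD)):
        print(label, extract_secrets(payload))
```

The login request gives up the password directly; the second request gives up the session cookie, which is just as useful to an attacker because the server treats whoever presents it as the logged-in user. The TLS record is the same kind of request after encryption, and the parser has nothing to work with.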

traceroute is a command-line tool (tracert on Windows) that shows the 'hops' a packet takes to reach its destination. Over plain HTTP, only one of those hops needs to be compromised for your information to be read, or altered, on the way past.
[Figure: output of tracert www.facebook.com (cropped), showing the hops from my computer to Facebook via internode etc.]

HTTPS is not actually a different protocol from HTTP. Rather, the browser first sets up an SSL/TLS connection to the server, and the ordinary HTTP requests and responses are carried inside that encrypted connection. Two things follow: the contents can't be read (or silently modified) by anyone along the way, and, because the server proves its identity with a certificate during the handshake, the browser can tell it is talking to the site it asked for rather than to an impostor at one of the hops. Wireshark still sees the packets, but their contents are unintelligible ciphertext.

If HTTPS is the 'correct way' of transmitting data over the internet to avoid it being intercepted by other people, why isn't it implemented all the time?
  • Performance - https requires setting up an encrypted SSL/TLS channel, so there is a cost: the handshake adds one or two round trips to every new connection plus a public-key operation on the server, and every byte after that has to be encrypted. How much this matters depends on the size and number of elements on the page and many other factors, but the dominant cost is the extra latency per new connection rather than the encryption itself. It is hard to put a single figure on it, but it is a real cost, and one many websites use as a reason to stay on http.
    [Figure: Firefox warning page, "This server does not have a valid SSL certificate."]
  • Cost - because https is also about 'trusting' a website, a certificate from a company such as Verisign etc. costs a significant amount of money (hundreds or even thousands of dollars each year). (Some companies advertise 'free ssl' certificates - personally I am dubious: what matters is that the issuing authority is one the browser already trusts, and I want to be able to trust 100% in a website with a valid SSL certificate.) It is tempting to say the certificate adds nothing to the encryption and merely avoids the 'warning screen' (as shown in the picture), but that is not quite right. The certificate is what ties the encryption key to the site's name. With a self-signed or mismatched certificate the channel is still encrypted, but the browser cannot tell who holds the key at the other end, and an attacker at one of those hops could present a certificate of their own. So clicking through the warning still protects you from someone passively reading the traffic (and is safer than the same site over http), but not from someone impersonating the site, and I wouldn't encourage the habit. The warning would most likely put visitors off using a website unless they definitely trust it, which is the real reason websites pay.

  • Laziness / apathy / ignorance - once a website is 'working' it tends to be left alone. Also, the potential for identity theft or loss falls on the user of the website, not on the company running it. Add to this the fact that most web users aren't committed enough to security to refuse a website they don't trust to be secure, apart from perhaps a banking website, and you can understand why http is the 'ignored' security hole in our lives.
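To make concrete what the certificate actually buys, here is an added example (not code from the original post): the checks a browser runs before it trusts a certificate for a site, applied to constructed certificate summaries in the dict shape Python's ssl.SSLSocket.getpeercert() returns. The names and dates are invented. Chain validation, i.e. whether the issuer is an authority the browser trusts, is the part that needs a trust store and is left to the ssl module itself; the last function shows the one setting that switches all of this off.

```python
"""Added example: the checks a client runs before trusting a certificate for a hostname."""
import ssl

# Constructed certificate summaries (not real certificates), in the decoded dict shape
# that ssl.SSLSocket.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 10 00:00:00 2011 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan 10 00:00:00 2011 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
}
# Two points in time (epoch seconds) at which to evaluate the certificates.
IN_VALIDITY = ssl.cert_time_to_seconds("Jun 1 00:00:00 2012 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun 1 00:00:00 2014 GMT")


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and '*' is only accepted as the whole
    leftmost label, matching exactly one label (so *.example.com covers mail.example.com
    but neither example.com nor a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate claims; the CN is consulted only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def check_certificate(cert: dict, hostname: str, now: float) -> list:
    """Reasons a browser would warn; an empty list means the dates and the name check out.
    Chain validation (is the issuer a CA the client trusts?) is done by the ssl module
    against the system trust store and is not reproduced here."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(name_matches(name, hostname) for name in cert_names(cert)):
        problems.append("name mismatch")
    return problems


def client_context(verify: bool = True) -> ssl.SSLContext:
    """The setting that decides whether any of the above happens at all. With verify=False
    the connection is still encrypted, but anyone on the path can present their own key
    and the client will accept it: protection against eavesdropping only, not impersonation."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CAs
    if not verify:
        ctx.check_hostname = False        # must be disabled before verify_mode can change
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies(ctx: ssl.SSLContext) -> bool:
    """True if the context will reject an untrusted or misnamed certificate."""
    return ctx.verify_mode != ssl.CERT_NONE and bool(ctx.check_hostname)


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "mail.example.com"):
        print(host, "good:", check_certificate(GOOD_CERT, host, IN_VALIDITY),
              "wildcard:", check_certificate(WILDCARD_CERT, host, IN_VALIDITY))
    print("after expiry:", check_certificate(GOOD_CERT, "www.example.com", AFTER_EXPIRY))
    print("default context verifies:", verifies(client_context()),
          "| verify=False:", verifies(client_context(verify=False)))
```

The warning screen in the picture is the browser reporting a non-empty result from checks like these (or a failed chain check). The client_context(verify=False) variant is the programmatic equivalent of clicking through it every time, which is why scripts that do this are only safe against a passive listener.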

Twitter now defaults to using https. This is a good thing! Facebook still defaults to http, but (only since January 2011) it has an option in the settings to enable 'secure browsing', which you should change asap! This only helps if users are aware of it. Surely Facebook should change it from an opt-in setting to the default, or better still, mandate it. I suspect the reason is the way Facebook apps work: they are NOT served by Facebook even though they appear inside the Facebook page, they come from the developer's own server, and it is up to each developer to support SSL, so many apps won't work over https.

Finally, a word of caution: be careful! Using HTTPS doesn't mean you can do anything you like on the web and be protected; it's just one piece of the security jigsaw puzzle. HTTPS protects the data while it is in transit, nothing more. If you put your credit card number into a bogus https website, nobody along the way can read it, but the end server still gets your credit card number. Remember all the other good advice about not clicking on links in emails etc.

Take an audit of the websites you use. What personal details are you risking via http, and is there an option to use https?