HTTPS All the Time!

Professionals of the internet industry advocate for enhanced security on the internet, and it is important for nontechnical users to acquire a basic understanding of the security mechanisms that underlay most of the internet today.

The major web browsers today support a security measure called HTTPS, which is the hypertext transfer protocol layered over the Transport Security Layer (TLS). Essentially, the hypertext transfer protocol is a way for web browsers, like Chrome, to communicate with web servers that host websites. When combined with the Transport Security Layer, it is possible to conceal data that a user may type or submit in a web form. The process of concealing that data is encryption, which is a concept of paramount importance on the modern internet.

HTTPS offers a multitude of layers of protection for data that users may enter onto a website. The first layer of protection is encryption, which is a process of concealing data such that it becomes a cipher that can only be understood if its reader has a specific key for that data. The mathematics behind encryption is sufficiently complex that it is nearly impossible to “hack” the encryption unless the interceptor already has the private key associated with it. In addition to encryption, the second layer of protection for users is that data will maintain its integrity throughout the entire transfer. In other words, it is impossible for an attacker to intercept the data, change or corrupt the data, and then resubmit it to the webserver. The last layer of security, which is perhaps the most important, protects against “man in the middle” attacks. The sneakiest of readers may come up with a loophole to the abovementioned layers of security to scam users. What if someone simply created a fake website that looked exactly like the real one a user was trying to access?

Fortunately, this has already been solved through an authentication protocol called SSL (secure socket layer). SSL is used to secure credit card and other transactions, and it ensures that users are giving their data to whomever they are intending. The SSL is a certificate that is granted by the government that essentially binds together a domain name, an organization, and a location. Once this connection is established, it is possible to send information securely due to public key cryptography. Essentially, in this form of cryptography, there is a public key and a private key that are used in conjunction with one another. The public key locks information away in a way that is public, and the private key opens that information in a way that is inherently private. The key point is that anyone without the private key will be unable to view the data secured by the public key. If this sounds like a bit of advanced trickery, you are right, but the bottom line is that all of the information is secured.

Some people may believe that individuals should not be required to make their websites HTTPS by default; rather, it should be up to the webmasters. While this seems like a sensible argument, especially if the skeptics believe the onus of security is on the user, there are a number of points that weigh in favor of mandating the use of HTTPS. The principle moral argument is that unwitting users should not be exposed to criminal attackers who want to collect private information. If the moral argument does not resonate in and of itself, though, it should be noted that increased security actually increases trust among users and has a positive return on profits in the long run. In addition to this financial argument, many search engines use HTTPS as a ranking criterion in their algorithms.

There is a large degree of subjectivity involved in determining what information is sensitive and what information should be released to the public. For this reason, most major companies and browsers require that their entire website be HTTPS by default. This protects them from attack, potential liability from said attacks, and ensures they maintain a happy costumer base whose information can be guaranteed to be secure.

It is unreasonable to assume that the onus of all security measures should be on the consumer. It is important to educate people about the dangers of the online marketplace, and it is important to educate people about the criminal activity that is ever-present on the internet, but a user should – by default – assume that basic information they expect to be secure, particularly from a legitimate company, is kept secure. If users can be attacked for engaging in common, every day tasks, the integrity of the internet is itself as risk. In fact, the Internet Engineering Task Force, which is an arm of the Internet Architecture Board, recommends that protocols be required for encrypting all traffic, and in 2014 even went so far as to indicate that “pervasive monitoring” constitutes an “attack” At all stages in the transmission of data, it is possible for such data to be breached; as a result, it is necessary to protect all of said data.

One business consideration that is worth noting is that whether a website uses HTTPS is one of the ranking criteria used by Google . Many companies spend money on research involving search engine optimization – that is, how far up in the ranking of results does the company show up under different keyword searches. Despite the relative controversy, one ranking factor is HTTPS since consumers care about the secure transmission of data and also care about the authenticity of the website they are visiting. It therefore makes sense that discoverability would, at least partially, be a factor of security.

There a myriad reasons that HTTPS should be mandated on the web – privacy is a right, not a privilege. The United States is based on principals and ideals of freedom and liberty, and privacy is one of the core tenants and promises that allow people to be more free. Criminal activity is relatively easy to accomplish on the internet if there are no security layers in place. However, with the addition of HTTPS – at a minimum – criminal activity becomes more difficult by several degrees of magnitude.

The next step in the evolution of the internet is to address how private companies who operate within these protocols, such as Facebook and Google, are using proprietary software to collect private and sensitive data on users in order to exploit them under the guise of improving their user experience. The internet itself is decentralized, and it makes sense that the continued evolution of the internet will be decentralized software and decentralized websites. In fact, there are already several emerging technologies that drastically improve security for users, such as Blockchain technology. Blockchain is a distributed ledger that can be used in the transfer of a type of currency that is immutable and intrinsically secure called cryptocurrency. Much like SSL, blockchain uses public and private keys to ensure that the currency is completely secure. In addition, there is a new protocol called DATT that is a peer-to-peer alternative to HTTP that makes it impossible to sell user data for profit. HTTPS 3 is even a future version of HTTPS that is already being discussed by the Internet Engineering Task Force and may supersede the current standards by introducing even stronger security measures.

With the emerging technologies that are inevitable, the trend towards open source software, increased education among users about corrupt data practices and criminal activity, and the straightforward increase of profit that can be achieved by switching to HTTPS, it is not a difficult argument to make that all web pages should be HTTPS by default. For users who do not believe that HTTPS should be mandatory, it is likely they will fall behind in the times and the natural evolution of web browsers will ensure that their websites are not supported. Rather than being behind the times, it is important for technologists and every day users alike, to advocate for the future, and advocate for security practices that satisfy the demands of every user equally.