Over the past 20 years of the internet's development, we've become overly accustomed to entering HTTP format URLs in our browser address bar. But HTTPS has gradually began replacing HTTP to become the new favorite transfer protocol.
In 2014, the "Let's Encrypt" project, run by the Internet Security Research Group (ISRG) was established to promote full HTTPS for websites around the world. In June of this year, Apple also requested that all iOS Apps use HTTPS by the end of 2016. Google also announced in November that it would begin marking any site "unsafe if not encrypted by January of next year.
Last year, Taobao and Tmall started a massive migration of data with the goal of switching millions of web pages from HTTP to HTTPS for encrypted and trusted Internet access.
The "S" behind the "HTTP" stands for "More secure and more trusted". HTTPS adds the SSL/TLS protocol to HTTP so that the identity of the server may be verified via SSL certificate. This also allows an "SSL encryption channel" to be established between the client and the server, to ensure that the user's data is encrypted during transmission, and also prevents the server from being impersonated by a phishing website.
Why is HTTP obsolete?
Many internet users may not understand why their access data and private information leaked, even though they entered the correct domain name. The internet is full of danger, wrought with data leaks, data tampering, traffic hijacking, phishing attacks, and other security incidents.
Network links on the Internet are increasingly complicated, thereby aggravating security threats. Hackers sitting next to you in Starbucks can sniff your passwords, hacked home routers can eavesdrop on your emails, or Internet Service Providers can secretly inject ads on your browser. All of these threats are caused by the fact that connections have been free and open over HTTP since the inception of the internet.
1.HTTP data is streaking through the Internet- The fact that HTTP is a plain text protocol is one of the main causes of issues like data leaks, data tampering, traffic hijacking, and phishing attacks. As HTTP cannot encrypt data, all communication data is essentially "streaking" across the Internet in plain text form. HTTP message content can be restored through network sniffer devices and some other technical means.
2.Website tampering and hijacking is everywhere- Tampering with websites to push ads can achieve commercial interests, and stealing user information can be used for precision marketing or even telecom fraud. The gray industry chain based on traffic hijacking and data trafficking is already quite developed. Even for well-known high-tech internet companies, hijacking attempts and data tampering are inevitable among the billions of requests handled over a short period of time. Smaller websites are at a greater risk.
3.Smart phones are gaining popularity and WiFi connections are everywhere- Popularity of WIFI hotspots and addition of mobile networks have magnified the risks of data hijacking and tampering. The Starbucks and home router examples mentioned in the beginning of the article are interesting examples.
4.Free networks cannot verify the identity of a website-HTTP cannot verify the identity of a server, so anyone can use a counterfeit server to deceive users and commit phishing fraud.
What are the advantages of HTTPS?
We can significantly reduce the above security risks through HTTPS.
The above figure demonstrates that when the client encrypts the data, even if it is hijacked on its way to the server, all that hijackers will be able to see is encrypted gibberish that cannot be restored to the original data.
The effects on browsers after deployment of various certificates:
Free SSL digital certificate (up IE, down Chrome)
OV SSL digital certificate (up IE, down Chrome)
EV SSL digital certificate (up IE, down Chrome)
HTTPS is being used all over the world
1.The browser shows red flags for the HTTP pages- Going forward, mainstream browsers such as Chrome and Firefox will issue warnings for HTTP pages. Firefox will warn about pages that "submit passwords without using HTTPS" with a red stop icon, and Google Chrome plans to highlight all HTTP sites as "Not secure".
Image source: Googleblog
Normal users may turn away from the site if they see the above icon.
2.Apple forces the ATS standard in iOS- Apple has announced that all apps submitted to the App Store must enable the ATS security standard (App Transport Security) starting January 1, 2017, and all connections must use HTTPS encryption. Android has also issued similar HTTPS requirements.
3.HTTP/2 only supports HTTPS-Browsers such as Chrome, Firefox, Safari, Opera, IE, and Edge all require HTTPS encrypted connections to use HTTP/2.
4.HTTPS improves search rankings-In 2014, Google announced that HTTPS will be an important factor for gaining priority in search rankings. Baidu has also announced that they will start collecting HTTP sites and count HTTP and HTTPS versions of the same domain as the same site. The HTTPS version will then be given priority when the domain is accessed.
5.Government websites in the UK and USA are forced to enable HTTPS- According to the American government guidelines, all government websites were required to enable HTTPS by December 31, 2016. As of July 15, 2016, 50% of government websites have already enabled HTTPS. The UK government also required that all government websites enabled HTTPS on or before October 1, 2016 and also planned to submit service.gov.uk to HSTS pre-load lists for browser vendors to be accessible only through HTTPS.
6.Applications with super high privileges may not be connected using HTTP- Google Chrome has prohibited certain features like geo-location, app caching, and requesting user media from being accessed by insecure connections. Geo-location APIs in web apps that do not use HTTPS do not work properly in Google Chrome versions 50 and later.
Only encrypting part of a web page isn't enough, full-site HTTPS is the best solution.
Many website owners think that HTTPS protection is only required for login and transaction pages. In fact, HTTPS is the best solution for ensuring that all user data is securely encrypted. There is still a risk of hijacking during the HTTP forward process or redirection to HTTPS if HTTPS is only partially implemented.
Case 1: Forward to the HTTPS page from the HTTP page
There are very few websites that offer direct HTTPS access on PC. For example: Alipay websites are mostly forwarded from Taobao, so if Taobao uses unsecured HTTP and XSS is injected to the Taobao page, then the user will never even access the secure HTTPS site.
Image source: EtherDream: The Harm of Traffic Hijacking
Although the word "HTTPS" does not appear in the address bar, the domain name appears to be correct, and most users will assume it is not a phishing site. In other words, as long as the entry page is not secure, it's useless for subsequent pages to be secure.
Case 2: Redirect to the HTTPS page from the HTTP page
Some users access the site by entering the URL www.alipay.com. However, the browser does not know that this is an HTTPS site and therefore uses the default HTTP to access it. However, though an HTTP version of Alipay does exist, its only function is to redirect to the HTTPS version. Once hackers discover a redirection to an HTTPS site, they will block the redirect command, and then reply to the user with the same data that should be returned by the redirection. As a result, users are always on the HTTP site, and their data will be permanently hijacked.
Image source: EtherDream: The Harm of Traffic Hijacking
Full site HTTPS ensures that users only access the site through HTTPS encryption and offers no opportunity for man-in-the-middle redirect hijacking. All well-known websites (like PayPal, Twitter, Facebook, Gmail, and Hotmail) guarantee the security of users' confidential transaction information through Always on SSL (full site HTTP), to prevent session hijacking and other man-in-the-middle attacks. [2]
Image source: Symantec Protects the Entire Online User Experience: with Always On SSL
So the question is, if HTTPS is so good, then why are half of the world's websites still using HTTP?
First of all, many people still think that HTTPS only needs to be implemented if the site needs an SSL digital certificate issued by the proper authority. For traditional models, selecting, purchasing, and deploying a certificate can take a lot of effort. Current mainstream CSPs integrate SSL certificates from multiple certification authorities by a relatively simple process. This reduces the number of users who give up the security of HTTPS due to the effort required or thinking it's not necessary.
The second reason is performance. It is a common misconception that implementing HTTPS causes reduced performance as compared to HTTP. However, users can solve this problem by optimizing performance and deploying certificates on SLB or CDN. To give a practical example, during Double 11 events, operations like accessing, browsing, and making transactions are still smooth and reliable on Taobao and Tmall, on both PCs and mobile terminals even with full site HTTPS. Tests show that the performance of many optimized pages is still equal to or even better than that of HTTP pages, so HTTPS is not a slowing factor after optimization.
The last reason is security awareness. Security awareness and technology in foreign internet industries are often more mature than in China, and the developmental trend of HTTPS is supported by society, companies, and governments together. However, with the popularization of encryption, network security, P2P regulatory measures, HTTPS is also expected to benefit more and more Internet users.
-End-
[1] Reference source: EtherDream: Harm of Traffic Hijacking
[2] Reference source: Symantec Protects the Entire Online User Experience: with Always On SSL
Visit Alibaba Cloud SSL Certificates service to learn more!