We Must Improve the HTTPS Message

HTTPS is as important today as it has ever been. If you are transferring sensitive data you should use HTTPS to encrypt data in transit, that is not up for debate. Understand though that it is but one piece of a larger security conversation, and that’s where the message falls flat on it’s face.

I shared my thoughts last year on how HTTPS does not secure websites, and in the time since the message has only grown as to be expected. You’ve seen exponential growth of the LetsEncrypt initiative which we fully support at Sucuri (making us one of the first cloud CDN / Firewall solutions to do so). Additionally, organizations of all sizes have been adamantly pushing the importance of SSL, including both hosting and service providers alike. The WordPress Foundation, the organization spearheading the growth of the WordPress platform (currently at 27% market share of all websites), also recently announced that it would only be promoting hosting companies that offer SSL by default:

First, early in 2017, we will only promote hosting partners that provide a SSL certificate by default in their accounts.

The genesis of this stems from the Encrypt All Things campaign, a campaign built around idea of protecting our privacy on-line. This campaign came about after the Edward Snowden revelations, which revealed massive nation state surveillance back in 2013:

In the wake of the continued disclosures regarding government mass surveillance, the majority of the reform conversation has revolved around the need for increased transparency…. Robust encryption is the next step toward protecting our networks and data from unauthorized surveillance.

In 2014, Google announced that using HTTPS was being considered as a potential ranking signal. This piggy backed Google’s #HTTPSEverywhere on the web campaign, initiated at the 2014 Google I/O event.  This small snowflake has now turned into a monumental avalanche with potentially catastrophic implications to the security industry. It has introduced more confusion amongst website owners and we find ourselves having philosophical / ideological debates on the importance of encryption, of which is far removed from today’s reality. I anticipate that, that one emphasis on the use of HTTPS as ranking signal will be seen as the pivotal point in the history of HTTPS, and the point at which it became common terminology.

Unfortunately, HTTPS is the most popular security “upsell” sold to web site owners, generally misleading them into thinking that HTTPS alone will secure/protect their sites. What is even worse is that non-technical people do think that the browser padlock relates to a secure site. – Daniel Cid, Founder Sucuri / OSSEC (2014)

The Effectiveness of HTTPS in Website Security

Does HTTPS help with your privacy? Yes, it does. Does it do anything to keep you safe on the web? Well, if your concern is nation state surveillance, then it can to some extent. If your concern is website security (i.e., malware distribution, spam campaigns, phishing, malicious redirects, etc..) then the answer is no.

If you asked a website owner and consumer what their security concern are, they’d say something to this affect:

[table width =”100%” style =”table-striped table-hover” responsive =”true”]
[table_head]
[th_column]Website Owner[/th_column]
[th_column]Consumer[/th_column]
[/table_head]
[table_body]
[table_row]
[row_column]I don’t want to get hacked[/row_column]
[row_column]I don’t want to get malware (i.e., drive by downloads, etc..)[/row_column]
[/table_row]
[table_row]
[row_column]I don’t want to get blacklisted[/row_column]
[row_column]I don’t want to get my information stolen (i.e., phishing)[/row_column]
[/table_row]
[table_row]
[row_column]I don’t want to lose my sites availability[/row_column]
[row_column]I don’t want my data to be stolen (i.e., MiTM attacks and data ex-filtration)[/row_column]
[/table_row]
[/table_body]
[/table]

Of these, HTTPS is able to address one concern, and it does so partially – protecting you against Man in The Middle (MiTM) attacks. MiTM attacks are where an attacker is able to intercept communication between point A (your browser) and point B (the web server for the website you’re visiting). It’s this scenario that you hear presenters leverage when making their case for HTTPS.

HTTPS is the tool you need when you’re at Starbucks and you’re sending information in the clear. There can be a hacker sitting on the public WiFi intercepting all your traffic. They can steal your most sensitive data and use that to hack you. This is why you need HTTPS!!!! – Random HTTPS Presenter

This is what you would call leveraging the FUD factor to make a point.

The problem with this argument is it’s talking to isolated events that are not a realistic representation of today’s realities, and completely contradictory to the original intent (think back to the Encrypt All Things initiative which was designed around privacy). Can bad actors be parked on public wifi’s stealing your data? Yes. Have bad actors broken into systems with the data they’ve stolen via MiTM techniques? Yes. Is this something that is affecting the masses? No. Is this something that organizations like Google have to spend countless hours thinking about? Yes.

Adding HTTPS to your site will not make it more secure, will not “save the web” and will not protect you or your users against most of the attacks that we see live. You will be protecting it against “0.1%” of the threats, while ignoring the rest. If you ever heard about premature optimization, that’s exactly it, but applied to security. Daniel Cid, Founder Sucuri / OSSEC (2014)

This is like applying energy to solve the epidemic  that is shark fatalities. Here is the statistical risk of beach injuries and fatalities related to sharks encounters:

[table width =”100%” style =” table-hover” responsive =”true”]
[table_head]
[th_column]Category Types[/th_column]
[th_column]Risk Probability[/th_column]
[/table_head]
[table_body]
[table_row]
[row_column]Drowning and other beach-related fatalities:[/row_column]
[row_column]1 in 2 million[/row_column]
[/table_row]
[table_row]
[row_column]Drowning fatalities:[/row_column]
[row_column]1 in 3.5 million[/row_column]
[/table_row]
[table_row]
[row_column]Shark attacks:[/row_column]
[row_column]1 in 11.5 million[/row_column]
[/table_row]
[table_row]
[row_column]Shark attack fatalities:[/row_column]
[row_column]0 in 264.1 million[/row_column]
[/table_row]
[/table_body]
[/table]

­­The real threat is humans. For every one human killed by a shark, there are approximately 25 million sharks killed by humans. (Source Oceana Shark Attack Statistics)

If we really want to “create a more secure web” then we need to have a very different conversation. The decisions and technologies we deploy must be more applicable to today’s realities.

For instance, why is their overwhelming amount of focus on data in transit, rather than data at rest? Nowhere in the narrative are we discussing that the real problem affecting consumers around the world – Data at Rest. It’s the lack of encryption for Data at Rest that has been at the root of the problem with all the data breaches over the past 5 years. Organizations of all sizes falling flat on their face when it comes to the way they manage their data security.

The irony of all the data breaches over the past five years (Target, Last.FM, LinkedIn, etc..) was that the organizations were encrypting data in transit (i.e., they were utilizing HTTPS). Yet, the HTTPS implementation did little protect the web or it’s users.

It’s About How We Message Things

I would have never thought of me to be one that is so anal about how things are said, but today more so than ever before, I realize the importance of a message; specifically how it’s delivered and it’s intended and unintended interpretations. Such is the case when we’re talking about the use of HTTPS, especially the why.

Say what you mean, and mean what you say.

If the discussion we were having revolved around the importance of HTTPS, and the fact that we should use it, then I think we would all agree it’s an important piece of the puzzle. It’s not though. The discussion being had, the narrative being delivered and interpreted by website owners and consumers is that HTTPS is the silver bullet everyone has been waiting for in terms of website security. It’s devaluing real security discussions. It’s also introducing a false sense of security to consumers as the ultimate indicator to them that a website is secure.

Google wants everything on the web to be traveling over a secure channel. That’s why in the future your Chrome browser will flag unencrypted websites as insecure, displaying a red “x” over a padlock in the URL bar. (MotherBoard)

The problem with today’s communication though is in the way the need for HTTPS is being communicated. The confusion seems to stem from the small, but important, distinction that is communicating securely with a website, and securing a website. They are two fundamentally different points, that are being used interchangeably. This point is best illustrated when we look at what at it’s meaning: HTTP is a transfer protocol (it gets information from point A to point B), HTTPS is a  secure (encrypted) data transfer protocol (it gets information from point A to point B, securely).

It is like saying my server is secure because we use SSH. Yet, this is exactly what we’re saying when we talk about HTTPS and websites. My website is secure because I use HTTPS. – Daniel Cid, 2016

At Sucuri we clean hacked websites. We’ve been doing it for 7 years. We’ve worked on 10’s of thousands of sites over the years. I can assure you that the implementation of HTTPS on websites has done little to curve the websites that are getting hacked and being used for nefarious activities (i.e. SPAM campaigns, malware distribution, phishing, etc..). What is has done though is two things: a) confuse website owners and consumers alike of what security is and how to account for it, and b) securely distributed malware to the web users it was designed to protect.