Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Why Can’t We Use https for Everything?

//
Why couldn’t all websites that are genuine, like microsoft.com or hotmail.com or yahoo.com, be https?

They could.

In fact, more and more sites are slowly making the switch. Even Ask Leo! is now an https site.

The problem is that it’s not a simple switch. Besides the technology, there are some costs and ramifications. And it may not solve all the problems you think it does.

Become a Patron of Ask Leo! and go ad-free!

HTTPS is…

Https is an acronym for “HyperText Transfer Protocol – Secure”. It’s the “language” used when web browsers ask for a web page, and web servers return their content. It performs two basic functions:

  1. It verifies the identity of the remote site. Https uses cryptographic information called “certificates”, which allow the browser to positively confirm that the site you’re connecting to is, in fact, the site it claims to be.
  2. It encrypts the data flowing between your browser and the remote site. All the data sent is strongly encrypted such that only the recipient can decrypt it to view its contents.

Verification and encryption: that’s all https really does, but those are two very important and useful things.

Identity verification

Positively verifying a site’s identity is important because of a couple of different approaches that malicious entities sometimes use to cause problems.

A “man in the middle” attack is where someone sits between you and the site you’re attempting to connect to. When your browser asks for, say, paypal.com, the interloper sends you to their fake site, which looks like paypal.com but is not. If present, https will warn you that the security certificate is somehow incorrect for the site you finally reach.

httpsDNS poisoning” operates similarly. DNS is the system that maps domain names – like “paypal.com” – to the IP address of the physical servers that house the associated web site. DNS poisoning inserts incorrect information, once again routing you to a fake site instead of your intended destination. Https would again warn you that the site’s security information is incorrect.

Data encryption

Data transferred between a web browser and web site over an https connection is strongly encrypted. That means no one listening in on the conversation can understand it.

All internet traffic travels across multiple devices, and while the vast majority are trustworthy, there’s actually nothing preventing any of them from listening in as described. Https ensures your communications are private, no matter what path they take.

The most common admonition for https comes when using open Wi-Fi hotspots, such as those found in coffee shops and other public places. When using open Wi-Fi, anyone within range can listen in to the data flowing between your wireless device and the wireless access point. Once again, https ensures that your conversations are private.

Problem #1: We’ve been trained to ignore errors

It’s our own fault – and by “our own”, I mean the fault of website owners, myself included. We’ve misused https, or allowed errors to happen often enough, such that people have been “trained” to ignore those errors when they encounter them, and proceed to our sites anyway.

Some common examples:

  • Https certificates have a renewal date. It’s not uncommon for site owners to forget to renew in time. Thus, people are told to ignore the error if they want to get to the site until the renewal has been processed. (I’ve even done this.)
  • Not all browsers support current https standards. Right now, if you visit https://newsletter.askleo.com in an older browser, such as IE 8, you’ll get a warning. If you want to proceed using that browser, the “right” thing to do is to ignore the warning. (The truly right thing to do is to use a supported browser, but not everyone is willing or able to do so.)
  • Because setting up https takes effort and money, there are free alternatives. The most common example is a “self-signed certificate”. Since it’s free, there is no vetting process; anyone can create one themselves. As a result, such a certificate does not prove the identity of the site you are connecting to, but does encrypt your connection. It’s fine when encryption is all you need. However, most browsers will display an error of some sort when accessing a site using a self-signed certificate. To proceed, you must ignore or bypass the error.

As you can see, there are several scenarios in which ignoring the error is the recommended course of action. The result is that, having been “trained” that sometimes it’s OK to do so, it’s now too easy to accidentally ignore an error when you shouldn’t.

Problem #2: We don’t check what we click on anyway

If you click on this link – https://microsoft.com – you will not be taken to Microsoft.com. But it looks like you will, and besides, it says “https”, so it must be safe, right? While my example is safe, it easily could not be. There are some issues that phishers count on:

  • The link looks perfectly safe.
  • The link does not go to where it says it does.
  • The destination does not use https.
  • There is no resulting https error.

If the landing site looks like microsoft.com, but is not microsoft.com, many people will never notice the difference.

This is just one way that phishing attempts work. By tricking you into thinking you’re going to a safe and secure site, which matches your expectations when you arrive, phishers can get you to enter your security credentials and more, and then they can log in into your account.

And https? The fact that the real microsoft.com might use https is completely irrelevant, since that connection was never even attempted. You were sent to a completely unrelated site.

Https still adds value

As you might expect, web sites that request sensitive information from you should be https. Banking sites, as just one example, should always have an https connection to enforce both identity verification (you really are connected to your bank), and data encryption (no one “listening in” will be able to see your information).

What’s not as obvious is that https technology can add value even to sites like Ask Leo! For example, because the connection is encrypted, no one “listening in” could see what kinds of things you’re searching for when you visit the site. The terms you search on specific sites, and on Google in general, have been shown to be a relatively effective way of identifying not just who you are, but what your concerns, issues, and activities might involve.

If you’re about to take a download from a site that provides downloads, https ensures you’re connected to the site you think you are. This prevents a man-in-the-middle attacker from substituting his own malware-laden version of whatever it is you’re downloading.

As an additional way to help improve your privacy, as well as secure your connection, https to just about any site can, indeed, make sense.

Https cost

There’s a cost to website owners for https to be done properly.

The site owner needs to purchase an https certificate. Much like domain registration, this is an ongoing annual cost. Purchasing a certificate also requires that the owner prove his or her ownership of the site and provide a certain amount of information about themselves. Https certificate cost has been coming down in recent years, and basic validation can be as inexpensive as domain registration itself. Extended validation – the more secure form of https used by banks and other highly sensitive sites – costs a fair amount more, because it requires checking a fair amount more about the site and its owner.

The other “cost” is the intangible one: by its nature, setting up https is somewhat technical, a tad finicky, and can be time consuming, especially if it’s something you do only once every few years.

Https performance

One of the classic objections to using https is performance. The concern is that the overhead of encrypting all the data would affect both the web server and the client browser.

That’s simply no longer true.

Current computers have more than enough computational power to make encryption work negligible. In addition, while the initial connection set up involves computationally expensive cryptography, once established, the vast majority of data transmitted is actually encrypted using a relatively simple cipher.

Podcast audio

Play

24 comments on “Why Can’t We Use https for Everything?”

  1. From what I understand about https and signed certificates, that transactions are as about as secure as they can get. So can you please explain to me what is the purpose of PayPal when the above mentioned securities are in place? I really resent PayPal as the only option to pay (or give) on a website, and I have not read good things about them at all. Right now my master gardening group is encouraging us to pay with check because paying online uses PayPal, and they take a few dollars every transaction! Since we are pretty much self-funding, self-supporting, non-profit, I resent it.

    • Hi Lee,
      The thing to understand about Paypal is that it is a very easy solution for the small business or non-profit. Setting up a secure website correctly is very difficult and expensive – it is out of reach for the little guy. Paypal makes the setup so easy that practically anyone can do it. Along with their ease is their top security. I don’t know what you hear about Paypal, but they have a great history of security. Of course Paypal takes a fee. All credit card merchant solutions do.

  2. Plus I always pay with a debit card, not a charge card. So once again, what is the purpose of PayPay “stepping” in to grab a few dollars under the guise of “protecting” me, when they are doing nothing of the sort!

    • How about this sample because I do a lot of business on the internet I have been caught a couple of times once for a debit card transaction for about $500 dollars it took numerous emails and a couple of months for the bank to finally fix it up and return my money. Another time I was caught in a similar incident when using Paypal I wont go into all the details but the amount ended up over $1000 I rang paypal and after around 15 minutes on the phone sorting it out the money was back in my account within 30 minutes. I also like the idea that I get an SMS to confirm any payment from my account. unlike a bank where you have no idea until you get your statement. Personallythese days I will not do any business on the internet unless I can use Paypal.

  3. First, *any* credit/debit card processor is going to take a piece (from the seller) of each transaction. This is true online as well as a “brick and mortar” store. PayPal is no different here, other than every merchant account provider has different fees they charge

    Second, the “protection” they are offering the buyer is that the seller never gets your credit/debit card information.

  4. “Even Ask Leo! is now an https site.”

    That may be so, but Chrome is warning me that, “This page is trying to load scripts from unauthenticated sources.” Learn more.

  5. >the vast majority of data transmitted is actually encrypted using a relatively simple cipher.

    This last line of the article is very scary. Is this true of things like my banking information?

    • The relatively simple cypher doesn’t mean less secure. It means that creating the keys takes a lot more computational power than encrypting or decrypting with those keys. If you’ve ever created PGP keys or other encryption method, you’d have noticed it takes a long time to create those keys.

    • This is true of all HTTPS and should not be considered “scarey” in the least. The WAY the encryption is performed is computationally simple, but the TECHNIQUE that generates the keys used is both complex and very secure.

  6. I have heard over and over on major TV network newscasts of the danger of using public Wi-Fi systems in coffee houses, hotels, etc. I understand the danger when communicating with unsecure websites, but what about with https websites? If I am using a hotel Wi-Fi network to communicate with my bank’s https site, am I at risk?

      • I guess it’s typical of how the media go for the sizzle instead of the substance. In several cautionary pieces about public Wi-Fi over the years I have never once heard them mention HTTPS–and I’ve listened carefully.

        • Yeah, it’d make for a less interesting story if they were to point out that all the important transactions – even Facebook logins – are relatively safe (I say “relatively” as nothing can ever be said to be 100% secure). The bottom line is that HTTPS over a public network is no more a less secure than HTTPs over your home network.

  7. Disadavanges of SSL:
    If your clients have any trouble with SSL, they just go away. They have no way of contacting you to get the problem resolved. This includes spidering search engines.
    It suppresses caching. This means every request has to be custom-generated by the server.
    It suppresses compression, other than that done by the server.
    If you don’t need the security, it wastes bandwidth on a massive scale.
    Servers must pay an exorbitant fee each year for an SSL certificate.
    Web masters frequently forget that their certificates expire each year and must be renewed. This means Chrome will block their sites for a week or two each year while they buy a new certificate.
    It slows things down. Every message must be encrypted and decrypted with intensive CPU (Central Processing Unit) processing. There is no point in doing this for information that is not confidential.
    It requires extra processing power at both the server and client. This mean more expensive computers and consuming more electricity. On a global level this is a blow at the environment.
    SSL/TLS/key exchange is a very complicated protocol with many variants, versions and configuring parameters. There is a good chance any random client will not be able to communicate with any random server, especially if one of the ends is Java. Tracking down and fixing these problem takes a significant amount of labour. Much of the time, you cannot solve the problem and have to live with a connection not working.
    It inhibits protocol sniffing with tools like Wireshark. This make the usual tools for debugging ineffective. It makes it very difficult to arrange screenscraping.

    • Prices have come WAY down for SSL certificates – they’re no longer “exorbitant”. And I debunked the “extra processing power required” myth explicitly in the article.

      • Yeah, it’s bogus: SSL creates minimal additional server/network overhead. Also bogus are the points about web crawlers, caching and that “a random client will not be able to communicate with any random server.”

    • You do realize that you are commenting on a SSL protected website httpS://askleo.com. Did you notice any slowdown in accessing this page? As Leo stated in the last paragraph, “Current computers have more than enough computational power to make encryption work negligible. In addition, while the initial connection set up involves computationally expensive cryptography, once established, the vast majority of data transmitted is actually encrypted using a relatively simple cipher.”

  8. Advantages of SSL
    It lets you send credit card information to a server without fear of anyone snooping. This is not quite true. Government agencies will still be able to snoop as will employees of the server company and anyone who manages to hack the server.
    It lets you be sure the party to whom you are disclosing sensitive information is indeed whom they claim to be.
    It drowns the spy agencies and industrial spies in encrypted data. They waste resources cracking the code to find out it is only something as mundane as a shopping list.

  9. I have a question…if i google something and as a result get for example http:// (some randome page) and decide to click on that page, will next time i google the same thing google show me result https:// (of the same randome page i clicked) just because i was once on that page? Will it change from http to https in my google search results? Example: if facebook were to use http and i click on it, next time i search for facebook would in my search result be https:// facebook

    • Probably not. The chances are greater that if a page is resolving to the https version that it will be showing that version the first time anyway.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Typically that's off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.