The problem is that it’s not a simple switch. Besides the technology, there are some costs and ramifications. And it may not solve all the problems you think it does.
Https is an acronym for “HyperText Transfer Protocol – Secure”. It’s the “language” used when web browsers ask for a web page, and web servers return their content. It performs two basic functions:
Verification and encryption: that’s all https really does, but those are two very important and useful things.
Positively verifying a site’s identity is important because of a couple of different approaches that malicious entities sometimes use to cause problems.
A “man in the middle” attack is where someone sits between you and the site you’re attempting to connect to. When your browser asks for, say, paypal.com, the interloper sends you to their fake site, which looks like paypal.com but is not. If present, https will warn you that the security certificate is somehow incorrect for the site you finally reach.
“DNS poisoning” operates similarly. DNS is the system that maps domain names – like “paypal.com” – to the IP address of the physical servers that house the associated web site. DNS poisoning inserts incorrect information, once again routing you to a fake site instead of your intended destination. Https would again warn you that the site’s security information is incorrect.
Data transferred between a web browser and web site over an https connection is strongly encrypted. That means no one listening in on the conversation can understand it.
All internet traffic travels across multiple devices, and while the vast majority are trustworthy, there’s actually nothing preventing any of them from listening in as described. Https ensures your communications are private, no matter what path they take.
The most common advice to use https comes up with open Wi-Fi hotspots, such as those found in coffee shops and other public places. When using open Wi-Fi, anyone within range can listen in on the data flowing between your wireless device and the wireless access point. Once again, https ensures that your conversations are private.
Problem #1: We’ve been trained to ignore errors
It’s our own fault – and by “our own”, I mean the fault of website owners, myself included. We’ve misused https, or allowed errors to happen, often enough that people have been “trained” to ignore those errors when they encounter them, and proceed to our sites anyway.
Some common examples:
- Https certificates have a renewal date. It’s not uncommon for site owners to forget to renew in time. Thus, people are told to ignore the error if they want to get to the site until the renewal has been processed. (I’ve even done this.)
- Not all browsers support current https standards. Right now, if you visit https://newsletter.askleo.com in an older browser, such as IE 8, you’ll get a warning. If you want to proceed using that browser, the “right” thing to do is to ignore the warning. (The truly right thing to do is to use a supported browser, but not everyone is willing or able to do so.)
- Because setting up https takes effort and money, there are free alternatives. The most common example is a “self-signed certificate”. Since it’s free, there is no vetting process; anyone can create one themselves. As a result, such a certificate does not prove the identity of the site you are connecting to, but does encrypt your connection. It’s fine when encryption is all you need. However, most browsers will display an error of some sort when accessing a site using a self-signed certificate. To proceed, you must ignore or bypass the error.
As you can see, there are several scenarios in which ignoring the error is the recommended course of action. The result is that, having been “trained” that sometimes it’s OK to do so, it’s now too easy to accidentally ignore an error when you shouldn’t.
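The forgotten-renewal case is the easiest of these for a site owner to eliminate with a scheduled check. The sketch below is an added example, not code from Ask Leo!; the 30-day threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed alerting threshold, not a value from the article


def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter date (negative once expired).

    `cert` is the dict returned by SSLSocket.getpeercert().
    """
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Map the remaining lifetime onto an alert level for a monitoring job."""
    left = days_remaining(cert, now)
    if left < 0:
        return "EXPIRED"
    if left <= warn_days:
        return "RENEW SOON"
    return "OK"


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate with normal verification left switched on.

    An expired or mismatched certificate raises ssl.SSLCertVerificationError
    here, which a monitoring job should treat as an alert in its own right.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format so the check runs offline.
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2030 GMT",
               "subjectAltName": (("DNS", "example.test"),)}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("May 20 12:00:00 2030 GMT")
    print(classify(SAMPLE_CERT, now), days_remaining(SAMPLE_CERT, now))
```

Run daily against `fetch_cert("your-site")`, a check like this raises the alarm weeks before visitors would see an expiry warning.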
Problem #2: We don’t check what we click on anyway
If you click on this link – https://microsoft.com – you will not be taken to Microsoft.com. But it looks like you will, and besides, it says “https”, so it must be safe, right? My example is safe, but it could just as easily not have been. There are some issues that phishers count on:
- The link looks perfectly safe.
- The link does not go to where it says it does.
- The destination does not use https.
- There is no resulting https error.
If the landing site looks like microsoft.com, but is not microsoft.com, many people will never notice the difference.
This is just one way that phishing attempts work. By tricking you into thinking you’re going to a safe and secure site, which matches your expectations when you arrive, phishers can get you to enter your security credentials and more, and then they can log in to your account.
And https? The fact that the real microsoft.com might use https is completely irrelevant, since that connection was never even attempted. You were sent to a completely unrelated site.
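The mismatch described above, between what a link displays and where it actually points, can be checked mechanically, for example by a mail filter or a content review step. The following is an added example, not part of the original article; the class and function names are hypothetical and the sample markup is constructed, with example.test standing in for an unrelated site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a URL or a bare host name.
HOST_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]\S*)?$", re.I)

def _host(name):  # normalise: lower-case, no trailing dot, no leading "www."
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name

class LinkAuditor(HTMLParser):
    """Flag <a> tags whose visible text names a different site than href."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        shown, target = HOST_LIKE.match(text), urlsplit(self._href)
        actual = _host(target.hostname or "")  # empty for relative links
        if shown and actual and _host(shown.group(1)) != actual:
            self.findings.append((text, self._href, "host mismatch"))
        elif shown and actual and text.lower().startswith("https://") \
                and target.scheme != "https":
            self.findings.append((text, self._href, "https shown, not used"))
        self._href = None

def audit(html):  # returns a list of (link text, href, reason) tuples
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from any real page.
SAMPLE_HTML = ('<a href="http://example.test/login">https://microsoft.com</a> '
               '<a href="https://www.microsoft.com/">microsoft.com</a> '
               '<a href="http://microsoft.com/">https://microsoft.com</a> '
               '<a href="https://example.test/">click here</a>')
```

`audit(SAMPLE_HTML)` reports the first and third links. The comparison is an exact host match, so a legitimate link to a subdomain of the displayed site is also flagged and needs an allowlist or a registered-domain comparison in practice.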
Https still adds value
As you might expect, web sites that request sensitive information from you should be https. Banking sites, as just one example, should always have an https connection to enforce both identity verification (you really are connected to your bank), and data encryption (no one “listening in” will be able to see your information).
What’s not as obvious is that https technology can add value even to sites like Ask Leo! For example, because the connection is encrypted, no one “listening in” could see what kinds of things you’re searching for when you visit the site. The terms you search on specific sites, and on Google in general, have been shown to be a relatively effective way of identifying not just who you are, but what your concerns, issues, and activities might involve.
If you’re about to take a download from a site that provides downloads, https ensures you’re connected to the site you think you are. This prevents a man-in-the-middle attacker from substituting his own malware-laden version of whatever it is you’re downloading.
As an additional way to help improve your privacy, as well as secure your connection, https to just about any site can, indeed, make sense.
There’s a cost to website owners for https to be done properly.
The site owner needs to purchase an https certificate. Much like domain registration, this is an ongoing annual cost. Purchasing a certificate also requires that the owner prove his or her ownership of the site and provide a certain amount of information about themselves. Https certificate cost has been coming down in recent years, and basic validation can be as inexpensive as domain registration itself. Extended validation – the more secure form of https used by banks and other highly sensitive sites – costs a fair amount more, because it requires checking a fair amount more about the site and its owner.
The other “cost” is the intangible one: by its nature, setting up https is somewhat technical, a tad finicky, and can be time-consuming, especially if it’s something you do only once every few years.
One of the classic objections to using https is performance. The concern is that the overhead of encrypting all the data would affect both the web server and the client browser.
That’s simply no longer true.
Current computers have more than enough computational power to make the work of encryption negligible. In addition, while the initial connection setup involves computationally expensive cryptography, once the connection is established, the vast majority of data transmitted is actually encrypted using a relatively simple cipher.