Threat Intelligence Blog

Posted July 16, 2013

“All Sites Should Deploy HTTPS”

Internet Security 101 teaches us that sites should use SSL to secure important transactions between visitors and websites. If any sort of transaction takes place where sensitive information is passed between a user and a website, it better be using HTTPS, as indicated by the little lock icon in the browser. That means that the data packets passed between you and the website are encrypted so anyone who’s “listening” to the conversation between your computer and, for example, your bank will only see encrypted gibberish instead of the original communication.

HTTPS costs little to implement and offers meaningful security benefits for your business and its customers.

But notice above we stated that all sites should deploy HTTPS. We believe this applies not just for banks, social media sites, or email providers that may sometimes exchange sensitive data with their visitors. (And we certainly do not endorse using HTTPS for a login and returning to normal HTTP traffic afterwards!)

padlock-zimpenfish
Image courtesy Zimpenfish.

The clear message demanding blanket SSL usage was stated by Google’s Adam Langley and others at least as far back as 2011. As Adam notes:

All sites should deploy HTTPS because attacks like Firesheep are too easy to do. Even sites where you don’t login should deploy HTTPS (imagine the effect of spoofing news websites at a major financial conference to headline “Market crashes”).

HTTPS connectivity alone should be the default setting for a website.

If You’re Going to Do SSL, Do It Right

You already offer HTTPS connections to your site? Great! That was step one.

Making HTTPS available is one thing; it’s another to ensure that visitors’ browsers use it. Enter HTTPS Strict Transport Security (HSTS). HSTS is a header that your corporate server should send to browsers because it will tell them that your site should only be accessed over HTTPS instead of simply having the option to do so. HSTS looks something like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This tells browsers to only connect over HTTPS for one year (31536000 seconds is 52 weeks) across all subdomains on the site.

As of this writing, Chrome, Firefox and Opera support HSTS. The good news is that there’s a rule of thumb that states that if the combined usage of Internet browsers which support a given feature exceeds 50%, the others browsers will eventually follow suit. We look forward to learning that the other browser makers have added support for HSTS!

Bonus Credit

If your site already offers SSL and is one of the admirable few that has also implemented HSTS, you can even hard-code SSL support for your website into a major browser… literally.

Google’s popular browser Chrome maintains a list of websites that the browser will always connect with using HTTPS. The Chrome team has even made it possible for members of the public to request that their sites be added to this list! It’s a very simple process and turnaround time is fast. Instructions on how to set up mandatory HTTPS access in Chrome can be found on Chromium.org.

Encryption by Default is the Future

The web currently runs off HTTP 1.1, and HTTP 2.0 is in very early development. Early indications are that HTTP 2.0 will be based on Google’s SPDY, which assumes data will be transported over HTTPS by default.

We are still some time away from this scenario and your users deserve secure communications in the meantime. Deploy HTTPS across your online properties and cement its benefit by enabling HSTS. Your users will thank you!

By Caleb Queern

Additional Posts

China Reports Increase in Trojan and Botnet Attacks

During the past year we have heard countless reports of U.S.-targeted web attacks coming from ...

New Apple iOS and Android Security Measures are on the Way – But Will They Work?

Our last few blog articles about rogue mobile apps have highlighted some of the methods criminals ...