Daniel Roesler is the co-founder and CTO of UtilityAPI, an energy data software service. In his spare time, he develops security and privacy applications and volunteers for the privacy advocacy group Restore the Fourth. He's giving a talk called, If you're not using HTTPS, your website is bad, and you should feel bad!, at this year's Texas Linux Fest.
Learn more in this interview.
First of all, in your own words, why is HTTPS important? What's the advantage to using it?
HTTPS protects both website owners and users from interference by network operators. It provides three protections: data authentication, integrity, and confidentiality. HTTPS makes sure that the website you loaded was sent by the real owner of that website, that nothing was injected or censored on the website, and that no one else is able to read the contents of the data being transmitted. We are seeing more and more evidence of manipulation of websites to inject things that the website owners and users didn't intend. Additionally, browsers are starting to deprecate HTTP as non-secure, so in the coming years non-HTTPS websites will start throwing warnings by both Chrome and Firefox.
Is it still appropriate not to use it for any kind of website?
No. All websites should use HTTPS by default. Network operators are starting to manipulate non-HTTPS requests, which means that even if you have a static read-only blog or non-privacy-sensitive website, the network operator can still inject contents into your website to track or show ads to your users without your consent. For example, if you visit http://www.redhat.com while on a Southwest Airlines flight, you will see an ad banner at the top of the website. If your website is ad-revenue driven, a network operator can replace your ads with ads of their own, thus stealing your ad revenue.
What seems to be the biggest problem in adapting it in all of the websites?
Two major problems exist for two different classes of websites. First, for larger websites that use many third-party services (ad networks, CDNs, etc.), all of those services need to support HTTPS before the main website can switch to HTTPS. Slowly, these services are starting to support HTTPS, which means it will be easier and easier for larger websites to switch to HTTPS. Second, for smaller/non-profit websites the process of getting and installing an HTTPS certificate is a pretty confusing process. New tools like SSLMate and Let's Encrypt are starting to make that process easier and more automated, so that making your small website HTTPS is a fast and easy process.
Is implementing HTTPS easy?
Yes, and it's getting easier. There are many tutorials online for getting a free HTTPS certificate and installing it on your server. Additionally, many web frameworks have documentation on how to use HTTPS with their framework. Finally, with the advent of Let's Encrypt, getting and installing an HTTPS certificate will be built into the default setup process for a web server. In my talk, I will setup HTTPS on my server step-by-step in less than 20 minutes.
Does implementing it mean that the site is completely secure?
No, but it helps a lot. Like all software, HTTPS implementations may contain bugs and need to be updated periodically, which is easy on Linux when using a package manager. However, while HTTPS protects data in-transit, hackers can still attack either end of the connection (i.e. server or client) with traditional malware or attacks. Website owners and users still need to keep their systems up to date to prevent theses types of attacks from compromising their systems.
This article is part of the Speaker Interview Series for Texas Linux Fest. Texas Linux Fest is the first state-wide, annual, community-run conference for Linux and open source software users and enthusiasts from around the Lone Star State.