Why every website should switch to HTTPS


Opensource.com

Daniel Roesler is the co-founder and CTO of UtilityAPI, an energy data software service. In his spare time, he develops security and privacy applications and volunteers for the privacy advocacy group Restore the Fourth. He's giving a talk called "If you're not using HTTPS, your website is bad, and you should feel bad!" at this year's Texas Linux Fest.

Learn more in this interview.

First of all, in your own words, why is HTTPS important? What's the advantage to using it?

HTTPS protects both website owners and users from interference by network operators. It provides three protections: data authentication, integrity, and confidentiality. HTTPS makes sure that the website you loaded was sent by the real owner of that website, that nothing was injected or censored on the website, and that no one else is able to read the contents of the data being transmitted. We are seeing more and more evidence of manipulation of websites to inject things that the website owners and users didn't intend. Additionally, browsers are starting to deprecate HTTP as non-secure, so in the coming years non-HTTPS websites will start throwing warnings in both Chrome and Firefox.

Is it still appropriate not to use it for any kind of website?

No. All websites should use HTTPS by default. Network operators are starting to manipulate non-HTTPS requests, which means that even if you have a static read-only blog or non-privacy-sensitive website, the network operator can still inject contents into your website to track or show ads to your users without your consent. For example, if you visit http://www.redhat.com while on a Southwest Airlines flight, you will see an ad banner at the top of the website. If your website is ad-revenue driven, a network operator can replace your ads with ads of their own, thus stealing your ad revenue.

What seems to be the biggest problem in adopting it across all websites?

Two major problems exist for two different classes of websites. First, for larger websites that use many third-party services (ad networks, CDNs, etc.), all of those services need to support HTTPS before the main website can switch to HTTPS. Slowly, these services are starting to support HTTPS, which means it will be easier and easier for larger websites to switch to HTTPS. Second, for smaller/non-profit websites, getting and installing an HTTPS certificate is a pretty confusing process. New tools like SSLMate and Let's Encrypt are starting to make that process easier and more automated, so that making your small website HTTPS is a fast and easy process.

Is implementing HTTPS easy?

Yes, and it's getting easier. There are many tutorials online for getting a free HTTPS certificate and installing it on your server. Additionally, many web frameworks have documentation on how to use HTTPS with their framework. Finally, with the advent of Let's Encrypt, getting and installing an HTTPS certificate will be built into the default setup process for a web server. In my talk, I will set up HTTPS on my server step-by-step in less than 20 minutes.
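As an added example (not from the article or the speaker's talk), the following Python script audits whether a site's HTTP and HTTPS responses show a completed switch: a permanent redirect to an https:// URL and a long-lived HSTS policy on the HTTPS side. The sample responses and the one-year max-age threshold are constructed assumptions.

```python
# Added example (not from the article): audit a site's responses for gaps in its switch
# to HTTPS. Sample responses are constructed; the one-year HSTS threshold is an assumption.
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def audit_https_switch(http_status, http_headers, https_headers, min_max_age=31536000):
    """Return a list of gaps a network operator could still exploit; [] means clean."""
    gaps = []
    plain = {k.lower(): v for k, v in http_headers.items()}
    secure = {k.lower(): v for k, v in https_headers.items()}
    # 1. Plain-HTTP requests must be redirected permanently, and to an https:// URL.
    if http_status not in (301, 308):
        gaps.append("http: no permanent redirect (got status %d)" % http_status)
    elif urlsplit(plain.get("location", "")).scheme != "https":
        gaps.append("http: redirect target is not https: %r" % plain.get("location", ""))
    # 2. HSTS received over plain HTTP is ignored by browsers (RFC 6797), so it is misplaced there.
    if "strict-transport-security" in plain:
        gaps.append("http: HSTS header on a plain-HTTP response is ignored by browsers")
    # 3. The HTTPS response must carry a long-lived HSTS policy that also covers subdomains.
    hsts = secure.get("strict-transport-security")
    if hsts is None:
        gaps.append("https: missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < min_max_age:
            gaps.append("https: HSTS max-age %d is below %d" % (max_age, min_max_age))
        if "includesubdomains" not in d:
            gaps.append("https: HSTS does not cover subdomains (no includeSubDomains)")
    return gaps

# Constructed sample: the same site before and after its switch to HTTPS.
BEFORE = dict(http_status=200, http_headers={"Content-Type": "text/html"},
              https_headers={"Content-Type": "text/html"})
AFTER = dict(http_status=301, http_headers={"Location": "https://www.example.test/"},
             https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_https_switch(**resp) or ["no gaps found"])
```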

Does implementing it mean that the site is completely secure?

No, but it helps a lot. Like all software, HTTPS implementations may contain bugs and need to be updated periodically, which is easy on Linux when using a package manager. However, while HTTPS protects data in transit, hackers can still attack either end of the connection (i.e., server or client) with traditional malware or attacks. Website owners and users still need to keep their systems up to date to prevent these types of attacks from compromising their systems.

Read for more on how to do this on an Apache system. Read for NGINX instructions.

Texas Linux Fest
Speaker Interview

This article is part of the Speaker Interview Series for Texas Linux Fest. Texas Linux Fest is the first state-wide, annual, community-run conference for Linux and open source software users and enthusiasts from around the Lone Star State.

Aleksandar Todorović
I'm a part of the tech department for an awesome investigative journalism network called OCCRP. I'm really passionate about open source software, artificial intelligence and information security. My open source contributions are now merged with projects like reddit, elementary OS and the Tor Project. I'm running a personal blog where I share my personal stories.

12 Comments

I think WooCommerce, gov & shopping websites MUST DO, but not every single site

Great Interview Aleksandar!

Sites that do use HTTPS should probably do it properly and avoid loading insecure content over HTTP, especially when the content trying to be loaded is active JavaScript for social media widgets.

Not looking at anyone in particular...
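The commenter's point about insecure widgets, as an added example that is not from the article or the comment: a small Python mixed-content scanner that lists the sub-resources an HTTPS page still pulls over plain HTTP, split into active content (scripts, frames, stylesheets) and passive content (images, media). The sample page and hostnames are constructed.

```python
# Added example (not from the article): find mixed content on an HTTPS page. Sample HTML constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute holding the sub-resource URL. Active content can run code or restyle the page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> counts as active here; icons, preloads, etc. are skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, bucket in ((ACTIVE, self.active), (PASSIVE, self.passive)):
            if tag in table and attrs.get(table[tag]):
                # urljoin resolves relative and protocol-relative ("//host/x") URLs against the page.
                url = urljoin(self.page_url, attrs[table[tag]])
                if urlsplit(url).scheme == "http":
                    bucket.append(url)

def find_mixed_content(page_url, html):
    """Return (active, passive) lists of http:// sub-resources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for a page served over HTTPS")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.active, parser.passive

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//widgets.example.test/share.js"></script>
<script src="http://widgets.example.test/like.js"></script>
</head><body>
<img src="http://img.example.test/banner.png"><img src="/local.png">
<iframe src="https://frames.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    active, passive = find_mixed_content("https://blog.example.test/", SAMPLE_HTML)
    print("active:", active, "\npassive:", passive)
```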

Well OK, https is MUST for e-shopping, e-banking, sites with confidential inputs, but I still don't see (even after reading this excellent interview) why https is MUST for personal blogs, simple web presentations and similar "privacy-free" web content.
...and yes, it isn't cheap for non-profit/non-commercial/non-corporate websites and free certs have blocking "You try to connect to non-secure site" notifications

Well, I own a personal website and a blog and having HTTPS support guarantees me that the users will see exactly what I want them to see. Plus, I can be sure that nobody's going to MitM the connection between my server and my users. My good friend once told me that he was connected to a public WiFi and saw ads that interfered with my content (and I didn't put any ads on my site). After that happened, I immediately started looking for a way to support HTTPS by default. It's currently not implemented, but I'm working on it.

In reply to Draza (not verified)

OK. So, we recently switched our site over to HTTPS ourselves, for some of the reasons mentioned above. However, I notice that there are still major players in a variety of industries who still have http sites. What would be the single most compelling argument you could make to them that would convince them to change? Especially because, as pointed out above, it is not an easy process.

I would probably go with building users' trust as the #1 reason. I personally would never sign up for an account that has a sign-up form over HTTP. And if I'm reading something over HTTP, for me, the publisher doesn't seem to take his job seriously. As a consequence, I will leave the site more quickly. As a sub-reason, I'd say keeping up with the competition or having an advantage over the competition if the competition does not support HTTPS.

In reply to Disciples of Flight

How do we protect against the fact that HTTPS security is only as strong as the weakest of the hundreds of CAs out there? Most deep packet inspection network appliances can read and manipulate HTTPS traffic, and you can easily guess why.

Oooh, nice information.
I am a website designer, but there are points I have never heard before.

will that affect website rank on Google?

That would be nice, but HTTPS as standard protocol is not going to happen until certs are free by default. I'm not saying that free certs are good, only that a standard protocol will only be adopted if it is part of the package.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.