SecureUtah.org
All web traffic should be delivered securely between a website and its visitors.  HTTPS is the network protocol that creates an encrypted communication channel that protects your data as it travels over an insecure Internet.

Integrity & Authenticity

     HTTPS provides the best method for a website owner to deliver their content to their visitors exactly as it was designed and without any extra code inserted or removed by a third party.  The security components within HTTPS require that the website authenticate itself to the visitor’s browser at the very beginning of the connection while also allowing the browser to perform validation checks against the server’s authentication claims.

The Network is Hostile

     The path that web traffic takes across the Internet is often unpredictable and increasingly unsafe.  Unencrypted web traffic is regularly intercepted, shamelessly manipulated, and arbitrarily censored, usually without the visitor or website owner knowing that these actions are taking place.

     With HTTPS the website can only be delivered whole or not at all.  HTTPS encloses all of a website’s data, defending against in-transit snooping and tampering as it moves through an unfortunately adverse environment.

All Traffic is Sensitive

     Regular unencrypted HTTP connections to websites are a privacy vulnerability and they will always expose sensitive personal information.  Third parties monitoring an HTTP connection will see a website visitor's physical location identifiers, login credentials, camera and audio feeds, search terms, medical conditions, political interests, and reading material.

   HTTPS helps stop third parties from seeing and tracking the specific content a website visitor looks at.  All Internet data should be given the same high level of privacy and protection, whether the website content be social, financial, medical, legal, political, scholarly, or religious.

You Love Your Users

     It is the ethical duty of a website owner to provide their visitors with the most secure and safest connection method available.  Enabling HTTPS directly benefits a website’s users while also helping the larger Internet — encrypting a website’s traffic removes a number of dangerous avenues of attack that are used by bad actors and malicious entities.

     With an abundance of online resources and guides, the technical process of adding HTTPS is a solved problem for the large majority of websites.  The dollar cost to obtain the required HTTPS authentication certificates has dropped to zero.  With clear security benefits and the prevailing technical and financial hurdles of the past all but gone, choosing to provide HTTPS is now a matter of principle that should be eagerly embraced.

Best Practice

     Two of the major web browsers are already guiding web development away from insecure HTTP connections and towards an all-HTTPS web.  Mozilla announced in April 2015 that they will gradually reduce the website features that Firefox is allowed to access over HTTP connections.  Google will soon update Chrome to visually warn users that HTTP connections are not secure.  Both companies are working on developing and promoting a number of other background technical processes that will make HTTPS connections faster and more secure.

  Three of the Internet’s technical standards bodies have released statements in support of ubiquitous encryption to combat monitoring and manipulation. The IETF, IAB and W3C help define the development and construction of Internet communication and web traffic.  Their strong support for encrypted traffic serves as a bellwether for how the Internet of the near future will take shape.


 Further Reading

The following writings have directly inspired the creation and fueled the development of this website. For a deeper understanding of why HTTPS, secure communications, and user privacy are important for the modern web please continue reading. The authors' names provide links to their entire text.

Why you should care about HTTPS

Traditionally, the arguments in favor of HTTPS have been for integrity, privacy, and identity. If a message is encrypted by a server before it’s sent to your computer, and it’s done in such a way that only you can decrypt it, you can have a high level of confidence that the message you receive is the message the server sent (integrity), and that you’re the only one who opened it (privacy). Further still, because of the initial handshake that makes all this possible, you know that the server you’re talking to is the one you want to talk to, and not someone else pretending to be the server (identity).

Without HTTPS, there’s a couple of points in the route each request must take that could allow a third-party to intercept, or worse, modify your request or its response as it travels over the open internet.

— Ben Balter

The Network is Hostile

Anyone who has taken a network security class knows that the first rule of Internet security is that there is no Internet security. Indeed, this assumption is baked into the design of the Internet and most packet-switched networks — systems where unknown third parties are responsible for handling and routing your data. There is no way to ensure that your packets will be routed as you want them, and there’s absolutely no way to ensure that they won’t be looked at.

Indeed, the implications of this were obvious as far back as ARPANET. If you connect from point A to point B, it was well known that your packets would traverse untrusted machines C, D and E in between. In the 1970s the only thing preserving the privacy of your data was a gentleman’s agreement not to peek. If that wasn’t good enough, the network engineers argued, you had to provide your own security between the endpoints themselves.

My take from the NSA revelations is that even though this point was ‘obvious’ and well-known, we’ve always felt it more intellectually than in our hearts. Even knowing the worst was possible, we still chose to believe that direct peering connections and leased lines from reputable providers like AT&T would make us safe. If nothing else, the NSA leaks have convincingly refuted this assumption.


— Matthew Green

Why HTTPS for Everything?

HTTP has become central to today’s way of life. HTTP is currently the primary protocol for applications used on computers, tablets, smartphones, and many other devices.

As our dependency on the internet has grown, the risk to users’ privacy and safety has grown along with it.

Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace.

Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.

When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.


— White House Office of Management and Budget

Deprecating Non-Secure HTTP

Q. But there’s nothing secret on my site! Why should I bother with encryption?

A. HTTPS isn’t just about encryption. It also provides integrity, so your site can’t be modified, and authentication, so users know they’re connecting to you and not some attacker. Lacking any one of these three properties can cause problems…

In other words, as long as your site is not secure, it can be used as a weapon against your users and against other web sites. More non-secure sites means more risk for the overall Web.


— Richard Barnes

We're Deprecating HTTP And It's Going to Be Okay

I see companies and government asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to “interpret censorship as damage”.

In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.

What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.


— Eric Mill

How to Get a Company or Organisation to implement an Onion Site

People who want to access your site are at risk. You know how many people. If it’s reasonably cheap to do so — and it is reasonably cheap — are you willing to make an affordance for these people to be more secure and have a better experience when accessing your site?

— Alec Muffett

