
HTTP Must Die, Security Experts Tell Hackers

Source: Tom's Guide US

NEW YORK — HTTP must die, two staffers from the Electronic Frontier Foundation told attendees at the HOPE X hacker conference here Friday (July 18).

Yan Zhu and Parker Higgins argued that there are fewer and fewer reasons why anything should be transmitted across the Internet unencrypted in 2014. But two large reasons still exist: advertising networks and content-delivery networks.


Ad networks, which are responsible for the banner ads, text ads and "you might be interested in..." story links you see on many Web pages, don't use encrypted Web protocols, better known by the acronym HTTPS.

"If you want to secure it, put an S on it," joked Higgins, whose "Portlandia" reference made Zhu cringe a little.

Unencrypted ads mean that many news sites, such as Tom's Guide, can't deliver encrypted content.

Content-delivery networks, or CDNs, are the hidden fast lanes of the Internet, making sure high-bandwidth data such as YouTube clips or Netflix movies get to your computer quickly and efficiently by bypassing the way stations regular text has to traverse. CDNs don't like HTTPS because it slows down their networks, and slow equals death in their line of work.

HTTPS equals freedom

That's a shame, Zhu and Higgins said. Not only does HTTPS secure your credit-card transactions from cybercriminals and your Webmail from spy agencies, but it also helps defeat censorship in places like Iran and China.

The so-called Great Firewall of China, Higgins explained, works by searching for key phrases such as "4-6-89" (the date of the Tiananmen Square massacre) and then blocking Web pages that contain them. However, when HTTPS is enabled, the Great Firewall can't read the content, so Chinese censors can either block the entire Web domain, or none of it.

In early 2013, Zhu and Higgins said, all of the code-sharing site Github — which uses HTTPS throughout — was blocked in China because a few pages were deemed to have inappropriate content. Backlash from Chinese developers, who needed to see Github, grew so high, however, that the censors had to back down — and decided to let the whole site come through. A Chinese commentator, Higgins said, likened the censors' approach to Github as "catching a mouse by burning down the house."

In Iran, Zhu said, as many as a third of all websites are blocked. But the HTTPS-enabled Google Reader news aggregator, when it still existed, offered links to any and all of the blocked news sites, and Iran couldn't block Google Reader without blocking all of Google. Many Iranians used the service to reach otherwise forbidden content. Sadly, Google Reader shut down a year ago and Iranians were left in the dark.

Encryption explosion

It's not only websites that need to be encrypted, the pair argued — email needs to be as well. Unfortunately, email servers encrypt their server-to-server connections only "opportunistically": each pair of servers has to negotiate encryption with each other when a connection is made in order for the messages travelling between them to be encrypted. If one server offers to encrypt and the other doesn't respond, then the messages will travel in plaintext.
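To make the opportunistic negotiation concrete, here is a small simulation of the SMTP STARTTLS exchange between two mail servers. This is an added example, not code from the article or from the EFF talk; the MailServer and deliver names are this example's own, nothing touches the network, and the receiver behaviours (advertising STARTTLS or not, accepting or refusing it) are constructed. In opportunistic mode the sender falls back to plaintext whenever STARTTLS is not offered or fails, which is exactly the gap the article describes; the require_tls flag shows the stricter policy an operator can choose instead, deferring the message rather than sending it in the clear.

```python
"""Simulation of opportunistic SMTP encryption (STARTTLS) between two mail servers.

Constructed example: MailServer objects stand in for real MTAs and nothing is sent
over the network. The class and function names are this example's own."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class MailServer:
    name: str
    supports_starttls: bool        # does this server advertise/understand STARTTLS?
    starttls_reply: int = 220      # 220 = "Ready to start TLS"; any other code = refusal

    def ehlo(self) -> List[str]:
        """Extensions this server lists in its EHLO reply (constructed values)."""
        exts = ["SIZE 35882577", "8BITMIME", "PIPELINING"]
        if self.supports_starttls:
            exts.append("STARTTLS")
        return exts

    def starttls(self) -> int:
        return self.starttls_reply


@dataclass
class DeliveryResult:
    delivered: bool
    encrypted: bool
    transcript: List[str] = field(default_factory=list)


def deliver(sender: MailServer, receiver: MailServer, require_tls: bool = False) -> DeliveryResult:
    """Sending-side logic.

    Opportunistic mode (require_tls=False) is what the article describes: the sender
    asks for TLS if the peer offers it and silently falls back to plaintext otherwise.
    Enforced mode (require_tls=True) defers the message instead of sending it in clear."""
    t = [f"{sender.name}: EHLO {sender.name}"]
    exts = receiver.ehlo()
    t.append(f"{receiver.name}: 250 " + ", ".join(exts))

    tls_up = False
    if sender.supports_starttls and "STARTTLS" in exts:
        t.append(f"{sender.name}: STARTTLS")
        code = receiver.starttls()
        t.append(f"{receiver.name}: {code}")
        if code == 220:
            tls_up = True      # the TLS handshake would run here; session now encrypted
            t.append("[TLS handshake complete; channel encrypted]")

    if not tls_up:
        if require_tls:
            t.append(f"{sender.name}: QUIT  [policy: TLS required, message deferred]")
            return DeliveryResult(delivered=False, encrypted=False, transcript=t)
        t.append("[no TLS negotiated; continuing in plaintext]")

    t.append(f"{sender.name}: MAIL FROM / RCPT TO / DATA ...")
    t.append(f"{receiver.name}: 250 OK: queued")
    return DeliveryResult(delivered=True, encrypted=tls_up, transcript=t)


if __name__ == "__main__":
    modern = MailServer("mx.alpha.example", supports_starttls=True)
    legacy = MailServer("mx.legacy.example", supports_starttls=False)
    flaky = MailServer("mx.flaky.example", supports_starttls=True, starttls_reply=454)
    for peer in (modern, legacy, flaky):
        for policy in (False, True):
            r = deliver(modern, peer, require_tls=policy)
            print(f"{peer.name:18} require_tls={policy!s:5} -> "
                  f"delivered={r.delivered} encrypted={r.encrypted}")
            for line in r.transcript:
                print("    " + line)
```

Running the block prints the four transcripts side by side; the two plaintext deliveries are the cases the article warns about, and the deferred delivery is what "encrypt all the time" looks like from the sending side.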

Fortunately, Google has begun a "name and shame" campaign to force other large email service providers to agree to encrypt messages all the time. Since the company began its campaign, other providers have begun to encrypt all their traffic, including Yahoo and, just this week, Apple.

The real person to thank for increasing use of encrypted Internet connections, Zhu and Higgins said, is Edward Snowden. Since the former National Security Agency contractor began leaking the agency's documents in June 2013, encrypted Web traffic has doubled worldwide.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • -4
    jasonelmore , July 18, 2014 7:10 PM
    meh they just wanna sell more SSL certificates
  • 0
    velocityg4 , July 18, 2014 8:27 PM
    Not sure if the Google analogy is apt. Since you can simply go to https://www.google.com
  • 0
    techguy911 , July 18, 2014 8:42 PM
    https is still not safe and can still be hacked; security certificates can be stolen and used for bad purposes.
  • 5
    Christopher1 , July 18, 2014 10:47 PM
    Quote:
    meh they just wanna sell more SSL certificates

    No, they want to make sure that it is not trivial to intercept someone's private communications over the internet.
  • 1
    Haravikk , July 19, 2014 1:04 AM
    While I agree in theory, it's worth mentioning that encrypting e-mail server connections only matters because so much e-mail is still sent as plaintext; it doesn't necessarily protect you against malicious servers. If you want secure e-mail you need to set up and use S/MIME. It's actually fairly easy; the difficult bit is trading public keys (or rather, convincing others to set up S/MIME for two-way encryption).
  • 1
    Pherule , July 19, 2014 3:38 AM
    Finally. This should have happened years ago. There was no reason not to have the entire Internet going over secure protocols back in 2008, let alone 2014. This move should have been accelerated years ago.
  • 2
    eriko , July 19, 2014 3:55 AM
    Well, the sites have to start USING https too!

    I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, a http page then opens instead.

    Just like this site.
  • 0
    DRtheNerd , July 19, 2014 5:32 AM
    I surveyed Alexa Top 50 results for HTTPS-only functionality and published those results here: https://www.dnsthingy.com/blog/2014/06/alexa-top-50-https-results
  • 0
    ddpruitt , July 19, 2014 9:09 AM
    Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site; http wasn't built that way. Encrypt what you need to, forward the rest.
  • 0
    Pherule , July 19, 2014 11:45 AM
    @ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

    Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.
  • 2
    waethorn , July 19, 2014 12:42 PM
    Quote:
    Or you only encrypt the portions of the connection you need to. No one ever said that you have to encrypt the entire site, http wasn't built that way. Encrypt what you need to forward the rest.

    Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.
  • 0
    ddpruitt , July 19, 2014 1:47 PM
    Quote:
    @ddpruitt: why is there any reason to have a portion unencrypted? To allow your ISP to spy on you? They can already see which sites you go to, which is bad enough, even if they can't see what content you view on a secure site.

    Yeah yeah, what ISP spies on their users, I get it, it probably won't happen, and I don't care. I don't want to give them the possibility, whether they choose to use it or not.

    Stream compression, CDNs, Proxies to name a few reasons.
  • -1
    ddpruitt , July 19, 2014 1:47 PM
    Quote:
    Every security expert will tell you that mixing encrypted with unencrypted content is bad for security.

    And yet websites do it all the time. If it's done properly the encrypted portion is no less, or more, secure than if the entire page is encrypted.
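Waethorn and ddpruitt disagree above over mixing encrypted and unencrypted content on one page. What browsers actually enforce is a distinction between active mixed content (scripts, stylesheets, frames and plugins loaded over http:// into an https:// page, which can rewrite the whole page and are blocked) and passive mixed content (images and media, which are treated more leniently). The checker below is an added example, not code from the article or from any commenter: it parses a page's HTML with Python's standard library and lists every sub-resource an HTTPS page would fetch over plain http://, classified by severity. The SAMPLE_HTML, the ACTIVE/PASSIVE tables and the function names are this example's own constructed assumptions.

```python
"""Mixed-content check for an HTTPS page: find sub-resources fetched over plain http://.

Constructed example; the sample HTML below is made up and the names here are this
example's own. Only the standard library is used, so it runs offline."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Tag -> attribute carrying the resource URL.
# ACTIVE: an http:// load here lets an on-path party alter script, style or markup of
# the page, so browsers block it. PASSIVE: images/media cannot run code in the page.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []   # (severity, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return
        # <link> is only a resource load we care about when it pulls in a stylesheet.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        value = a.get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page: "//cdn/..."
        # inherits https here, "/local/..." stays on the page's own origin.
        url = urljoin(self.page_url, value)
        if urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return (severity, tag, url) for each http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two active offenders, one passive, and three benign loads.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//cdn.example.net/app.js"></script>
<script src="http://ads.example.org/tag.js"></script>
</head><body>
<img src="http://images.example.net/banner.png">
<img src="/local/logo.png">
<a href="http://example.com/plain-link">a link is navigation, not a sub-resource</a>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://news.example/story", SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

The protocol-relative script and the site-local image resolve to https and are not reported; the stylesheet and the ad-network script are the active cases that a browser would refuse to load, which is why an ad network serving only over http: prevents a site from going fully HTTPS, as the article notes.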
  • 0
    LORD_ORION , July 19, 2014 3:00 PM
    All SIP traffic for VoIP needs to be encrypted by default with TLS, as well as the actual RTP in VoIP, which needs to be secured with SRTP by default.

    Disabling TLS, SRTP and HTTPS should be for diagnostic purposes only.
  • 0
    dj christian , July 20, 2014 3:03 AM
    Quote:
    Well, the sites have to start USING https too!

    I run 'https everywhere', and have done for ages. Every site I access is first attempted via https, and if ssl is not negotiated, a http page then opens instead.

    Just like this site.

    How do you do that?
  • 0
    back_by_demand , July 21, 2014 4:28 AM
    More security = good
    Less security = bad

    Bit of a no-brainer, why are we even discussing this?