HTTP Must Die, Security Experts Tell Hackers

NEW YORK — HTTP must die, two staffers from the Electronic Frontier Foundation told attendees at the HOPE X hacker conference here Friday (July 18).

Yan Zhu and Parker Higgins argued that there are fewer and fewer reasons why anything should be transmitted across the Internet unencrypted in 2014. But two large reasons still exist: advertising networks and content-delivery networks.

Ad networks, which are responsible for the banner ads, text ads and "you might be interested in..." story links you see on many Web pages, don't use encrypted Web protocols, better known by the acronym HTTPS.

"If you want to secure it, put an S on it," joked Higgins, whose "Portlandia" reference made Zhu cringe a little.

Unencrypted ads mean that many news sites, such as Tom's Guide, can't deliver encrypted content.

Content-delivery networks, or CDNs, are the hidden fast lanes of the Internet, making sure high-bandwidth data such as YouTube clips or Netflix movies get to your computer quickly and efficiently by bypassing the way stations regular text has to traverse. CDNs don't like HTTPS because it slows down their networks, and slow equals death in their line of work.

HTTPS equals freedom

That's a shame, Zhu and Higgins said. Not only does HTTPS secure your credit-card transactions from cybercriminals and your Webmail from spy agencies, but it also helps defeat censorship in places like Iran and China.

The so-called Great Firewall of China, Higgins explained, works by searching for key phrases such as "4-6-89" (the date of the Tiananmen Square massacre) and then blocking Web pages that contain them. However, when HTTPS is enabled, the Great Firewall can't read the content, so Chinese censors can either block the entire Web domain, or none of it.

In early 2013, Zhu and Higgins said, all of the code-sharing site GitHub — which uses HTTPS throughout — was blocked in China because a few pages were deemed to have inappropriate content. Backlash from Chinese developers, who needed access to GitHub, grew so strong, however, that the censors had to back down — and decided to let the whole site come through. A Chinese commentator, Higgins said, likened the censors' approach to GitHub to "catching a mouse by burning down the house."

In Iran, Zhu said, as many as a third of all websites are blocked. But the HTTPS-enabled Google Reader news aggregator, when it still existed, offered links to any and all of the blocked news sites, and Iran couldn't block Google Reader without blocking all of Google. Many Iranians used the service to reach otherwise forbidden content. Sadly, Google Reader shut down a year ago and Iranians were left in the dark.

Encryption explosion

It's not only websites that need to be encrypted, the pair argued — email needs to be as well. Unfortunately, email servers need to establish "opportunistic" one-on-one relationships with each other in order to make sure messages that travel between them are encrypted. If one server offers to encrypt and the other doesn't respond, then the messages will travel in plaintext.
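The fallback described above can be made concrete with SMTP's STARTTLS extension, the usual mechanism for server-to-server mail encryption (the article does not name it). This is an added example, not code from the article or the talk; the EHLO replies and hostnames are constructed, and the function names and the `require_tls` policy flag are hypothetical.

```python
import re

# Constructed EHLO replies in RFC 5321 multiline form; hostnames are placeholders.
PEERS = {
    "mx.receiver.example": "250-mx.receiver.example Hello\r\n250-SIZE 35882577\r\n"
                           "250-STARTTLS\r\n250 8BITMIME\r\n",
    "mx.legacy.example": "250-mx.legacy.example Hello\r\n250-SIZE 10240000\r\n"
                         "250 8BITMIME\r\n",
}

def parse_ehlo(reply):
    """Return the set of extension keywords a server advertised after EHLO."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    keywords = set()
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError(f"unexpected reply line: {line!r}")
        sep, text = m.groups()
        # "250-" marks a continuation line, "250 " marks the final line.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multiline reply")
        if i > 0 and text.strip():  # line 0 is the greeting, not an extension
            keywords.add(text.split()[0].upper())
    return keywords

def delivery_decision(reply, require_tls):
    """Decide how a sending server would hand off mail to this peer."""
    if "STARTTLS" in parse_ehlo(reply):
        return "encrypt"
    # No offer from the peer: opportunistic senders fall back to cleartext,
    # a sender that requires TLS holds the message instead.
    return "defer" if require_tls else "plaintext"

def plaintext_peers(peers):
    """List peers whose mail would cross the wire unencrypted."""
    return sorted(h for h, r in peers.items()
                  if delivery_decision(r, require_tls=False) == "plaintext")

if __name__ == "__main__":
    for host, reply in PEERS.items():
        print(host, delivery_decision(reply, False), delivery_decision(reply, True))
    print("would receive plaintext:", plaintext_peers(PEERS))
```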

Fortunately, Google has begun a "name and shame" campaign to force other large email service providers to agree to encrypt messages all the time. Since the company began its campaign, other providers have begun to encrypt all their traffic, including Yahoo and, just this week, Apple.

The real person to thank for increasing use of encrypted Internet connections, Zhu and Higgins said, is Edward Snowden. Since the former National Security Agency contractor began leaking the agency's documents in June 2013, encrypted Web traffic has doubled worldwide.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Comment from the forums
  • jasonelmore
    meh they just wanna sell more SSL certificates
  • velocityg4
    Not sure if the Google analogy is apt. Since you can simply go to
  • techguy911
    https is still not safe and can be still hacked security certificates can be stolen and used for bad purposes.