HTTP Vs. HTTPS – How Secure Is Your Connection?
As the next step in one of many initiatives to encourage the adoption of Secure HTTP connections (HTTPS), Google recently announced its intention to mark all websites that are not configured to serve traffic via HTTPS as “not secure” by July 2018.
HTTPS connectivity has often been the subject of considerable misunderstanding, duplicitous advertising and corporate misuse. Fundamentally, the difference between HTTP and HTTPS is that the latter is intended to prevent interception by third parties when web traffic is transmitted between your device and a remote website or service.
The ‘inter’ in ‘internet’ references the fact that most internet activity, whether it is sending an email, or visiting a website, or, in some cases, sending an instant message, is transmitted by your computer to its destination over a series of inter-connected devices between you and the destination. At a more local level, this may be devices in your own home, restaurant or office like a wireless hotspot, or router, or corporate proxy, or Internet Service Provider.
The lack of a secure connection between your computer and its intended destination implies that traffic originating from and returning to your computer can be intercepted, stored and effectively ‘snooped on’ by any of the devices on the route between the two.
In a number of cases over the past few years, subscribers of Airtel, MTNL and BSNL have reported seeing advertisements and tracking scripts inserted into their web traffic. In visible cases, this manifests itself in the form of an advertisement somewhere on the page. Aside from the relatively greedy and benign implications of an internet service provider injecting an ad into one’s browsing experience, the underlying mechanism behind this kind of technique effectively results in total and complete access to the browsing session, with the ability to track what you click, your saved passwords for the site, where you scroll, what you type and the entire contents of the page. This kind of control renders the entire browser tab accessible to anyone with the ability to intercept web traffic. Of course, this is only ever possible if the traffic is not secured via HTTPS or some other form of secure encryption.
An advertisement injected by BSNL into a subscriber’s web traffic
At this point in time, the vast majority of popular web services and websites are accessible via HTTPS only, thereby minimizing the likelihood that a strange, creepy man in a room somewhere at your mobile or internet service provider is secretly spying on your internet activity.
What HTTPS does not do, however, is mask the addresses of the websites and services that you visit.
For instance, if you are connected to a WiFi hotspot while reading this post, whoever owns/controls the hotspot knows that you (and you specifically) are currently on this particular domain, but probably does not know what exact address or URL you are visiting. In other words, if you were on Facebook.com, it’s unlikely that the specific profile that you are stalking would be known to a third party (besides Facebook), but if you were on FreePiratedMoviesThatNobodyWillKnowIDownload.com, everyone along the path between you and the website knows that you visited it, for academic and/or research purposes, no doubt.
For small businesses, personal blogs and folks with a modest web presence, switching to HTTPS has often been a common avenue for scamsters to peddle their often overpriced services with misinformation. To facilitate HTTPS, browsers trust a number of organizations who are tasked with two things:
1. (Optionally) Verifying that a particular domain belongs to a company claiming to be represented by it, AND
2. Ensuring that traffic under the current connection is being encrypted.
In the vast majority of cases, web administrators will forgo option #1 as it often involves a lengthy validation process. In the case of entities such as banks and financial institutions, it is often legally mandatory to have both.
Visitors to HDFC Bank’s website, for example, will be informed by their browser that the website is, in fact, owned by HDFC Bank Limited. This provides an additional layer of assurance to users that the website is in fact owned by the legal entity it claims to represent.
Unbeknownst to many, however, is the fact that securing HTTP connections and making a transition over to HTTPS is effectively free. Third party non-profit organizations such as Let’s Encrypt offer free services that issue HTTPS certificates to web administrators using a relatively simple, automated and instant verification process that takes place every few months. At this point in time, over 50 million HTTPS connections around the world are enabled by their service.
As a consequence of these subtleties and rampant misinformation, SSL certificates to enable HTTPS are often peddled to unsuspecting website owners, startups and small businesses for a range of unnecessary costs. Various certificate issuers such as Comodo, GoDaddy, Verisign and their respective reseller networks create elaborate marketing campaigns to pawn these services, often at absurd prices, using a wide variety of jargon that amounts to virtually nothing from a technical point of view.
India’s own central and state government agencies are no exception to this. Despite numerous effective paid and free alternative options, to this day, the official website of Bengaluru’s Water Supply and Sewerage Board and a number of other government websites sometimes display a nasty, intimidating error message to Google Chrome and Firefox users, arising out of their use of a local, untrusted third party HTTPS certifier called e-Mudhra, which is not in the ‘trust network’ of most popular browsers.
At one point in time, even the UIDAI’s official website had a misconfigured HTTPS connection to its servers that prevented users from accessing it without seeing a nasty error message.
In the specific case of internet access from work environments, particularly those of large corporations, or cases where a laptop or phone is issued by the company that you work for, HTTPS offers a relatively limited degree of protection from total and complete access to your web traffic from those devices.
This is largely due to the possibility that the company’s IT department may have set up measures that reside either on the device itself (your work issued laptop or phone), or along the company’s internet infrastructure, to intercept all internet traffic and effectively ‘fool’ browsers into believing that the connection is secure.
This is only ever achievable in such instances with the cooperation of the user, as it involves configuring the browsing device in a certain way that enables this kind of interception. If you access the internet from your workplace using a work computer, or any special configuration settings over and above logging in to the company’s WiFi hotspot or internet connection, it’s very likely that your internet activity is being monitored – potentially everything you transmit and receive, including passwords. If the office IT guy has been acting more weird than usual around you lately, now you know why.
HTTPS is not a silver bullet. Historically there have been notable instances of the ‘trusted’ third party networks that browsers are configured to recognize, having been breached by malicious actors, in an attempt to snoop on traffic from unsuspecting users. Despite its shortcomings, it remains one of the most simple and effective means of securing one’s internet traffic from third parties. Over the past few years, technology companies have attempted to enforce HTTPS adoption in numerous ways, such as Facebook mandating it in order to implement social logins. Google’s latest move is one of many to come, pushing for an eventual outcome where unsecured connections are no longer supported at some point in time.
All media for this piece is courtesy of the author