The State of HTTPS
The importance of securing all web traffic and why Utah should take the lead
SecureUtah.org is dedicated to working within Utah to promote HTTPS as the only delivery method for all web traffic. The primary purpose will be to track the HTTPS usage and configuration of websites for a selected group of Utah companies and organizations along with local governments and the subdomains of Utah.gov.
Currently the website content and tracking features are being finalized with a target beta deployment in February 2016.
Why choose HTTPS?
All web traffic should be delivered securely between a website and its visitors. HTTPS is the network protocol that, when properly implemented, creates a secure, encrypted communications channel that protects the data as it travels over an insecure Internet.
Integrity & Authenticity
HTTPS provides a way for a website owner to deliver their content to the visitor exactly as it was designed and without any code inserted or removed by a third party. The security components within HTTPS require that the website authenticate itself to the visitor’s browser at the very beginning of a connection while also allowing the visitor to perform validation checks against the server’s authentication claims.
The Network is Hostile
The path that web traffic takes across the Internet is often unpredictable and increasingly unsafe. Unencrypted web traffic is regularly intercepted, shamelessly manipulated, and arbitrarily censored, often without the visitor or website owner knowing that these actions are taking place. With HTTPS the website can only be delivered whole or not at all. HTTPS encloses all of a website’s data, defending against in-transit snooping and tampering as it moves through an unfortunately adverse environment.
All Traffic is Sensitive
Regular HTTP connections to unencrypted websites are a privacy vulnerability and they often expose potentially sensitive information. Such information could include physical location identifiers, camera and audio feeds, search terms, medical conditions, political interests, family problems, or personal reading material. Extensive correlation of visited websites is done and deep databases are created in an attempt to uniquely identify each user and classify their individual personalities. Content that is accessed and read as part of scholarly research or even because of simple curiosity could be misconstrued as indicative of a person’s true beliefs. HTTPS helps prevent third parties from gleaning insight into the specific content a website visitor looks at. All websites should be given an equally high level of privacy and protection, whether they be social, financial, medical, legal, political, or religious.
You Love Your Users
It is the ethical duty of a website owner to provide their visitors with the most secure and safest connection method available. Enabling HTTPS directly benefits a website’s users while indirectly helping the larger Internet — encrypting a website’s traffic removes a number of malicious avenues of attack often used by bad actors. With an abundance of online forums, resources and guides, the technical process of adding HTTPS is a solved problem for the large majority of websites. The dollar cost to a website owner to obtain the required HTTPS authentication certificates has dropped to zero. With clear security benefits and the prevailing technical and financial hurdles of the past all but gone, choosing to provide HTTPS is now a matter of principle that should be eagerly embraced.
Two of the major web browsers have announced plans to move away from insecure HTTP connections and embrace an all-HTTPS web. Mozilla announced they will gradually reduce the features that Firefox can use over an insecure connection. Google wants to flag HTTP connections as actively non-secure. They are also working on developing and promoting a number of other background technical processes that help make HTTPS connections happen quickly, reliably, and more securely.
Two of the Internet’s primary technical standards bodies have recently released statements in support of ubiquitous HTTPS. The IETF/IAB and W3C help define the development and construction of Internet communication and web traffic. Their strong support for HTTPS serves as a bellwether for how the Internet of the near future will take shape, and it would be wise to start planning now in order to follow their guidelines:
May ’14 — IETF RFC 7258: Pervasive Monitoring Is an Attack
Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.
Nov ’14 — IAB: Statement on Internet Confidentiality
The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic.
Jan ’15 — W3C TAG: Securing the Web
The Web platform should be designed to actively prefer secure communication.
July ’15 — W3C TAG: End-to-End Encryption and the Web
[We support] the pervasive use of strong end-to-end encryption for web communications.
Utah’s established IT companies, booming software startup scene, and profitable VC industry are earning well-deserved attention due to their high quality services and smart business practices. Implementing the current best methods for securing their customers’ web traffic is a natural fit for companies that seek to distinguish themselves as technical leaders.
Utah’s social culture places great value on personal responsibility, preparedness for the unforeseen, doing what’s morally right, and proactively giving service to our neighbors and fellow citizens. Choosing HTTPS provides an opportunity for website owners to apply these attributes to the online realm and do what they can to protect the activity and data of their visitors.
No other state has stepped up to promote and adopt HTTPS as a common-sense public safety initiative. Utah, as it has in many other areas of public policy, can and should set a good example and take the lead in advancing online safety. Utah.gov has received over 100 awards, more than any other state website, and it should continue this trend by moving the entire Utah.gov domain space to HTTPS.
What will be tracked?
SecureUtah.org will contain two publicly-viewable website tracking components. The first will track selected websites from a large variety of Utah-based public and private entities: law firms, prominent companies, startup incubators, coding clubs, media outlets, trade groups, banks and credit unions, non-profit organizations, charities, social services, healthcare, and many others. The second component will track some city and county government domains along with the many subdomains of Utah.gov.
The tracking components test whether a website offers HTTPS and, if so, evaluate whether it has been correctly configured to meet current recommended best practices. Websites will be scored based upon the extent and quality of their configuration. Methodology for tracking and scoring will always be public.
SecureUtah.org will provide links to technical resources and guides for website owners to assist them with deploying and configuring HTTPS.
After a beta version of the site is launched, SecureUtah.org will begin contacting the owners of all tracked websites to notify them that they are included.
The code for SecureUtah.org will be maintained on GitHub.com and will always be open for review and comments.
The following articles and posts have directly inspired the creation and fueled the development of the SecureUtah.org project. For a deeper understanding of why HTTPS, secure communications, and user privacy are important for the modern web, please click on the titles below.
Traditionally, the arguments in favor of HTTPS have been for integrity, privacy, and identity. If a message is encrypted by a server before it’s sent to your computer, and it’s done in such a way that only you can decrypt it, you can have a high level of confidence that the message you receive is the message the server sent (integrity), and that you’re the only one who opened it (privacy). Further still, because of the initial handshake that makes all this possible, you know that the server you’re talking to is the one you want to talk to, and not someone else pretending to be the server (identity).
Without HTTPS, there’s a couple of points in the route each request must take that could allow a third-party to intercept, or worse, modify your request or its response as it travels over the open internet.
— Ben Balter
Anyone who has taken a network security class knows that the first rule of Internet security is that there is no Internet security. Indeed, this assumption is baked into the design of the Internet and most packet-switched networks — systems where unknown third parties are responsible for handling and routing your data. There is no way to ensure that your packets will be routed as you want them, and there’s absolutely no way to ensure that they won’t be looked at.
Indeed, the implications of this were obvious as far back as ARPANET. If you connect from point A to point B, it was well known that your packets would traverse untrusted machines C, D and E in between. In the 1970s the only thing preserving the privacy of your data was a gentleman’s agreement not to peek. If that wasn’t good enough, the network engineers argued, you had to provide your own security between the endpoints themselves.
My take from the NSA revelations is that even though this point was ‘obvious’ and well-known, we’ve always felt it more intellectually than in our hearts. Even knowing the worst was possible, we still chose to believe that direct peering connections and leased lines from reputable providers like AT&T would make us safe. If nothing else, the NSA leaks have convincingly refuted this assumption.
— Matthew Green
HTTP has become central to today’s way of life. HTTP is currently the primary protocol for applications used on computers, tablets, smartphones, and many other devices.
As our dependency on the internet has grown, the risk to users’ privacy and safety has grown along with it.
Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace.
Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.
When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.
— White House Office of Management and Budget
Q. But there’s nothing secret on my site! Why should I bother with encryption?
A. HTTPS isn’t just about encryption. It also provides integrity, so your site can’t be modified, and authentication, so users know they’re connecting to you and not some attacker. Lacking any one of these three properties can cause problems…
In other words, as long as your site is not secure, it can be used as a weapon against your users and against other web sites. More nonsecure sites means more risk for the overall Web.
— Richard Barnes
I see companies and government asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to “interpret censorship as damage”.
In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.
What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.
— Eric Mill
People who want to access your site are at risk. You know how many people. If it’s reasonably cheap to do so — and it is reasonably cheap — are you willing to make an affordance for these people to be more secure and have a better experience when accessing your site?
— Alec Muffett