Go to the profile of John Teague
John Teague
Founder of GEMServers Hyper-Performance WordPress and DBaaS hosting.

HTTPS: Overcoming the culture of lazy security

Culture of lazy security

Hosting companies and developers have known for a long time about the benefits of HTTPS Strict Transport Protocol. Still, the majority of active websites don’t deploy HTTPS functionality. In fact, SSL (Secured Socket Layer) currently protects only 1.1% of all web sites, and fewer than 0.1% of all sites are SSL by default (meaning every page in the site is HTTPS). [1.”SSL by Default Usage Statistics,” last modified March 14, 2016, http://goo.gl/HP9WMY.]

The benefits of using SSL to protect web sites and servers are clear. So why does it remain such a low priority? The answer is that developers and hosting companies have undermined the broad use of SSL, using outdated arguments to avoid deploying HTTPS. To move web security into the 21st century, educated consumers must start demanding that their web sites get the protection they deserve, and better security for the entire web.

Historical objections to deploying HTTPS

Several objections have been historically used to undermine the broad use of SSL. Common arguments against deploying HTTPS by default include:

  • “If it ain’t broken, don’t fix it.”
  • “SSL certificates are too expensive.”
  • “Technical requirements are troublesome and complicated.”
  • “SSL is a performance killer.”
  • “Only certain kinds of sites or pages need SSL protection.”

These objections have lingered from the days when some of them were legitimate concerns. But now, when I see “experts” using stale objections that don’t apply to current web technology, I’m left with the feeling that such “experts” are creating and sustaining what I call the culture of lazy security. Believe me, there’s nothing good that comes out of lazy security. So, let’s overcome those debunked arguments, and get you on the security bandwagon.

Overcoming objections to implementing SSL by default

Myth: If it ain’t broke, don’t fix it!

No greater nonsense has ever been spoken or written in the world of technology. If it ain’t broke, don’t fix it is exactly the same as saying if you ain’t sick, don’t see your doctor! What these people are really saying is that they are willing to accept the odds of known problems. Preventive web security, like preventive medicine, catches issues when they’re easy to deal with, or avoids them altogether. Without prevention, a previously unknown issue can suddenly become deadly. In the websphere, the naive thought that bad things only happen to other people’s sites quite often leads to tears.

SSL is simply good preventive medicine.

At GEMServers, we don’t wait until a server breaks or a security vulnerability gets exploited before we take action. We also don’t ignore known problems. We constantly fix, update, and maintain our servers precisely to prevent serious problems before they occur. You might be shocked by the number of very large and popular hosting companies that wait for things to break instead of instead of taking preventive measures. These are the same companies that argue against broad-based deployment of HTTPS.

Myth: SSL certificates are too expensive.

SSL protection free of charge!

No, they’re really not. Not only can you find quality SSL certificates for under $10.00 a year, you can also take advantage of recently released no-cost options. GEMServers deploys Let’s Encrypt domain validated certificates that secure every site on our hosting platforms — at no cost to our clients. But whether you find a host that includes SSL as part of the package, use a hosting company that deploys Let’s Encrypt, or you purchase your certificate for a few dollars a year, SSL certificates are anything but expensive.

Now that we’ve put the cost factor to bed, let’s deal with the technical problem.

Myth:Technical requirements are troublesome and complicated.

The truth is that the list of technical, configuration, and ancillary setup tasks needed to add full SSL support for a web server is quite small. Moreover, nearly all mainstream Linux distributions, like Debian, Centos, Red Hat, and many others, include very easy installation and configurations for SSL. Configuring the latest Apache and NGINX web servers is something even a novice system administrator can handle with ease. It is true that older technologies required a dedicated IP address for each SSL enabled site. But with the introduction of SNI, that is no longer needed. Web hosts that claim that a dedicated IP is necessary are most likely selling it as an add-on revenue source, or they deploy out-of-date server stacks.

Are there technical requirements for SSL? Sure. Are they difficult? Hardly. But what about performance?

Myth: SSL is a performance killer.

Turbocharged CDN? Check out Highwinds!

Hosting companies traditionally squeeze resources until the server screams. Their profit is directly tied to how many accounts they can jam onto a given server before that server starts complaining. In the past, adding HTTPS increased CPU usage and prevented caching of certain file types. Because of this, hosting companies discouraged it.[2.”HTTPS & WordPress — Do You Really Need It?,” last modified September 23, 2014, http://goo.gl/ZQzV7x.]

In years past, SSL did have an adverse impact on server performance. This was primarily due to increased CPU load on less-than-beefy servers. But now, modern server hardware, operating systems, and web servers are barely impacted at all. Furthermore, with the development of HTTP/2, the impact of running your site under SSL has become miniscule.

There is one point on performance to be made against SSL. Sites running under SSL lose the capability to locally cache certain types of files, including images. If your site is image heavy, you should consider using a good Content Delivery Network (CDN) to serve your supporting files. I recommend Highwinds CDN. In fact, if your site falls into that category, you should use a CDN — with or without SSL.

And now we come to the objection I most love to hate.

Myth: Only certain kinds of sites or pages really need SSL protection.

One of the more common responses to questions about using SSL is that it only applies to sites that deal in certain types of data. Many developers claim that simple blogs, and low traffic sites, and those that don’t accept payments really don’t need SSL. [3.”Does Your Website Really Need SSL?,” last modified September 22, 2014, https://goo.gl/xpMOIu.] In fact, here is one from 2012, from a trusted name in the WordPress space, claiming to describe a nice way around SSL. Even though I respect this author, in my opinion, this was poor advice, and I’m hoping he’s changed his mind since then.

Yes. the sharks are watching.

I could write a single blog post on this fallacy alone because it should long ago have given up the ghost. But the fact that developers and web hosts still believe this is proof that we haven’t come very far when it comes to the bigger picture. Rather than embracing a proven technology that makes everyone’s websites more secure, the naysayers seem to do everything

they can to discourage site owners from taking a simple, inexpensive step to secure their sites and site visitors. This is that culture of lazy security I keep referring to, and it needs to change.

Just because you are not forced to do something that’s good for you and your neighbors doesn’t mean you shouldn’t do it. The level of sophistication cyber criminals use to glean information about users and site visitors is remarkable. Good hackers are patient hackers. So just because you don’t use forms that ask for personal information, or make direct sales from your website, it doesn’t mean there isn’t plenty of data that can be used as a piece of a hacker’s prize puzzle.

WordPress is the most used website CMS platform on the planet — we’re talking millions of active websites. By default, the open source version provides the grandaddy of security vulnerabilities. When you and your users log in, you send username and password over the open wire. It is very easy for hackers to use traffic sniffing software to grab that information. Want to see how easy it is? Check out this post for the lowdown:

And once they have one site username and password, statistically they have login credentials to many accounts. That’s because humans tend to use flat, simple login and password combinations. You can imagine, then, that it’s not a huge jump to get your Twitter account hacked…or your iTunes account…or your Google mail account. See where this is going? Again, we see the perfect collaborative pattern used: the culture of lazy security.

One note: WordPress.com (the commercial blogging company), forces SSL for logins and for all sites that use wordpress.com domain names. They also support the Let’s Encrypt project. That is a huge step in the right direction, and they are to be commended. Once they force SSL for personal domains on their service, they’re gold in my opinion.

Finally, there’s the utility aspect of security. The more people who use HTTPS by default, the greater the overall benefit for all good web folk. Encryption is not just a nice thing to have a around, or something for the online rich and famous. Encryption is absolutely necessary to combat a rapidly growing cyber crime problem that cause real, sometimes irreparable damage. So if you’re a developer, or a hosting company, or a well-educated site owner and consumer, you are now well armed to respond to the objections. And most of all, you can start a movement toward better security for all.

This just in. . . .

Our friends at Wordfence just released a blog post resulting from a study they performed on the serious consequences of having your site hacked. They specifically address how this negatively impacts search rankings, and the difficulty and time it takes to correct that side effect.

Sources cited:

  • Go to the profile of John Teague

    John Teague

    Founder of GEMServers Hyper-Performance WordPress and DBaaS hosting.