Why you should port your website to HTTPS now!

Saad Ulde
Published in Globant
7 min read · Jul 28, 2020

We’ve all heard the phrase “HTTPS is better than HTTP because it’s more secure”. While that is true, we need to understand the WHY behind it. What happens if I stick to HTTP? Are there any benefits of using HTTPS?

STATS OF WEBSITES USING HTTP AND HTTPS

Before we go into the pros and cons, let’s take stock of the current situation. Amongst the top million websites, roughly 50% use HTTPS for at least their sensitive APIs. It’s 2020 and just half of the publicly accessible websites are using HTTPS! Why should this worry you too? Let’s look at this with a hypothetical example.

SCENARIO

vulnerable-site.com is a forum-based website that was made in the mid to late 2000s. Tony has been a registered user since the early days and has been a respected contributor for years. He has a habit of sitting at his favorite coffee shop and browsing through the forum. Today he sees a GoT thread and a discussion about Season 8. He comments that it wasn’t that bad and soon gets into an argument with a couple of other users on the forum. After a heated debate on the forum, he decides that he has had enough, logs off and heads home.

Fast forward a couple of weeks and Tony is home watching Netflix, when suddenly he gets multiple messages from his friends (who were also on the forum) showing him screenshots of HIS offensive posts. After vehemently denying that he ever posted them, he tries to log in... and to his horror he realizes he can’t. He quickly realizes that his account was hacked, but he is confused... how? He was sure his password was secure and his device wasn’t stolen. So what gives?

SINISTER BACKSTORY

One of the users Tony argued with was Raymond, who worked in the same office as Tony, was a highly opinionated GoT fan and was triggered (obviously!). He decided to teach Tony a lesson. Like nearly all online trolls, he wasn’t brave (or rational) enough to confront Tony in person. He knew Tony’s routine, including his daily visit to his favorite coffee shop, and followed him there.

Unfortunately for Tony, Raymond knew a bit about computers and had the following information:

  1. Knew that the forum worked on HTTP.
  2. Knew the favorite coffee shop that Tony frequented.
  3. Knew that the coffee shop used an open guest network for the “convenience” of its patrons.

Armed with this knowledge, he started WiFi packet sniffing and captured all packets. Within seconds of getting the results and filtering for the forum’s website, he identified the API that was used to log in -

Intercept over the same network.

Since HTTP doesn’t use encryption by default, the user name and password are transmitted as text! But the keen-eyed amongst you must have noticed that the password looks encrypted. (Secure, is it? 😂 Keep reading...) It’s clear from the key that it has been hashed with the MD5 algorithm. Although MD5 isn’t technically broken, there is a huge (and growing) list of words being published with their respective checksums. With such a list, a basic dictionary or reverse lookup is enough to know that the “secure” password is… well… “Password12345”.
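Why the MD5 value in the captured login offers no protection, shown as an added example (not code from the forum or from the original post): an unsalted MD5 digest is deterministic, so one precomputed table resolves it, whereas server-side storage with a per-user salt and a slow KDF cannot be looked up this way. The wordlist is constructed, and the function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a public "reverse MD5" table.
COMMON_PASSWORDS = ["123456", "qwerty", "letmein", "Password12345"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the form seen in the captured request."""
    return hashlib.md5(password.encode()).hexdigest()


# Built once, then valid for every user of every site that hashes this way.
LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}


def audit_digest(digest: str):
    """Return the plaintext if the digest is in the table, else None."""
    return LOOKUP.get(digest.lower())


def store_password(password: str, iterations: int = 600_000):
    """Hardened server-side storage: random per-user salt plus PBKDF2."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_password(password: str, salt: bytes, iterations: int, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    print(audit_digest(md5_hex("Password12345")))   # found in the table
    print(audit_digest(md5_hex("kT7#vq-Lm29!xZrW")))  # not in the table
```

Salted storage protects the database, not the wire: the login request itself still has to travel over HTTPS.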

Let’s step back a bit. The above scenario was a hypothetical one and, although serious, it wasn’t that scary. For a truly horrid scenario, imagine for a second how insecure bank transactions would’ve been had they used HTTP instead of HTTPS. Anyone could potentially take away your life savings within seconds!

Some truly observant folks might point out that the attack was possible only because Raymond and Tony were on the same network. Well let’s test that theory out, shall we?

The scenario for the screenshot below is — I’m accessing the same website from my mobile which is connected to the WiFi network and is secured by a strong WPA2 password and MAC address whitelisting as an additional security layer. My laptop is currently not whitelisted to access the network so I am not connected to the WiFi network on which my mobile is connected, but I do know the SSID and shared key of the network. Let’s look at the sniffed packets again.

Intercept over a different network.

The way WiFi technology works inherently exposes a weakness: anyone can sniff the packets whether they’re connected to the network or not. As you can see, even without being granted access to the secure network I can still clearly sniff out the packets, albeit under certain conditions.

The scary part is that both attacks, when timed correctly, take only a few seconds to execute!

COULD HTTPS HAVE PREVENTED IT?

Coming back to the hypothetical scenario, at least the password was put through a hashing algorithm, but why take the chance? Let’s look at the capture of a login action on a website that uses HTTPS -

Intercept of an HTTPS request.

Even if someone tries to sniff the packets, they won’t be able to glean the usernames and passwords.

BACKGROUND AND ADVENT OF HTTPS

Now that we know why HTTPS is necessary, let’s step back and understand what HTTPS really is. HTTPS is essentially HTTP with encryption, implemented using SSL/TLS and a certificate. This certificate enables 2 key features that make it more secure — Encryption and Identity Verification.

Encryption — It is done by using the Public Key Infrastructure (PKI), in which anyone can use your public key (available to everyone) to encrypt data, but it can be decrypted only using the unique private key that you have. For an analogy, consider a letterbox: anyone can put letters in it, but only you can open it using your unique key.

Identity Verification — A third party, a.k.a. a certification authority (CA), trusted by both the sender and recipient, has the job of issuing a digital certificate of authenticity. This ensures that the recipient is who it claims to be and not someone impersonating it.

The long and short of it is that HTTPS provides more security by not only ensuring encryption but also identity assurance. That is why I wasn’t able to sniff data for the HTTPS website above.

This is WHY HTTPS is more secure than HTTP.

OTHER BENEFITS OF HTTPS

  • Better SEO — Way back in 2014, Google announced that sites using HTTPS will get a minor boost in SEO ranking on its pages.
  • Prevent Insecure notification — In 2018, Google announced that instead of labeling websites using HTTPS as secure, it will start labeling websites that use HTTP as insecure. A small but key change, if you think about it. This will not only push away potential visitors to the website, it will also leave a lasting impression that “this website isn’t secure” in their minds, and in a world where first impressions are everything, this could very well lead to a slow death of your website.

DISADVANTAGES

While HTTPS is much better than HTTP, it is not a silver bullet.

It is important that we know about its disadvantages as well -

  • By installing a fake certificate on your device, by using honeypots or by a bunch of other techniques, the security measures can be bypassed.
  • Cost — Setting up universally accepted certificates isn’t free. They generally need to be renewed yearly, which adds a periodic cost.
  • SSL/TLS has vulnerabilities — Although it is not a straightforward scenario, given the right circumstances even TLS has been proven to be ineffective.
  • Speed degradation — The additional step of handshakes, required for verifying the authenticity, can increase the load time of the page.
  • Mixed modes — Although a website could potentially be serving secure resources, it can be that the ads or social plugins on the page aren’t operating over HTTPS, which can lead to your website being marked as “insecure”.
  • Insecure encryption — SSL/TLS allows the server and client to decide which encryption they want to use. While all available encryption options are secure, there is a chance that a misconfigured server can use outdated encryption which can expose some vulnerabilities.

That being said, the benefits far outweigh the disadvantages.
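The “Mixed modes” point can be checked before a migration goes live. This added example (not from the original post) scans an HTML page for subresources that would still be fetched over plain HTTP; the sample page, its host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource for the page.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: navigation, not a subresource
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel="canonical" and similar are metadata, not fetched
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))


def find_mixed_content(html: str) -> list:
    """Return (tag, url) pairs for every subresource loaded over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed page: an ad script and a social plugin still on plain HTTP.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://forum.example/site.css">
<link rel="canonical" href="http://forum.example/thread/1">
<script src="http://ads.example/banner.js"></script>
</head><body>
<a href="http://other.example/">plain link</a>
<img src="//cdn.example/logo.png">
<iframe src="http://social.example/like-button"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(tag, url)
```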

TAKEAWAYS

Let's address the obvious ones -

  • As a website owner, you must port it to use HTTPS ASAP.
  • As a user, always look for the secure sign in the URL and avoid websites that don’t have it.

Avoid public WiFi — If you’re not paying for the data, you are the data!

But what if you really need to use a website that uses HTTP? What precautions can you take?

  • Use a VPN service. It will encrypt the data from your device to the VPN service provider. This will prevent any WiFi sniffing attacks at the source.
  • Always use incognito/Private mode. This won’t prevent data from being sniffed but will add some measure of protection.
  • If you intend to just browse for information like a blog post, it should still be okay.

But for performing sensitive operations like authentication or purchases, first ask yourself: is it really needed? If the answer is still yes 😑 then follow these steps to reduce the risk. (Ideally, you should be following these anyway!) -

  • Use a secure password of at least 15–20 characters that has one each of uppercase, lowercase and special characters and is unreadable. Ideally, use a password manager.
  • For such a complex password the risk of a readily available reverse MD5 lookup is slim.
  • Never reuse passwords even for trivial websites.

And remember, just because you can use HTTP sites for sensitive operations doesn’t mean you have to!

DISCLAIMER — Although the scenario is fictional, the forum website is real and has been alerted about the flaw.

Technical Architect @Globant. Gamer. Potterhead. Security Enthusiast.