The State of HTTPS

The importance of securing all web traffic and why Utah should take the lead

Relevant Bio

'90s:  Internet native / BBS addict

2013:  First InfoSec con:  SAINTCON

2015:  HTTPS advocate:  SecureUtah.org

Always:  The Ethos of Tron

Background & Disclaimers

The Ugly:  HTTP abuses

The Bad:  HTTPS objections

The Good:  HTTPS justification

The Future:  Utah

HTTPS: What is it good for?

Data Integrity    In-transit Privacy    Server Identity

Background

This is not new territory

Web:  HTTPS / TLS

Email:  S/MIME, PGP / GPG

Mobile:  Signal, WhatsApp

Voice:  Signal, WhatsApp

If default is your desire

HTTPS does not prevent:

Metadata collection

  • What ISPs Can See
    • DNS request
    • Domain name
    • IP address & port
    • Session initiation
    • Session length
    • Session activity
    • Session volume

Disclaimers

HTTPS does not prevent:

  • Client or server compromise 
    • Seek professional help
       
  • De-Anonymization 
    • Seek professional help

What HTTPS attempts to protect against:

  • Eavesdroppers 
    • Public WiFi Snoopers
    • Perversive Trackers
    • Dodgy ISPs
    • Prismatic Spinal Taps
       
  • Mischief-Makers in the Middle 
    • Cookie Thieves
    • Tor Exit Nodes
    • Code Injectors
    • Nosy Nations
    • Redirections to Imposters

Reasons to prefer HTTP

...that aren't really reasons for actual website owners

You are an ISP and want to sell out, annoy, and/or track customers as they move across the web

You are SIGINT and you want an easy way to inject code or track individuals

You are a frumpy government and you want to block only some pages of a website

You engage in BGP attacks for fun, profit, or malice

You retain the web traffic you carry... just in case

Mandatory / regulatory traffic inspection

  • Healthcare, Education, Enterprise, Mil, Gov
    • Install private root certs to selectively decrypt
    • Invasive end-point monitoring (keylogging)
    • Aggressive traffic analysis
    • Block entire domains
    • Forced adaptation

Reasons to not use HTTPS

...that just aren't that strong of a reason anymore

Excuse: Encryption decreases server performance

Excuse: TLS requires a dedicated IP address

Excuse: Certificates cost money

Excuse: Can't serve lucrative relevant useful ads

Excuse: Configuration and management are too hard

Rebuttal: Mozilla provides an extensive guide

Excuse: HTTPS errors produce confusing warnings

Rebuttal: Chrome '15:  Improving SSL Warnings - PDF; video

Rebuttal: View your browser's warnings:  BadSSL.com

Excuse: Indifference

Rebuttal: Seek professional help and/or change jobs

Reasons to enable HTTPS

...that are very good reasons if you are a conscientious website owner

Censorship sucks

 The whole principle is wrong; it's like demanding that grown men live on skim milk because the baby can't eat steak.  -  Robert A. Heinlein

 The Net interprets censorship as damage and routes around it.  -  John Gilmore

 Censorship reflects a society's lack of confidence in itself. It is a hallmark of an authoritarian regime.  -  Potter Stewart

Reduce unsanctioned tracking

  • W3C TAG: Unsanctioned tracking is harmful
    • "...unsanctioned tracking is actively harmful to the Web, because it is not under the control of users and not transparent."

The network is hostile

IETF RFC 1122:  In general, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect.

Tor nodes should be assumed to be dangerous

Alec Muffett asks:  Do you love your users?

Firefox & Chrome are moving away from HTTP

HSTS helps force HTTPS connections

You provide sensitive information

  • Content that deserves a higher level of privacy and security:
    • Domestic violence
    • Sexual abuse
    • Suicide help
    • Mental health
    • Symptoms about any medical condition
    • A wide range of personal and social issues that
      have the potential to be stigmatizing

You collect sensitive information

  • Login - username and password

  • Contact Us - forms that request customer info

  • File upload - images, video, PDFs, résumés

  • Geolocation - address, ZIP code

Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security

Everyone is doing it

Internet & web standards bodies

Major websites switch to HTTPS

News outlets

  • NY Times:  privacy, security, content authenticity
  • Washington Post:  privacy, security, anti-censorship
  • JustSecurity.org:  privacy, security, content integrity
  • Lawfare.com:  block trackers, anti-censorship, content integrity
  • The Guardian:  privacy, security, content integrity, SEO

OMB creates HTTPS-Only Standard

Tony Scott, Federal CIO, issues mandate for all Federal websites:

Full Memorandum  [PDF]

...Empower USA's TLAs?    #patrioticbackfire

Stewart A. Baker, former NSA general counsel, from the Risky Business podcast #412, starting at 51:25

     A lot of the reaction to Snowden was not wanting the U.S. in their communications.  But the first thing that Silicon Valley did was say 'we need more HTTPS, more TLS.'  And, ironically, that probably empowered U.S. intelligence, vis-a-vis the intelligence agencies and the law enforcement agencies of the rest of the world, more than any other technical development since international cables, because it meant that people who'd been getting communications between two Brazilians just by tapping their lines couldn't do it anymore because the communications were going straight back to Hotmail encrypted and the only way to get it was to get it at the server and that meant going hat-in-hand to the U.S. Government and saying 'could you help us investigate this crime.'

User requirements

Very easy!  Probably not a good idea...

Train them to avoid visiting HTTP sites...

     with electricity!
 

The Web Training Collar:

Why HTTPS?

Server-side implementation is solvable for a growing majority of websites

 

Client-side compatibility is handled by keeping the OS and browsers up-to-date

Choosing to enable HTTPS is now a matter of principle

  • Integrity & Authenticity
  • The Network is Hostile
  • All Traffic is Sensitive
  • You Love Your Users
  • Best Practice

The State of HTTPS?

SecureUtah.org

Why Utah?

Utah has received well-earned national attention for a pro-business environment and its many successful technology and software companies.

Utah is a perfect candidate for promoting online safety, and it can (and should!) lead by example.

Currently there's almost no HTTPS advocacy work happening at the State level.

UtahWatch.org

Tracking HTTPS support of Utah websites

Information

Testing & Configuration

Inspiration

Thank you!!!

Twitter:  @SecureUtah

The State of HTTPS

By J0NJ4RV1S
