No, the Web is not safer or more secure for adopting the HTTPS protocol. In fact, the Web has never realized any legitimate security benefit from using HTTPS protocol, not even on ecommerce Websites. Unfortunately, recent advances in the propaganda campaign coming from people who should be smart enough to know better are beginning to convince more and more corporate decision-makers to convert their Websites to use HTTPS protocol.
People, of course, are naturally curious. They don’t normally have to keep up with all this felgercarb so the HTTPS debate has taken many people by surprise. I see more people asking “how does HTTPS make HTTP more secure” every week. Technically, it doesn’t work like that.
HTTPS Is a Separate Communications Protocol from HTTP
You can run both HTTP and HTTPS protocols on the same domain name. Technically they look like two distinct Websites to search engines and Web browsers but the average person doesn’t recognize the difference.
The HTTP is an acronym for “Hyper Text Transfer Protocol” (some sources say “Hyper Text Transport Potocol”).
The HTTPS is an acronym that is variously defined as “H(yper)T(ext)T(ransfer)P(rotocol) over SSL” or “HTTP secure”.
SSL means “secure sockets layer”.
In order for HTTPS to work, you need three things:
- A Web server that can use HTTPS
- A browser that can use HTTPS
- A security certificate that tells the browser to trust the Website
The SSL technology is used by applications like email programs and Web server software to encrypt the little information packets that browsers and servers exchange. Whatever you do on the Internet is broken down into small strings of data that contain an “envelope” identifying you and the machine you are trying to connect to and a “body” that consists of the data that you send to the server or that the server sends back.
It takes a lot of these packets, as they are called, to construct a typical email message or Web page. Every action you take on the Web results in some of these packets being sent off to multiple servers. Your browser has to resolve domain names by asking DNS servers for help and then it has to send all your packets to the Web server.
The idea behind HTTPS is that someone can set up a Website that pretends to be the site you want to reach. If your browser can verify the actual machine that hosts the site you want to reach, it can bypass any fake Websites.
Sadly, HTTPS Does Not Prevent Website Fakery
Hackers quickly figured out ways to get past the defenses of the HTTPS protocol. They can set up their own fake certificates and use those to send you to a different Website. Your browser may tell you there is something wrong with the security certificate of a Website (and there often are problems with legitimate security certificates) but it cannot tell you if the security certificate is fake or helping the wrong Website.
What is worse is that any Web server can create its own security certificates and many do. But the browsers have been programmed to expect only certificates that are hosted by “trusted” designated third-parties. Some of these companies have been hacked through the years (one even went out of business after being hacked). So bad people can sometimes get into the trusted databases and make life interesting for everyone.
Most people don’t realize that you have to pay an annual fee for these certificates. Furthermore, it’s not easy for everyone to install them. In fact, if you pay for low-cost Web hosting (just a few dollars a month) you probably cannot even use a security certificate. They require dedicated IP addresses (although there are ways around that).
In addition to the dirty tricks above, anyone can set up an HTTPS Website, buy a legitimate certificate, and then send out emails or publish articles on the Internet that contain links pointing to Websites that pretend to be sites you are already familiar with. These kinds of “phishing” sites are often used to trick people into logging in to fake services so that their usernames and passwords for the real Websites are handed over to the data thieves.
Worse, Your Browser Is Not Really as Secure as You Think It Is
All modern Web browsers released in the past few years support HTTPS protocol. You don’t have to do anything to your browser to get it to work with an HTTPS connection. All that is taken care of for you. But browsers do some really stupid things. For example, if you type your password into a Web page it will almost certainly use what is called a “Password Input Control” — a little box that replaces the characters in your password with asterisks (*). These asterisks are there only for display and to make you feel safe. Your password is still unencrypted in the browser.
Some hackers have found ways to trick browsers into sharing the data they have stored for various Websites and forms. This is illegal and the people who write Web browser software have taken measures to make it hard to get to that data, ut sometimes they can get to it. They may install software on your computer or even in your browser itself that tells the browser to send that data to some location on the Internet.
So your browser will offer you the chance to click past security certificate warnings, it pretends to encrypt your password, and it may be compromised by malicious software that tries to steal your login data.
So far, HTTPS has failed to make HTTP more secure and we’re still just talking about the browser.
The Packets are Encrypted When Sent to Browser, Email Client, or Server
So once you hit SEND or click on a link or do something that causes your computer to start communicating with another computer on the Internet, if the other computer tells your computer that it needs to use the HTTPS protocol your browser or email client will do this automatically.
What this means is that your computer agrees on a set of “keys” with the other computer that they will use to encrypt and decrypt all the packets sent between them. The thinking is that if your Internet Service Provider wants to record all these packets somewhere they will only get unencrypted envelopes and encrypted bodies. You may be using what is called a Proxy Server, which stands between your computer and whatever computer you are connected to. The encrypted packets are supposed to pass through the Proxy Server to the other computer — but that doesn’t always happen.
Whether it is your computer or the other one the receiving machine decrypts the packets and then performs whatever task it needs to. That may be to add your login information to a database, assemble an email message, or put together a “Web page” (or document). Usually both computers pass information back and forth for a while, but every time the packets arrive at one machine or another they are decrypted.
Remember that any malware can be installed on any computer, so after your information has been decrypted it is once again vulnerable to being read by malware. The HTTPS protocol only defended your information for a fraction of a second.
And Proxy Servers Now Regularly Decrypt Your Packets
There are several different types of proxy servers. However, it is difficult to use a non-HTTPS proxy server to connect to a machine that is using HTTPS. In fact, modern software is supposed to reject an unencrypted connection coming in to an HTTPS application.
So if you use a Proxy Server for any reason to connect to a secure HTTPS site that Proxy Server has to use the HTTPS protocol as well. And that means your Proxy Server can either pass your encrypted packets through to the other machine or it can just interact with your computer. A trusted Proxy Server will act as the destination machine. Your computer trusts the Proxy Server because you or someone responsible for configuring your computer told it to trust that Proxy Server. The Proxy Server thus receives your encrypted packets, decrypts them, and then figures out where they must go.
At this point the Proxy Server becomes the client on your behalf and it opens up a secure connection to the machine you really want to get to. So the Proxy Server encrypts your data again (this time using keys your machine does not use) and it communicates with the destination machine.
All this happens transparently and you may know you are using a Proxy Server (this is very common for people connecting to corporate VPNs, for example) but you don’t actually see what is happening. So while advocates of adopting HTTPS for all Websites insist that the proxy servers will not be able to grab your data for themselves, that is not entirely accurate.
Meanwhile, the Server Just Throws Away the Encryption
So remember that you have been told that using HTTPS protocol will make your HTTP data safer and more secure. But once that encrypted data reaches the destination machine it just decrypts the packets and encryption is no longer part of the picture.
If the guy who set up that other Website is smart he will use some sort of encryption to protect his server’s data files but frankly it rarely takes hackers a long time to get into the data. In fact, most Web servers do not encrypt their customer data. So even if they all switch to using HTTPS your data remains vulnerable to theft and unauthorized scrutiny.
Just how safe do you feel now?
Technically, whenever someone says that changing a Website to use HTTPS makes the site safer that simply is not true. The Website is unencrypted. Hence, if you’re thinking that your boss or the government won’t be able to see what you are seeing, all they have to do is grab a normal Web browser and visit the same Website. The basic location information for the site is NOT encrypted because it is in the envelope, which many machines may have to read before the data is finally delivered to the destination machine.
That is how the Internet works: machines blindly receive data intended for other machines and then pass that data on to one or more of the machines to which they are connected. Your data may pass through 10 to 30 computers before it reaches its proper destination. The envelopes tell all those machines where to send the data. So even though they cannot read it they can tell anyone who wants to know where your messages went and which servers whose Websites you are browsing.
For Webmasters the Problems are Worse
Now that you know HTTPS will not in any way protect your visitors’ data once it reaches your Website you may be wondering why people are demanding that everyone change over to this useless protocol. Ignorance and fear are the only answers I can think of. But some supposedly very smart people and companies (like Google and Automattic, the makers of WordPress) are telling the world to “make the Web safer by changing to HTTPS”. It’s insane. It’s stupid.
And it will cost many Webmasters money. Security certificates may cost as little as $30 a year. Dedicated IP addresses may cost as little as $1 a month. Many people may decide that $42 a year is a small price to pay, but if your Website doesn’t make money that starts to make your hobby expensive.
If you are using a subdomain on a service like WordPress.com or Blogspot.com your site is probably already using HTTPS (for free). So you don’t have to install anything. But, again, the Website itself is not encrypted. Just the packets that flow out from the server to people’s browsers, which then decrypt those packets.
Implementing HTTPS encryption makes Websites run more slowly, thus degrading the visitor experience. Of course, there are ways to speed up Websites so if you know what you are doing or if you use a service that optimizes site speed for you then you probably won’t see much of a hit in performance.
But you’re still not done.
Google is Promising to Reward Websites that Use HTTPS
Earlier this year Google announced that it would give a slight ranking boost to Websites that use HTTPS. For now, they say, it’s not that big a deal. Nonetheless many greedy or foolish marketers immediately converted their Websites to use HTTPS and a lot of them regretted that decision.
Among the problems many people reported (besides the requirement for a dedicated IP address for the certificate) were:
- Fewer ads displaying on their sites (most advertisers don’t care about HTTPS)
- WordPress’ and other blog platforms’ plugins not working
- Broken certificates (they caused browser warnings)
- Sudden DROPS in rankings on Google
This was not the magically safe Web Google promised everyone. Google employees started fielding questions from marketers and had to point out that HTTPS does not protect Websites (or browsers) from being hacked. In August 2014 China easily conducted a so-called “man-in-the-middle” attack against Google itself, sending millions of Chinese Internet users to a proxy site controlled by the Chinese government. Google switched to HTTPS over a year ago.
Furthermore, publishers who depend on that advertising revenue had to change back or lose a lot of money. And some security certificated are quite expensive (they come with additional features). Some people paid up to $500 for their certificates. That’s an expensive mistake.
The ranking boost that comes for a site using HTTPS is minimal. I did get to see it in action back in April when Google was still testing this ranking boost. Someone accidentally created an HTTPS version of his Website. His navigation was broken but somehow Google found the HTTPS address and crawled as much of it as it could. The HTTPS Website was just pointing to the same files as the HTTP address so Google found the content it was looking for.
But because the links were broken visitors were looking at a broken Website (images were not loading properly, some navigation did not work, etc.). Google nonetheless promoted the HTTPS version of the Website above the HTTP site in its search results. So what was frustrating to the Website owner was that he saw the correct pages in the search results but because Google was boosting the HTTPS site above the HTTP site the searchers were visiting the broken site.
HTTPS Does Not Make the HTTP Web Secure and Safe
HTTPS does not even encrypt the Web. Websites are not encrypted so when you start using HTTPS you are only protecting information that is being copied from machine to machine temporarily for the space of a few seconds at most.
This campaign to move the Web into HTTPS is all for nothing. No Websites will be protected by the HTTPS and no users’ data will be protected by it.
Meanwhile, many Web hosting companies have begun promoting security certificates (and the additional required services) to their customers and new customers. You don’t need to buy these services but they will make it sound like you must or should. They make money off such sales.
And then there are the Content Delivery Networks that are starting to offer “free encryption” to their clients (or they sell premium HTTPS service). These CDNs are capitalizing on the environment of fear that Google and other companies have created by charging clients for needless services.
Yes, they encrypt their copies of your Websites’ packets. But when you use a CDN you host your Website on one server and then you allow the CDN to copy that site to their server. The CDN takes care of the security certificate for you (hooray!) and its machines communicate via HTTPS with the machines of the people visiting the CDN copies of your Website.
But the CDN passes that traffic back to your Website on your server … without any encryption. Remember, you’re using the free HTTPS service offered by the CDN so your actual Website does not encrypt any packets.
If someone is out there sniffing (capturing) the packets passing between the CDN and your server then all that HTTPS encryption is wasted.
There is no reason to change a Website to use this protocol. If you are using a shopping cart on your Website it will require a security certificate. That’s a shame but you might as well go through the motions because people MAY expect to see a secure connection on a Website that sells merchandise directly to the public.
So the next time you see someone say that “HTTPS will make the web more secure”, please point them to this article. Maybe it’s not too late to stop the madness. Let’s work together to debunk this nonsense before it causes any more economic harm.
