The letters HTTP stand for HyperText Transfer Protocol. Transfer protocols handle the movement of data between one computer and another. The internet isn’t made up exclusively of webpages, but when computers around the world serve up webpages they use this Hyper Text Transfer Protocol to transmit the Hyper Text Mark-up Language scaffold and the ornaments we hang on it. One web, one protocol. We have Tim Berners-Lee to thank for that. We still have him to thank.
As the web foamed out of CERN to spread information between scientists, little thought was being given to security. Why make something secure if the point was open sharing? HTML docs were supposed to be as simple as possible, to make information easy to index and share.
Well, things haven’t stayed simple. Back in 2004 at ITP I watched Dedi Hubbard and Joe Versoza build their Ptooie project, a robot flower whose state of health reflected the security of information being passed on the network. Ptooie found passwords being passed “in the clear” and shouted them out, wilting with deepening sadness the more insecurity it found. Handing around passwords was something relatively new that web pages were being asked to do, and many web developers weren’t implementing it well. Those who attend DEF CON will recognize the connection to the long-running Wall of Sheep. It still runs, and it still catches people.
HTTPS, “HyperText Transfer Protocol, Secure,” helps keep what’s being passed between your web browser and the server private to your browser and that server. It’s obvious why that would be necessary on pages with passwords and financial data, but why on random sites that don’t seem to “do” anything?
- If the default state of the web is insecure traffic, it’s too easy for content that’s supposed to be secure to be pushed out with a largely insecure page. The reverse is also true: insecure content can run (I’m looking at you, ad networks) in pages that are supposed to be secure, causing vulnerabilities. This is called “mixed content.”
- Libraries can tell you the importance of keeping what you’re browsing private. Right now anyone on the coffee shop WiFi can tell who just asked webmd.com about that rash (clearly for a friend). I kid you not. Sitting with your back to the wall doesn’t cut it. The network sees all.
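Mixed content is easy to introduce and easy to miss by eye, so here is a small checker for it. This is an added example, not code from the original post or from any project it mentions: it walks a page’s HTML with Python’s standard-library `html.parser`, resolves every sub-resource URL against the page URL, and reports any that would be fetched over plain `http://`. Scripts, stylesheets and frames are reported as “active” mixed content (they can change what the page does); images and media as “passive” (they can be observed or swapped). The page URL and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that load sub-resources. Active content can run code or
# restyle the page; passive content can only be observed or replaced.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentParser(HTMLParser):
    """Collects (severity, tag, resolved_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for severity, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, a in table:
                if tag != t or not attrs.get(a):
                    continue
                # A <link> only fetches something when its rel says so.
                if tag == "link" and attrs.get("rel", "").lower() not in ("stylesheet", "preload"):
                    continue
                # Relative and protocol-relative URLs ("//cdn/x.js") inherit the
                # page's scheme, so resolve before checking.
                url = urljoin(self.page_url, attrs[a])
                if urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] for sub-resources loaded over http://
    by a page served at page_url. A page served over http:// has no *mixed*
    content: all of it is in the clear, so nothing is reported."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="//ads.example/tracker.js"></script>
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://images.example/banner.gif">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://shop.example/cart", SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

Run on the sample, it flags the stylesheet (active) and the banner image (passive) and leaves the protocol-relative tracker and the `https://` script alone. Browsers already block active mixed content, but the fix belongs on the server: serve every sub-resource over HTTPS, or send a `Content-Security-Policy: upgrade-insecure-requests` header so the browser rewrites stray `http://` references itself.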
The good news: starting in 2017 Google will be using its market share to push back on companies that don’t care about your security. If you can’t wait, you can set up a Chrome warning now. Another recommended install is the EFF-sponsored Chrome extension HTTPS Everywhere. Also look into the Brave browser, a high speed, high privacy browser that enables payments for content creators. (Thanks Dedi/@kweerious)
For those managing a website, Let’s Encrypt makes it easier, and free, to get the necessary certificates to switch to HTTPS. The Internet Security Research Group (ISRG) provides this service to further their mission to “reduce financial, technological, and education barriers to secure communication over the Internet.” Google has posted a handy page on the move from HTTP to HTTPS as well. If a beloved site seems to be struggling with the switch, maybe it’s a chance to get involved!
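Getting a certificate is the first step of the switch; the site also has to stop answering usefully over plain HTTP. As an added example (not code from the post, Let’s Encrypt or Google’s guide), the check below takes the response head a server returns for an `http://` request and for an `https://` request and reports the three things a migration most often leaves undone: the plain-HTTP response is not a permanent redirect to `https://`, the HTTPS response carries no `Strict-Transport-Security` header (or a short `max-age`; the one-year minimum is an assumption of this example), and cookies are set without the `Secure` flag, so a browser would still send them over HTTP. The response heads are constructed samples of a site before and after the switch.

```python
def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, headers).
    Header names are lower-cased; repeated headers (Set-Cookie) keep every value."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(header_value):
    """Return the max-age from a Strict-Transport-Security value, 0 if absent."""
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return 0


def assess_https_migration(http_head, https_head, min_hsts_age=31536000):
    """Return a list of human-readable problems; an empty list means the
    site redirects to HTTPS, pins it with HSTS, and keeps cookies off HTTP."""
    issues = []

    status, headers = parse_response_head(http_head)
    location = headers.get("location", [""])[0]
    if status not in (301, 308) or not location.startswith("https://"):
        issues.append("plain-HTTP request is not permanently redirected to https://")

    status, headers = parse_response_head(https_head)
    age = hsts_max_age(headers.get("strict-transport-security", [""])[0])
    if age < min_hsts_age:
        issues.append(f"Strict-Transport-Security missing or max-age {age} below {min_hsts_age}")

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            issues.append(f"cookie {name!r} is set without the Secure flag")

    return issues


# Constructed response heads. www.example is a placeholder hostname.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly
"""

AFTER_HTTP = """HTTP/1.1 301 Moved Permanently
Location: https://www.example/
"""

AFTER_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    # A site that serves the same page on both ports has all three problems.
    for issue in assess_https_migration(BEFORE, BEFORE):
        print("before:", issue)
    print("after:", assess_https_migration(AFTER_HTTP, AFTER_HTTPS) or "no issues")
```

Feed it real response heads captured with any HTTP client (`curl -I` prints exactly this shape) and the empty list is the goal; each line it prints is one thing the migration guide linked above covers.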
Like all other security measures HTTPS isn’t perfect, but it’s certainly an improvement. I love the Ptooie project and the Wall of Sheep for making HTTP’s lack of security visceral. This has been a known problem for a long time. I hope these projects inspire folks to start requiring HTTPS from websites at last.