Plain-text sites are stuck with a technology from 20 years ago.
Before you go building a brand new HTTP website, think long and hard about 1999… In 1999:
- The global population hit 6 billion (we are well over 7 billion today),
- Intel introduced the Pentium III processor,
- Fight Club and The Matrix were released in theaters,
- and HTTP 1.1 was new.
That’s right – HTTP 1.1 is from 1999 (actually, the first RFC is from 1997). So when you access a site over HTTP today you are using a technology that is 18 years old. Do you still work on a computer with a 400 MHz processor and 128 MB of RAM? No? So why serve your webpage from an equally outdated technology?
When HTTP/2 was finalized in 2015 it was the first upgrade to the HTTP protocol in more than a decade. It brought loads of improvements – multiplexing, server push, header compression, and ditched the need to set up multiple TCP connections. Sounds great, right? So you should make sure your website is using HTTP/2 since it’s a huge upgrade to HTTP 1.1.
There is just one ‘catch’ – all browsers require you to support HTTPS in order to use it.
That’s a good thing. Absolutely every site – new and existing – needs to be using HTTPS. Now, we know migrating an existing site can take time (we hope you have started working on that, or at least have a detailed plan). But new sites have no excuse. This is your chance to build everything from the ground up to be the best that it can be.
Here is why you want to use HTTPS:
More Than Just Encryption
We often hear people say that they don’t need HTTPS because users don’t need to login or the content of the site “isn’t sensitive.”
The problem is that this ignores the multiple benefits that HTTPS provides. It isn’t just about encryption (which is hugely important) – you also get integrity and authentication.
Integrity means that the data you send from your server is the same data your visitors will receive – with nothing added or removed along the way by network tampering from an ISP, government, or other pesky person (more on this at the end).
Authentication ensures that you – and your users – are actually connected to your server. Over HTTP, anyone could be responding to requests to access your server. That is pretty shocking when you think about it.
HTTPS prevents man-in-the-middle attacks and network re-routing – so no other server can pose as you. This is a risk no matter who you are. Network attackers don’t have to target you – they can just start redirecting any and all sites. You want your users to know who they are really talking to.
Security AND Speed
It isn’t a small difference either. On real world sites using lots of images and multiple origins, HTTP/2 can shave seconds off a load time.
So if you (or your bosses) think your site is fine without security, is it also fine being slow?
HTTP/2 & HTTPS Are the Future
HTTPS has essentially been declared the future of the internet. That’s because HTTP/2, the first new version of the HTTP protocol since 1999, will only work with HTTPS. All major browsers decided this was the best choice for the future of the web.
Without HTTP/2 you are stuck on that old, tired HTTP 1.1. Do you really want your new website to rely on technology from the last millennium?
It isn’t just HTTP/2 that is being ‘gated’ by browsers. Mozilla and Google are restricting their browsers’ most powerful features to HTTPS. Browsers are becoming the home of modern applications – and they are making websites take some responsibility when using features that expose sensitive user data or access. That’s why geolocation, device orientation, AppCache, and notifications are among the features that require HTTPS.
Eventually, Mozilla wants to ‘sunset’ HTTP “after which all new features will be available only to secure websites.”
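The feature gating described above comes down to a browser asking whether a page's origin is trustworthy. The following is an added example, not code from the original article or from any browser: a simplified version of that origin test, run over constructed sample URLs. The function names are hypothetical, and it assumes only the page's own URL matters (real browsers also check ancestor frames).

```javascript
// Added example: simplified "potentially trustworthy origin" test, modelled on
// the secure-context rules browsers use to gate features.
// Assumption: only the page's own URL is examined; ancestor frames are ignored.

// Features the article lists as requiring HTTPS.
const GATED_FEATURES = ['geolocation', 'device orientation', 'AppCache', 'notifications'];

// Loopback hosts are treated as trustworthy so local development still works.
function isLoopbackHost(hostname) {
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (hostname === '[::1]') return true;
  // Any address in 127.0.0.0/8 counts as loopback.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; } // unparsable: not trusted
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  if (url.protocol === 'file:') return true;
  return isLoopbackHost(url.hostname);
}

// For each URL, report which gated features a page served from it could use.
function featureReport(urls) {
  return urls.map((u) => {
    const secure = isPotentiallyTrustworthy(u);
    return { url: u, secure, available: secure ? GATED_FEATURES : [] };
  });
}

// Constructed sample URLs (not taken from the article).
const SAMPLE_URLS = [
  'https://example.com/',
  'http://example.com/',
  'http://localhost:8080/',
  'http://localhost.example.com/', // look-alike name, not loopback
];

for (const row of featureReport(SAMPLE_URLS)) {
  console.log(`${row.url} secure=${row.secure} features=[${row.available.join(', ')}]`);
}
```

In a real page the same answer is exposed to scripts as window.isSecureContext.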
HTTP is Not Secure
…And your browser is not afraid to say it. Google Chrome has been leading the charge here. At the beginning of this year Chrome added a “Not Secure” warning to some HTTP pages. Since then that warning has expanded – later this year it will appear on all HTTP pages when browsing in Incognito Mode. Firefox has a similar warning for pages that accept logins over HTTP.
This warning will continue to expand – just last month Chrome engineers wrote “we plan to show the ‘Not secure’ warning for all HTTP pages.”
Protect Your Users & Your Site
Unfortunately the ISPs who we pay for our Internet access are more interested in squeezing extra profit from our data than protecting it. Give these providers a way to tamper with your website and they will.
It’s unfortunate, but clear: If you don’t provide privacy to your users, nobody else will.
Users don’t want to worry if the history of every page they visit is being cataloged, stored, and sold; and you don’t want to worry about what could be happening once data leaves your server.
Using HTTP means compromising your users’ privacy, opening your site up to network tampering (which can hurt performance and interfere with how your site is displayed), and dealing with the security risks of man-in-the-middle attacks. What a headache. Just use HTTPS!