HTTPS-only option

Posted June 13, 2014 by David Redekop to Security

In support of the Reset The Net campaign (by the good folks at fightforthefuture.org), we built a new feature we boringly call HTTPS-only.

HTTPS is as different from HTTP as sending a security-sealed envelope is from sending a postcard. So, in an over-simplified nutshell, we’ve prepared this image:

(image: https-vs-http)

Many mainstream Internet services already offer their service over HTTPS, but have not discontinued HTTP. A good example is YouTube: you can visit it via HTTP or HTTPS, and neither option is forced. This makes sense for YouTube, because clear-text HTTP can be cached by proxies along the way, which means faster, smoother viewing for some end users. That is especially valuable in remote areas where good-quality bandwidth is not yet a reality.

However, the vast majority of Internet users have enough bandwidth to live with an HTTPS-only policy. If that’s you, and you want the additional benefits of an HTTPS-only profile, here is what you would experience if you landed on youtube.com via HTTP rather than HTTPS:

(image: httpsonly)

JavaScript on the page you land on will attempt to redirect you from http://www.youtube.com to https://www.youtube.com (if the site offers HTTPS, which YouTube does). Otherwise your browser stays on that page. Note that this is an upgrade, not a fallback: for a site that does not serve HTTPS at all, you remain on the interstitial rather than being sent on over clear-text HTTP.
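As an added illustration of that redirect step (example code written for this page, not DNSthingy’s own interstitial script), the following JavaScript builds the HTTPS equivalent of the URL the browser landed on and, using an injectable probe, redirects only when the HTTPS origin actually answers. The function names, the HEAD-probe strategy, the 3-second timeout and the sample URLs are assumptions of the example.

```javascript
// Added example: client-side upgrade of an HTTP landing URL to its HTTPS
// equivalent, in the spirit of the interstitial redirect described above.
// Function names, the probe strategy and the sample URLs are this example's
// own assumptions, not DNSthingy's code.

// Build the HTTPS equivalent of an http:// URL, preserving host, path,
// query string and fragment. Returns null when no upgrade applies.
function httpsEquivalent(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;                      // not a parseable absolute URL
  }
  if (url.protocol !== "http:") {
    return null;                      // already https, or ftp:/file:/etc.
  }
  // The URL parser already drops an explicit ":80" (the http default), so
  // after the scheme change the https default of 443 applies. Any other
  // explicit port is kept as-is: we cannot know what the operator runs TLS
  // on, and the probe below tells us whether it answers.
  url.protocol = "https:";
  return url.href;
}

// Default probe: does the HTTPS origin answer at all? A HEAD request in
// no-cors mode resolves even for cross-origin responses we cannot read
// (http://host and https://host are different origins); a network or TLS
// failure rejects, which is the signal we want. Assumes fetch() and
// AbortController exist, i.e. a modern browser or Node 18+.
async function httpsAnswers(httpsUrl, timeoutMs = 3000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    await fetch(httpsUrl, { method: "HEAD", mode: "no-cors", signal: controller.signal });
    return true;
  } catch (e) {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Decide where to send the user. `probe` is injectable so the decision
// logic can be exercised without network access. Resolves to the target
// URL, or to null meaning "stay on the interstitial".
async function upgradeTarget(landingUrl, probe = httpsAnswers) {
  const candidate = httpsEquivalent(landingUrl);
  if (candidate === null) return null;
  return (await probe(candidate)) ? candidate : null;
}

// In the interstitial page itself you would call something like:
//   upgradeTarget(location.href).then(t => { if (t) location.replace(t); });
// location.replace() keeps the plain-HTTP page out of the back history, so
// the Back button does not silently land the user on HTTP again.
```

The probe is deliberately separate from the URL rewrite: the rewrite is pure and easy to reason about, while "does the site actually serve HTTPS?" is the only part that needs the network, and it fails closed (stay on the interstitial) on timeout or TLS error.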

Here are some good reasons you might want to force https in some environments:

  • Policy enforcement. You may have a written policy that certain computers or staff may never submit confidential information over insecure channels. Enforcing HTTPS technically backs that policy and dramatically reduces the risk of it being violated unknowingly or unintentionally.
  • Raise the bar against identity-theft and drive-by malware sites. Such sites have overwhelmingly been served over plain HTTP; an SSL-protected site requires a certificate, which can generally be traced back to individuals in a company, and you can even “follow the money” in terms of who paid for it. Treat this as a deterrent rather than a guarantee: a legitimate SSL site can be compromised for a period, and nothing stops an attacker from buying a certificate of their own.
  • Prevent sniffers on the path from intercepting your traffic for man-in-the-middle attacks, privacy violations, content redirection, ad insertion, profiling you, and so on. Just imagine what a postcard in transit allows compared to a sealed envelope.

The biggest benefit of this kind of enforcement is that it removes the dependence on end-user education, and with it a significant class of risk.

Over the coming weeks we will release this feature to public users of DNSthingy along with our own results of going about our day with an HTTPS-only enabled profile.

More to come…