29 Jul, 2020

HTTPS is Becoming a Necessity

Browsers are becoming increasingly strict about the types of connections they allow. Here's why having an SSL certificate and additional protection with ThreatSign keeps your site secure.

The need for any serious website to have HTTPS protection has become clear. Sites that let users log in or submit forms need protection to keep transactions secure. Plus, any site that uses unencrypted HTTP will get a lower search engine rank.

Up to now, simple, static websites haven't faced so much of an issue, but this is changing. In a few years, websites without security will be the exception. Web experts and search engines will regard them as second-class sites. Accessing them will result in warnings or even outright blocking, even if they don't ask for any user input.

To operate a secure website, you need a TLS (SSL) certificate. It's easy to get one for free from Let's Encrypt and other sources. The Quttera DNS-based Web Application Firewall (WAF), part of the ThreatSign anti-malware service, provides a free SSL certificate. It enables HTTPS communication with no need to install or configure the certificate on your site.

The latest developments

For some time, major browsers have presented warnings if a user goes to a non-secure page that contains a form. Now they're extending warnings to all pages that don't use HTTPS. Open an HTTP page in Safari, and it will admonish you with "Not Secure" in the address bar. Google Chrome does the same. Some browsers are subtler; Firefox shows a padlock with a red slash through it. It means the same thing.

Browsers are getting even more strict. Firefox version 80 is adding an option where the browser will allow only HTTPS connections. If a link or the address the user types uses HTTP, it will try to upgrade the connection to HTTPS. If it can't find an upgraded connection, it will block access. Unlike the HTTPS Everywhere extension, which upgrades connections only for sites known to support the protocol, the new Firefox feature attempts to upgrade any HTTP pages it finds.

This setting isn't the default; a user or administrator has to turn it on. It turns off access to many legitimate sites, but offices with strong security concerns may decide the tradeoff is worth it. Browsers that use the new option won't be able to reach HTTP-only sites.

Many pages are only partially secure. The page itself uses HTTPS, but it incorporates elements, usually images, that are loaded over plain HTTP. Browsers vary in how they treat these pages. Those non-secure elements can be read or altered in transit even though the page around them is encrypted.
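As an added example (not code from the original article or from Quttera), here is a small Python checker that parses the HTML of an HTTPS page and lists the subresources still referenced over plain HTTP, separating the kinds browsers block outright (scripts, frames, stylesheets) from the kinds they merely warn about (images, media). The hostnames in the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources that can run code or restyle the page ("active" mixed content,
# which browsers block) versus ones that only display media ("passive",
# which browsers usually load with a warning or try to upgrade).
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute url) for every http:// subresource

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, kind in ((ACTIVE_TAGS, "active"), (PASSIVE_TAGS, "passive")):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                # Resolve relative and protocol-relative ("//cdn/...") references
                # against the page URL; only an explicit http:// scheme is mixed content.
                url = urljoin(self.page_url, attrs[attr])
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("the page itself must be served over https")
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (hostnames are made up for this example).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/img/local.png">
<iframe src="https://embed.example.test/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.example.test/page", SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> loads {url}")
```

Protocol-relative and site-relative references resolve to HTTPS and are not reported; only an explicit http:// reference is flagged.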

The reason for the changes

What's the reason for this shift? Non-interactive sites may not seem to pose a security risk in the way ones with user forms do. But man-in-the-middle attacks can compromise them as well. A malicious relay point can alter links or inject unwanted or dangerous ads. It can replace an entire page with counterfeit data.

Public Wi-Fi hotspots are highly vulnerable. Connections to them aren't encrypted, and it just takes some simple equipment to intercept communication with one. Alternatively, criminals can create a public hotspot, give it a name that sounds like an authorized service, and then use it to manipulate any connections people give it.

Another trick is DNS manipulation. Criminals or state actors trick a DNS (Domain Name System) server into providing incorrect IP addresses. Traffic intended for a legitimate website goes to a rogue one instead. With an HTTPS connection, the browser will warn the user that the certificate doesn't match the site's name. A plain HTTP connection won't give any warning.

Many people use proxy servers to conceal their identity or bypass restrictions on access. The people who announce that a free proxy is available aren't always honest. They could alter or replace any content that passes through them. They could replace ads on a page with their own, and most people would never realize it was happening.

Your own Internet service provider could be manipulating what you see. In 2014, Comcast was caught injecting ads into pages accessed on its public Wi-Fi hotspots. The owners of the pages hadn't consented. There have been reports of similar ad injection on a smaller scale by local access point owners. If those pages had used HTTPS, no hotspot could have injected ads.

Some objections (and why they're wrong)

The most common reason for not upgrading a website to HTTPS is simple procrastination. No matter how simple it is, it's a change that has to be scheduled. It competes with other needed work.

"Tomorrow" is always easier than "today," but an indefinitely postponed tomorrow could be too late.

Some site owners are afraid they'll lose their existing traffic because they're changing their URLs. But browsers are designed to upgrade requests to HTTPS. Most users don't even type in the protocol prefix anymore, but instead count on the browser to get it right.

There's the concern that doing HTTPS wrong is worse than not doing it at all. It's a legitimate point. An expired or invalid certificate triggers a full-screen browser warning, not just a polite "not secure" notice. But doing it right isn't very hard, and Quttera can make it easier.

The objections are easy enough to overcome, and the consequences of not having HTTPS protection are growing more serious. Browser messages discouraging the use of non-secure sites will become more conspicuous. It will become more common for users to have to confirm access to those sites, and in some cases, their browser settings won't let them do it at all. Procrastination isn't viable anymore.

Get a free SSL certificate with ThreatSign

Making a website secure requires multiple layers of protection. Quttera's WAF is available as part of ThreatSign website protection, guarding your site against targeted attacks. It's available in Endpoint (local) and DNS (remote) configurations. In the DNS configuration, we install a free SSL/TLS certificate on our server, which inspects and filters all traffic before it touches your systems. If you prefer, you can provide a certificate from any recognized certificate authority.

You don't have to do anything to configure it; all you need to do is adjust your DNS settings. Visitors to your site get secure pages. They can log in and fill out forms without the fear that someone else is reading them. No one can add advertisements to your pages or vandalize them while in transit. With ThreatSign protection and a secure connection, you can be confident that your site is well protected.