Security in Obscurity

An article by Jeff Stein

The Importance of HTTPS to your Website

Enterprise Security Magazine, July 2019

This article was originally published in Enterprise Security Magazine. A copy of the publication and article can be found here.

---

Protecting a website requires an undivided focus not only on the web assets and code contained on a site but also on the transmission of data traversing the internet itself. The importance of leveraging HTTPS as a part of a comprehensive web security strategy cannot be overstated. Not only should HTTPS be considered fundamental in protecting data in transit across the web, but it can also play a very significant part in building customer trust in your website and security posture.

As the secure version of HTTP, the network protocol for accessing websites across the internet, HTTPS leverages encryption to ensure the confidentiality of data transmitted between an internet browser and the web. Historically, HTTPS has been leveraged where confidentiality is required. The most common use cases have been website functions such as authenticating to the site or carrying out financial transactions, such as online purchases from an e-commerce site.

At a high level, the encryption used by HTTPS is based on Public Key Infrastructure (PKI). A website obtains a public certificate for its site, signed by a trusted public certificate authority. This public certificate, issued to the website and signed by a publicly trusted certificate authority, creates the foundation for HTTPS on that website. The certificate contains information about the website and defines the encryption protocols that will be used to transmit data securely between the website and the internet browser.

Whether referred to as SSL (the legacy encryption protocol), TLS (the modern encryption protocol) or HTTPS (the secure network protocol used for connecting to a website), the need for the secure transmission of data across the internet is important for several reasons. Attacks such as “Man in the Middle” (MITM), which attempt to trick users into providing data to attackers instead of the resource intended, can be leveled against your website if you do not leverage HTTPS. Additionally, a malicious actor can take advantage of non-HTTPS sites by using DNS spoofing to connect a user to a rogue website which can misrepresent the information and purpose of the legitimate site. When HTTPS is used in this scenario, the legitimacy of your site is preserved because a user will receive either connection errors or certificate errors in their browser during the attacker’s attempt to use DNS spoofing against the secured site.

Furthermore, the trust your visitors and customers place in your website can be validated through HTTPS. This validation is possible because the certificate associated with any site using HTTPS can be reviewed in the web browser. Traditionally you may recognize the green security symbol or padlock icon that indicates this to users. The certificate behind that icon includes the name of your company as well as its address, and it has been signed and vouched for by a public certificate authority. This helps build trust with your site visitors and assures them that they are reaching your website as expected.

With the importance of HTTPS fundamentally accepted by the larger security community, including security frameworks such as NIST Special Publication 800-63B, there has been a more recent trend which supports leveraging HTTPS not just in cases where the confidentiality of data is required but across your entire website. This includes non-confidential areas such as the image locations used on your site. The justification for using HTTPS across all areas of your site includes combating malicious attacks which might take advantage of non-encrypted portions of a website to exploit the confidential sections that do use HTTPS. Ensuring your entire site uses HTTPS helps you preserve the integrity of your website against exploitation of its non-encrypted portions.
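As an added example (not part of the original article), the following Python script scans a page's HTML for sub-resources such as images, stylesheets and scripts that are still referenced over http://, which is exactly the kind of non-encrypted portion the paragraph above warns about. The sample HTML and the example.test hostnames are constructed for the demonstration.

```python
# Mixed-content checker: lists sub-resources an HTTPS page still loads over plain
# HTTP. Added example, not the article's code; the sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that pull in sub-resources (browsers block or warn when these are
# fetched over http:// from an https:// page); <a href> is navigation, not mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
}

class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()):
                self.refs.append((tag, name, value.strip()))

def find_mixed_content(html, page_url):
    """Return (tag, attr, absolute_url) for every sub-resource fetched over http://."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, value in collector.refs:
        # srcset holds comma-separated "url descriptor" pairs; keep only the URLs.
        urls = ([p.split()[0] for p in value.split(",") if p.strip()]
                if attr == "srcset" else [value])
        for raw in urls:
            # Relative and protocol-relative references inherit the page's https scheme.
            absolute = urljoin(page_url, raw)
            if urlsplit(absolute).scheme == "http":
                findings.append((tag, attr, absolute))
    return findings

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script></head><body>
<img src="/images/logo.png"><img src="http://static.example.test/banner.png">
<img srcset="http://static.example.test/hero.png 1x, https://static.example.test/hero@2x.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://www.example.test/"):
        print(f"mixed content: <{tag} {attr}> loads {url}")
```

Run against the constructed page it reports the stylesheet, the banner image and the 1x srcset entry; the protocol-relative script and the site-relative logo resolve to https and are not flagged.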

Outside of the security aspects of leveraging HTTPS across your website, there is a significant need for full HTTPS to ensure the continued trust your visitors place in your website. For example, the validations which users can access in their web browser to confirm that your website is secure will be impacted if you have not used HTTPS across all portions of your website. Major web browsers, including Firefox, now give users notice that while the website does use HTTPS, it is not secure because not all portions are leveraging encryption. As far back as 2014, Google has called for full encryption of a website and announced in a blog post that it would begin to use HTTPS across a website as a signal in its search ranking algorithms. Because of such industry trends pushing for adopting HTTPS across an entire website, the business impact associated with HTTPS should be elevated to ensure you are not losing the trust of your customers, or web traffic due to a drop in rankings in web searches for your site.

In my personal experience as a Staff Security Engineer for Edelman Financial Engines, which provides personalized investment advice to over 1.1 million clients across the United States, I find that not only internet-facing assets should be leveraging HTTPS but internal resources as well. Leveraging either a public certificate authority or an internal certificate authority which has been built to sign public certificates for your internal resources will help your employees validate they are accessing genuine resources and not malicious sites posing as your internal-facing assets. Additionally, you may be surprised at the data that traverses your internal network unencrypted, without HTTPS in place.

HTTPS should always be considered an important part of your web security posture. With growing industry trends embracing HTTPS not only for confidential portions of your website but in its entirety, HTTPS should be considered not only fundamental but business critical. Embracing HTTPS across your website will not only ensure a strong security posture but also preserve the trust you have built between your website and your visitors, which is important to maintain the success of your site and business.
