Should All Sites Use HTTPS by Default?
While few e-commerce sites fail to protect sensitive data with the HTTPS protocol, many sites continue to use the less secure HTTP for some functions.
A recent HP Security Research study found that a surprising 18 percent of 2,000-plus mobile applications from Global 2000 companies send user names and passwords via HTTP rather than the more secure HTTPS. Further, of the 82 percent of apps using HTTPS, 18 percent had not implemented it correctly.
E-commerce websites fared better, according to a recent study by High-Tech Bridge, a Swiss provider of security services such as penetration testing and malware analysis. Using its own ImmuniWeb tool, which verifies SSL certificates and implementations, High-Tech Bridge found that just two of the 100 largest e-commerce websites lacked SSL certificates and none had expired or untrusted certificates.
Still, High-Tech Bridge CEO Ilia Kolochenko said he was disappointed to find that many sites do not consistently use HTTPS. Just two sites used HTTPS by default to ensure consistent data encryption, he pointed out.
HTTPS Not Always On
While only seven sites failed to enforce the use of HTTPS for such sensitive operations as login, checkout and payment, nearly three-quarters of the 100 sites do not use HTTPS for other customer activities such as managing shopping carts or searching for items, High-Tech Bridge found. And 33 sites display non-SSL content together with SSL content on their pages.
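As an added example, not taken from the article or from High-Tech Bridge's ImmuniWeb, the following Python script shows the kind of check behind the two findings above: given the HTML of a page served over HTTPS, it flags subresources loaded over plain HTTP (mixed content) and links or forms that send the user back to HTTP. The page URL, hostnames and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource of the page.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                     ("link", "href"), ("video", "src"), ("source", "src")}
# Attributes that send the user (or their form data) to another page.
NAVIGATION_ATTRS = {("a", "href"), ("form", "action")}

class HttpsAudit(HTMLParser):
    """Collect http:// references in an HTML document served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []      # subresources loaded over plain HTTP
        self.plain_nav = []  # links/forms that take the user back to HTTP

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/x) references
            # against the page URL before looking at the scheme.
            target = urljoin(self.page_url, value.strip())
            if urlsplit(target).scheme != "http":
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.mixed.append((tag, target))
            elif (tag, name) in NAVIGATION_ATTRS:
                self.plain_nav.append((tag, target))

def audit_page(page_url, html):
    """Return (mixed_content, plain_http_navigation) for one fetched page."""
    parser = HttpsAudit(page_url)
    parser.feed(html)
    return parser.mixed, parser.plain_nav

# Constructed sample: an HTTPS checkout page that still pulls a script over
# HTTP and sends the cart form and an old search link back to plain HTTP.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/analytics.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css">
<link rel="stylesheet" href="/static/checkout.css">
</head><body>
<form action="http://shop.example.test/cart/update" method="post"></form>
<a href="/search?q=shoes">Search</a>
<a href="http://shop.example.test/search?q=shoes">Old search</a>
<img src="https://shop.example.test/logo.png"></body></html>"""
```

Protocol-relative (`//host/...`) and site-relative references inherit the page's HTTPS scheme and are correctly left unflagged; only absolute `http://` targets are reported.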
Kolochenko said many companies "are still living in 2003" in regard to SSL. While using HTTPS a decade ago had a tendency to slow site performance, he said there are few remaining concerns when it comes to speed or search engine optimization (SEO).
As proof, Kolochenko notes that both Twitter and Facebook now use HTTPS by default. Both sites initially offered always-on HTTPS as a user option before migrating all users to HTTPS.
According to a post on Twitter's blog, "HTTPS is one of the best ways to keep your account safe and it will only get better as we continue to improve HTTPS support on our Web and mobile clients."
Writing on a Facebook blog in July, software engineer Scott Renfro said: "Turning on HTTPS by default is a dream come true, and something Facebook's Traffic, Network, Security Infrastructure and Security teams have worked on for years."
Other large sites are also introducing always-on HTTPS. The Wikimedia Foundation, owner of Wikipedia, in August announced it had enabled HTTPS by default for users of its sites due to "recent concerns over the privacy and security of our user community."
The Electronic Frontier Foundation, in its explanation of the HTTPS Everywhere project (a browser extension that forces always-on HTTPS connections on websites that support the feature only on an opt-in basis), notes that HTTPS proponent Google is working to reduce any remaining performance gap between HTTP and HTTPS.
In addition to making it harder for hackers to intercept unencrypted data, Kolochenko said HTTPS can improve online security by making users less susceptible to phishing scams. If sites used HTTPS by default and users were trained to avoid sites that use only the HTTP protocol, phishing would be "almost useless," Kolochenko said.
The Online Trust Alliance also advocates the use of always-on HTTPS. Craig Spiezle, executive director and president of the alliance, said, "All sites and mobile apps must recognize the importance of securing the data transmitted between users and their sites. Banking, social, government and e-commerce share this responsibility to implement these best practices to better protect consumers from harm. Always-on SSL and HTTPS are effective measures to enhance the security and privacy of users. Failure to adopt unnecessarily puts users in harm's way."
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.