View across the paddock.
Secure All The Things
Wednesday, 04 July 2018 12:53 Hrs
❝ In an era where censorship is on the increase and trust is being eroded, if you own or use a website that uses HTTP and not HTTPS, you are contributing to the problem.

This blog is 🎂 10 Years Old.

Ten years on and the way I create a post hasn't changed much. This post starts as an idea and I use a Python3 script to create a partially filled text source file. I edit the YAML metadata [0] at the top of the file then write the guts of the post in Unicode and annotate in Markdown with Vim. To generate the WWW site, I use a bunch of python3 scripts and templates using Make. You see the result through your browser as plain HTML, CSS and no JavaScript. At the server end, my DNS points to my domain name and serves this WWW site via HTTP.

Until today.

From now when you point your browser to my site, it will be served in HTTPS instead of HTTP. [1] The WHY is more interesting than the HOW. [2]

Why https?

"Think if it like this - if you could make a webpage do absolutely anything you like as if you had built it yourself, what would you do? That’s the threat HTTPS is protecting people from." Troy Hunt [3]

So why bother with HTTPS? This week, The Tor Project reported [4] how websites were being interfered and censored, directly as a result of using HTTP. The report details a sophisticated operation conducted by a nation state at telecommunications level. The motivation, the suppression and disruption of news and profit. Using HTTPS makes this difficult. At its simplist, using HTTPS over HTTP through encryption, data integrity and authentication allows:

  • What you read is not intercepted directly by third parties. (Encryption)

  • What you read is not tampered by third parties. (Integrity of data)

  • What you read, is what is intended. (Authentication)

Enabling encryption, third parties reading data between the reader (CLIENT using a browser) of a document on the web site (web page on SERVER) cannot decrypt the message.

http + 🔒 = https

This makes tampering with the message being read, magnitudes harder than unencrypted HTTP. [6]

Not convinced?

In an era where censorship is on the increase and trust is being eroded, if you own or use a website that uses HTTP and not HTTPS you are contributing to the problem. Some further reading:

State of Web Browsers in 2018

All modern Browsers will now show HTTP websites as insecure and HTTPS websites as secure. Interesting note, Microsoft is shifting all users from Internet Explorer to Edge, removing "VBScript, JScript, VML, Browser Helper Objects, Toolbars or ActiveX controls" and is still reported as being the least secure browser.

Internet Fundamentals

Understand these basic Internet concepts. HTTP and TLS are Internet protocols, while HTTPS is an extension of HTTP.

Technical

As a part of the Tor Program, the Open Observatory of Network Interference is an attempt to understand and map attempts to interfer with Internet traffic.

  • OONI (Open Observatory of Network Interference)

Reference

[0] The YAML describes the posts metadata and is inspired by the Jekyll/Hyde YAML Frontmatter format. <https://jekyllrb.com/docs/frontmatter/ >

[1] For a crash course on HTTP, read "A cartoon intro to DNS over HTTPS" by Lin Clark <https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https >

[2] A five minute setup installing an SSL certificate, then make sure HTTPS is served by adding a .htaccess file. You can read about how to get a certificate at Let's Encrypt. <https://letsencrypt.org >

[3] Troy Hunt, responding to a thread on HTTP vs HTTPS and security threats. The thread starts here: <https://twitter.com/troyhunt/status/1014084238092611584 > and the referenced tweet <https://twitter.com/troyhunt/status/1014287831970168834 >

[4] The Tor Project: "Egypt didn't just censor the internet. It profited from it. Many blocked sites were redirected to affiliate ads and cryptocurrency mining scripts." <https://twitter.com/torproject/status/1013859982876561408 >

[5] The Tor Project, 2018, July 02, "New OONI & AFTE Report Details The State of Internet Censorship in Egypt" <https://blog.torproject.org/egypt-internet-censorship >

[6] Secure your site with HTTPS <https://support.google.com/webmasters/answer/6073543?hl=en >

―~♞~―

bio Another Scrappy Startup ☮ ♥ ♬ ⌨

alt url seldomlogical.com/https.html

contact Peter Renshaw

← HOME ↖ UP TOP ↑