In light of Google finally kicking off their plan to mark plain-old-HTTP as insecure in Chrome…
…some are wondering whether encouraging all sites to move to HTTPS is worthwhile.
Q: Does everything need to be HTTPS?
Selectively encrypting only “secret” information creates several problems:
- First, it marks the encrypted traffic as a clear target for interception. If only high-value information is encrypted, then attackers know that some given attack on TLS is probably worth mounting on all HTTPS traffic, since it’s likely high-value traffic. Conversely, if everything is encrypted, attacks that take some amount of effort become much harder to target.
- Similarly, even if no feasible attack is available, an attacker can optimistically store HTTPS traffic, assuming one day they’ll make progress in cryptanalysis or buy faster supercomputers (or quantum computers!), and decrypt it months or years later. This is infeasible if “everything” is encrypted.
- It also marks the encrypted traffic as a clear target for filtering by oppressive parties.
- What even is “secret” information that deserves to be encrypted? My ISP may not care what I’m reading on nytimes.com, but repressive governments certainly do care what human rights activists, journalists, et al are looking at. And more trivially, I care if a search for weather at my home leaks my address to everyone on the network at my local café1.
- Finally, insecure HTTP is an attack vector; anyone on the network can inject code into any page you visit via HTTP, and that could be a 0-day exploit for your browser or (more likely) a Flash or Java exploit. This can’t happen with HTTPS traffic. Unscrupulous ISPs have also been known to replace ads on web pages with their own ads, or just inject their own ads into web traffic regardless of what’s on the page.
1: This is just an example. I rarely use public Wi-Fi, and if I do I connect through a trusted VPN. Don’t @ me.
As always, I welcome discussion and feedback; I’m @cdzombak on Twitter.