HTTPS Adoption Has Reached the Tipping Point (troyhunt.com)
Security expert Troy Hunt, who is perhaps best known for creating the Have I Been Pwned data breach service, argues that adoption of HTTPS has reached the tipping point, citing "some really significant things" that have happened in the past few months. From a blog post: We've already passed the halfway mark for requests served over HTTPS -- This was one of the first signs that we'd finally hit that tipping point and it came a few months ago. This is really significant -- Mozilla is now seeing more secure traffic than it is non-secure traffic. Now that doesn't mean that most sites are now HTTPS because that figure above has a huge portion of traffic served from a small number of big sites. Twitter, Facebook, Gmail etc. all do all their things over HTTPS and that keeps that number quite high. Hunt also cited security aficionado Scott Helme's recent analysis, which found that the number of websites in Alexa's top one million that have adopted HTTPS more than doubled in the year from August 2015 to August 2016. Troy adds: Browsers are holding non-secure sites more accountable. Chrome 56 is now holding sites using bad security practices to account (by flagging a "Not secure" label in the address bar when you visit such websites). Many sites you wouldn't expect are now going HTTPS by default. (He cites websites such as Ars Technica and the NYTimes as examples.) Making more cases for his argument, Hunt adds that HTTPS sites are not as slow as they used to be, and that services such as Let's Encrypt and Cloudflare have made it free and easy to deploy this security feature.
HTTPS negotiation was never the "slow" part - it's always been the Javascript, single-pixel images and other crap imported from dozens of other sites. Developers have been driving me nuts with "we can't use HTTPS for our snowflake app - it'll slow the user experience" BS for years.
found that the number of websites listed in Alexa's top one million websites that have adopted HTTPS has more than doubled
Why do people still use Alexa? There can't be more than a tiny handful of people who still use their crappy browser toolbar and that measuring metric has always had significant selection bias. Do they have a newer, better data source, or is there just nothing better so people fall back to a name that's familiar?
It would be nice if the major ISPs would aggregate and share all that data they save for the NSA anyway with some nonprofit org for this kind of thing.
I see it as more of a needle in a haystack...
When only a small amount of traffic is encrypted that traffic screams to be targeted for an attack.
When all traffic is encrypted it's harder to determine what traffic should be targeted for an attack.
So I guess the next thing to do is find a way to make HTTPS practical for a web server on a home LAN, particularly with DNS Service Discovery instead of a purchased domain. A lot of routers, NAS boxes, etc. still use cleartext HTTP because the browser publishers' Baseline Requirements forbid certificate authorities trusted by the web browser from issuing certificates for hostnames in the .local TLD. And with browser publishers threatening to make the Fullscreen API HTTPS-only, this would impair video streaming from a NAS.
Sources for threat to drop Fullscreen API: Secure Contexts: Risks associated with non-secure contexts; Secure Contexts: Restricting Legacy Features; Deprecating Non-Secure HTTP; Deprecating Powerful Features on Insecure Origins
Source for impracticality of HTTPS on home LAN: Question to Let's Encrypt rep in /r/IAmA
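The workaround for a LAN host such as a NAS on a .local name is a private CA: no publicly trusted CA will issue for that name, but a certificate you sign yourself and whose root you import into your own browsers works fine. The script below is an added example (written for this page, not taken from the thread, from Let's Encrypt or from any router vendor) that builds such a CA with openssl, issues a leaf certificate carrying the hostname and LAN address as subjectAltNames, and checks it the way a browser would. The hostname nas.local, the address 192.168.1.10 and the file layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example: private CA plus leaf certificate for a LAN host whose name
# (e.g. nas.local) no public CA may certify. Requires the openssl CLI.
set -eu

# make_lan_ca DIR HOSTNAME [IP]
# Writes DIR/ca.crt, DIR/ca.key, DIR/HOSTNAME.crt and DIR/HOSTNAME.key.
make_lan_ca() {
    dir=$1; host=$2; ip=${3:-192.168.1.10}   # 192.168.1.10 is a made-up LAN address
    mkdir -p "$dir"

    # 1. Self-signed root: CA:TRUE and keyCertSign so clients accept it as an issuer.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home LAN Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Key and CSR for the LAN host. The CN alone is not enough for modern
    #    browsers; the name must appear in subjectAltName (added in step 3).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null

    # 3. Sign the CSR with the private CA, adding SANs for the name and the IP,
    #    serverAuth EKU, and CA:FALSE so the leaf cannot itself issue certs.
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" "$ip" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_lan_cert DIR CERTNAME HOSTNAME
# Chain check against the private root plus hostname match, i.e. what a browser
# that has imported ca.crt will do. Exit 0 on success, non-zero otherwise.
verify_lan_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# verify_without_ca DIR CERTNAME
# Same check against the system trust store only. Expected to fail: this is
# exactly the warning a browser shows until ca.crt is installed on the client.
verify_without_ca() {
    openssl verify "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
make_lan_ca "$demo_dir" nas.local 192.168.1.10
if verify_lan_cert "$demo_dir" nas.local nas.local; then
    echo "nas.local: chain and hostname OK against private CA"
fi
if ! verify_without_ca "$demo_dir" nas.local; then
    echo "nas.local: NOT trusted by the system store (import ca.crt on each client)"
fi
```

Install ca.crt in each client's trust store (browser or OS) and point the NAS or router at nas.local.crt and nas.local.key; keep ca.key off the appliance, since anyone holding it can mint certificates every client on that LAN will accept. The `-verify_hostname` check matters because a certificate that chains correctly but lacks the right SAN is still rejected by browsers.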
If I'm accessing a site that simply serves up information and doesn't ask for any details from me, then there's no need for HTTPS.
Your connection can be man-in-the-middled and malicious content served to you, or the middleman could help himself to your cookies. Maybe you have all cookies and javascript disabled, but most of us don't. I mean, there are other ways to mitigate this kind of attack, but it's easiest just to prefer TLS whenever possible.
The HTTPS negotiation was slower than HTTP, but the actual encryption took valuable server compute resources
True, TLS increases CPU overhead for a site that just serves static documents. But web applications have also become more dynamic since the late 1990s when SSL (now called TLS) was invented. With more server-side processing for each page view, the fraction of server CPU time devoted to actually sending the resource to the PC has diminished. I grant that the cost is greater than zero, but the benefit is also greater than zero.
There are solutions today, but none are free
I thought NGINX as the frontend reverse proxy in front of your application server was free software under the 2-clause BSD license.
Asking a real question- why should we encrypt non-sensitive data?
Because even though the data is non-sensitive, people might still prefer a little privacy. You'll understand when you're behind a proxy that has multiple people constantly tail -F'ing the access log.
Some stuff is totally mundane and I wouldn't want people to know I'm accessing it regardless even though they would not care about it.
Then there's the problem of, say, clicking on a google search result that was obtained via https, when the actual result isn't. Congratulation, your google search just leaked as part of the Referrer.
Then there's the issue of WHAT exactly is going on on a particular site. I'd take a 'CONNECT slashdot.org:443' in the access log over GET and especially POST showing up there, telling the reading vs posting rate. Not that I'd post much on /. at work, but as a matter of principle.
tl;dr: If your site doesn't speak https, I'll probably stay away from it. Yes, you might not care, but you asked for reasons and here are a few.
What sites are still the worst offenders?
I'll start by nominating amazon.com. Sure, they use https for the actual transaction portion, but every product page you look at is unencrypted. I'm sure every ISP out there is tracking their users' Amazon browsing to create advertising profiles. Verizon certainly is. Why should Amazon give them this information for free?
What will it take for Amazon to fix their site? What if an ISP started injecting ads into Amazon? It would be just a small step from the tracking they already do. I would love to see Verizon or Comcast do that. (Mainly because it would push more sites to use encryption.)