Every time you PayPal someone, or send a Gmail, or log into Facebook, a layer of encryption protects the information that zips across the Internet. These sites all use HTTPS, an added layer of security to the standard HTTP protocol that facilitates web communication. But as a new Google report shows, an alarmingly small number of the web’s most-trafficked sites use this vital security protocol.
The Google audit shows that 79 of the web’s top 100 non-Google sites don’t deploy HTTPS by default, while 67 of those use either outdated encryption technology or offer none at all. The worst offenders include big names, like the New York Times and IMDB. (For what it’s worth, WIRED doesn’t currently offer HTTPS either. But we’re working on it.) That’s a big number, especially considering that these 100 sites combined comprise about 25 percent of all website traffic worldwide. It turns out that we’ve got a very vulnerable web.
“If you’re on HTTP, the entire URL and page content is visible to anyone on the network between you and that site. Every page you went to on that site. Any search terms. What articles you’re reading,” says Tim Willis, HTTPS Evangelist at Google. “If you’re on HTTPS, only the domain of the website is visible and not the page you’re looking at. Anyone on the network can still tell what website you went to, but it’s very difficult to determine what you did on that site.”
“HTTPS is the cornerstone of our online security and privacy, whether we are doing banking or sending family photos,” says Jérôme Segura, a security researcher at Malwarebytes. “Without encryption, our private information can be intercepted, manipulated, and stolen by attackers sitting on the same network.”
Anyone who uses the web on a regular basis—which is to say, nearly everyone—should find the lack of HTTPS frustrating, and perhaps even surprising. It’s not, after all, the most complicated of security measures. It’s simply establishing a way for a client (your browser) and a server to know that each party is who it says it is. They establish this trust using an SSL (or, more recently, TLS) protocol, a cryptographic key that enables a digital “handshake” between them. The server coughs up a certificate that confirms its identity, and the encrypted data exchange can begin.
That might sound complicated, but it’s not nearly as tricky as it once was. “Several years ago there was a certain cost and effort to go through in order to get a site set up for HTTPS,” says Jérôme Segura, a security researcher at Malwarebytes. “These days the process is really simplified, and in fact many companies are providing free SSL certificates.”
Those companies range from CloudFlare, a global CDN which offers “one-click SSL,” and Let’s Encrypt, a project led by the Internet Security Research Group that offers SSL certificates to anyone who owns a domain. It’s also worth noting that, despite the examples above, full HTTPS protection is not limited to prestige or blue chip sites. Among those receiving full marks from Google are two porn purveyors: Bongacams and Chaturbate.
For smaller sites, HTTPS can be a relatively simple thing to embrace; if they don't implement it, it's largely because they simply don't care to. The more moving parts a site has, though, the trickier it gets.
"For large sites, it usually involves a non-trivial amount of engineering work, figuring out what changes you need to make and working with others," says Willis. "For example, do your ad networks support HTTPS? Does your content delivery network charge more for HTTPS? Is third-party content on your site offered over HTTPS? Answering these questions takes time and involves multiple rounds of 'test-break-fix' to get it right."
A convenient example is the media industry, a few big names of which populate Google's naughty list. These are sites that work with a wide variety of ad networks, often embedding content from a variety of sources. In order for HTTPS to work across the entirety of the New York Times, or CNN, or WIRED, all of those elements---many of them outside of a publisher's control---must also work with HTTPS. Meanwhile, the tech resources that news sites have aren't limitless, and many prioritize keeping up with the latest industry trends, like Facebook Instant Articles or Apple News, over something as relatively bland as security protocols.
Other types of sites face more specific challenges. You’ll notice that several of the 100 sites Google calls out, for instance, are based in China, a country that is known to actively work against encryption efforts.
Segura points out that HTTPS alone isn’t enough to guarantee security. Several sites may implement it on their homepage, he says, while failing to roll it out across all pages and services. You’re often only a few clicks away from being exposed. He also notes that HTTPS isn’t ironclad. It, too, can be exploited. Hackers have for years attempted to steal certificates that would allow them to impersonate trusted sites. Just last week, the first-ever OS X ransomware hitched a ride on an app that was signed with a valid developer certificate.
Then there are the pages that are compatible with HTTPS, but don’t have it turned on as default, which Willis considers nearly as ineffective as not having any HTTPS at all. “The difference is significant,” he says. “The only way for a user to get to the HTTPS version is for a user to go up into the address bar, see that the page is over HTTP, add the ‘s’ for HTTPS and reload the page. Unless that user is familiar with the risks of HTTP, that’s pretty unlikely to happen.”
The fact that HTTPS isn’t perfect, though, best serves as a reminder of just how dangerous the web is without it. It’s the difference between risking a crack in one’s armor and jousting nude.
For Google’s part, it’s not just going to provide regular updates on what parts of the web have HTTPS and which are wild lands. It’s also leading by example, having implemented HTTPS-only for Gmail years ago, and by achieving 75 percent HTTPS across all of its services. It’s also expressed a commitment to reaching 100 percent, though services like Blogger (where people can use a non-Google domain) pose unique challenges. In fact, Google faces some of the same challenges as media outlets.
“Today, online advertising involves multiple calls to various tech providers. Some of these providers have embraced HTTPS and others are still on legacy HTTP connections,” says Willis. “If we are a participant in other platforms’ ad auctions (i.e. Google is bidding in the ad auction, not running it), and they request info over HTTP, we have to respond over HTTP. We can only change this if the industry moves with us.”
Hopefully Google’s effort to raise awareness will prompt some of that movement, especially among the laggards with limited excuses to hurry up and HTTPS. They’re overdue.
"It’s easy for sites to convince themselves that HTTPS is not worth the hassle," says Willis. "But if you stick with HTTP, you may find that the set of features available to your website will decline over time." As just one example, Willis notes that the next version of Chrome will only allow its geolocation API to be used over HTTPS. Sites that haven't updated are out of luck, and their user experience will suffer.
Mostly, though, Willis and Segura agree, the security benefits alone should be motivation enough.
“The Internet we use today is not the same as it was 20 years ago,” says Segura. “There is an expectation and need for people to be able to securely go on about their daily lives without having to worry if the ever increasing amount of information they are sharing is going to fall in the wrong hands.”
