SSL / TLS and HTTPS

The confusion between HTTPS and TLS, and the various versions and variants, used to be something that only the security geeks worried about. Now that Google has taken the lead on the SHA-1 certificate signature issue, flagging some high-profile websites as insecure, the issue has become mainstream.

I’ve written about the subject of SSL and Chrome before, and I think many website owners have got the message and updated their existing certificates and certificate chains. However, there are still many websites that don’t use HTTPS at all. Their claim is: “I’m not a bank, why do I need certificates and encryption?”
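
To make the SHA-1 signature issue concrete, here is an added example (my own code, not from the original post or any project it mentions) that parses the signatureAlgorithm field of a DER-encoded X.509 certificate and flags SHA-1. The certificates it checks are constructed toy DER structures, and it only reads the algorithm identifier; it does not verify the signature.

```python
# Added example, not from the original post: read the signatureAlgorithm of a
# DER-encoded X.509 certificate and flag SHA-1 (the signatures Chrome marks insecure).
SIGNATURE_OIDS = {  # signatureAlgorithm OID -> (name, uses SHA-1)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID contents into dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return (oid, name, is_sha1) for the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)         # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)       # signatureAlgorithm AlgorithmIdentifier
    _, oid_bytes, _ = read_tlv(alg_id, 0)    # algorithm OBJECT IDENTIFIER
    oid = decode_oid(oid_bytes)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", False))

def build_sample(oid_der):
    """Constructed toy certificate: empty tbs placeholder, AlgorithmIdentifier, 1-byte signature."""
    alg_id = b"\x06" + bytes([len(oid_der)]) + oid_der + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg_id)]) + alg_id + b"\x03\x02\x00\xab"
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11

if __name__ == "__main__":  # for a real file: signature_algorithm(open("cert.der", "rb").read())
    for sample in (build_sample(SHA1_RSA), build_sample(SHA256_RSA)):
        oid, name, is_sha1 = signature_algorithm(sample)
        print(f"{name} ({oid}): {'FLAGGED, SHA-1 signature' if is_sha1 else 'ok'}")
```

Check every certificate in the chain, not only the server's own, since the intermediates carry signatures too.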

Well, the answer to this question is simple: any data transferred over a non-encrypted link, i.e. plain HTTP, is insecure, because it can be trivially intercepted, and it therefore cannot be trusted. You may be running a blog that encourages comments and interaction with your users; if that data can be intercepted and possibly modified, you are exposing your users and yourself to unnecessary risk and putting their privacy and yours in jeopardy. Google may also penalise your page rank.

What does TLS / HTTPS do?

Using TLS / HTTPS authenticates the server's identity to the client (via its certificate), protects the integrity of the data in transit between the client workstation and the server, and encrypts that data, thereby establishing confidentiality and trust.

What does TLS / HTTPS NOT do?

Using TLS / HTTPS does not protect against other client- or server-side vulnerabilities. If you have malware on your PC, your internet traffic can be intercepted or controlled regardless of how secure the connection to the server is. An HTTPS connection will not protect your website from code-based vulnerabilities such as SQL injection, nor will it prevent your PC being infected by a rogue or malicious server that tries to install malware on it.

Certificates

But HTTPS requires me to use a certificate, and they’re expensive and complicated! Actually, this is no longer true. Equally, using HTTPS and certificates used to be very detrimental to performance, but that is no longer the case either. There is now a plethora of certificate authorities and certificate types that can be used easily and affordably by everyone.

One particularly interesting newcomer, Let’s Encrypt, a free and open certificate authority, is due to make its appearance in the market very soon. Let’s Encrypt is an initiative run by the Internet Security Research Group (ISRG) and sponsored by Mozilla, Cisco, Akamai and Automattic (the company behind WordPress), amongst many others (and you too can donate).

Links

The Chromium Project – TLS / SSL

Let’s Encrypt Free Open Automated CA