Why going HTTPS isn't just for Google

By Matt,

October 2017

You've probably read that Google is going to start penalising non-HTTPS sites in search results. You might also have seen that they are going to explicitly mark sites not using SSL as being insecure.

Ensuring your site uses HTTPS is now a fairly straightforward, cheap, and pain-free process, thank to services like Lets Encrypt. But there is actually a more important reason for you to go HTTPS: Protecting your users.

First a quick overview of how the internet works. Your user sends a request from their browser to your server over "The Internet". Your server returns some ones and zeros which their browser then turns into websites/apps/videos etc. The data that goes back and forth actually makes a bunch of stops on the way (routing through your router for example). If you are using HTTPS, all of the information is encrypted and can (realistically) only be read by the user's browser and your server.

If your site is not using HTTPS, that information can effectively be read by anyone in-between you and the website. You might think this is only really important if your site is a bank or Facebook, but thats not really true.

Aside from any privacy concerns, any Tom, Dick or Harry being able to intercept the data also makes the web less safe. Not only can people read the data, but they can change it, injecting things like ads or worse. This allows for a number of security vulnerabilities.

Here's a scenario which I'm sure we've all experienced:

You are in a public place getting a coffee. You pull out your phone to check Twitter and you have no bars. You get a dialog thats offers you some Wifi networks to join, and you pick one that is unsecured (i.e. no password required) but sounds trustworthy (Starbucks Free Wifi for example).

It is trivially simple for anyone in a coffee shop to set up a Wifi hotspot from their laptop and name it whatever they want. If the connection is not secure (only uses HTTP), they can see everything you're doing and inject code into the data as it passes through.

You might have experienced this in an annoying, but mostly benign way, when some networks will inject additional ads or branding into your browsing. Best case scenario is that your user finds this (your site) "well annoying" or ugly or catastrophic for their battery life. In the worst case scenario, you could experience "Man in the Middle" attack, where the person in-between them and your site injects some malicious code into the page.

I read an article yesterday on a potential phishing scam that is so simple it is beautiful. If you want someones password, simply ask for it. This example is specifically for iOS apps but I figured we could use the same principle to phish someone on the internet with a man in the middle attack.

I've hacked together a demo of one that might work on iOS devices (you'll need to go there on your phone though as it relies on touch). In real life, this would get injected into the users page while browsing, but I've just put it all on Codepen as a demo. This does the same thing in popping up a dialog but is all built with HTML, CSS and Javascript.

How many times have you absent mindedly just entered your Apple ID password muttering swear words about how it supposed to just work... I've done it. You might be thinking - I wouldn't get fooled by that because the border-radius is not right on the dialog box. Can you say that about all your non-technical friends and family?

Once an attacker has your user's password, they can continue monitoring them round the web, maybe pop-up an email signup form to try and grab their email, maybe try and inject a script to read their cookies. Even if they don't use the same email for their Apple ID, I bet a good number of us have the same password across all our logins. The attacker could probably make a decent stab at finding their Facebook or Twitter username with a little bit of time and digging... Scary stuff—and this is just the most basic stuff someone could do.

If your site uses HTTPS, this attack is much more difficult, and you've made the web a safer place. Encryption is awesome and so are your users. You should look after them.