
One could ask: why does someone who claims to be able to give advice on cyber security have a web site that doesn't use https? Do we have an impostor here?

The reason is simple: my hosting company (strato.de) doesn't accept certificates other than those it sells itself, at such a price that if I were to buy one, it would triple my hosting costs.  Free certificates do exist, but my hosting company doesn't accept them.  I understand that it is a commercial issue.

So, am I a reckless or negligent person for offering a web site over http in the clear, while the current security fashion is to use https everywhere?  The answer is no, and it is a useful exercise to see why.

First of all, what is the difference between http and https?  http is the protocol that allows your web browser (the "client": Edge, Firefox, Safari...) to:

  1. receive information from a web server, and display that information graphically on the screen
  2. possibly, send information provided by you, the user, to the web server

The client and the web server do so by exchanging packets of information over an internet connection (a TCP/IP connection).  Using HTTP, these packets are in the clear: every device that links the computer running the client (your computer) to the computer running the server, and also most devices connected to the same networks as those linking devices, can read the contents of these packets.  Some of the devices along the way can even modify the contents and/or change the route of these packets and send them elsewhere.

With https, the same kind of content goes into the packets, and the same kind of links are used, except that the content of the packets is now encrypted and signed.  The same devices as before can still read the packets, but this time they cannot understand their contents (they are encrypted).  Some devices might still send those packets somewhere else, but this time client and server will soon notice, because the signatures will not be right.

Of course, this protection is very useful... if the information sent is confidential.  The server might want to send you confidential information (for instance, the results of medical tests), or it could be personal information you want to send to the server.  For publicly available information, on the other hand, it serves no purpose.  My web site is not interactive and it is public, apart from one point: the contact form.  My pages are public: what reason would there be to encrypt them, when they are at the same time available where everybody can see them?

Of course, for the contact form, the question can be asked.  However, my site sends you a page that encrypts the information you provide (your name, e-mail address and the message itself) locally in JavaScript, before sending it to the server, which can decrypt it.  As such my site does implement something like an https connection "under the hood", without having to buy a certificate from my hosting company.  You can see this when you use the form: the word "encrypted" appears in every field.  The link is hence encrypted, even though your web browser doesn't know it (it doesn't realize that the JavaScript code it executes is an encryption algorithm).  Your web browser will therefore tell you that the link isn't secure, because I don't use its built-in standard encryption system, which is https, but encryption code in JavaScript on the page.

That said, this technique does have one vulnerability: it could be that you are not on the right web site but on a site run by an impostor, via fraudulent routing of the link between your web browser and the supposed server.  If you think that risk is real (I don't think it is), you had better use PGP-encrypted e-mail instead of the form on the site.  Get my public PGP key and send me some e-mail.  The protection this site offers you, in the case you use the contact form (and if you don't, there's nothing to protect), is against spying on the network, which is by far the most important threat.  This site doesn't protect you against a "conspiracy" of certain web hosting and/or internet service providers on the network... but a certificate issued by those same entities doesn't protect you either!  This is a fundamental flaw in TLS, the security protocol on which HTTPS is built: if the trust in one of the commercial certificate authorities is undue, and that authority is still trusted by the web browsers, then the security is also broken.  A fraudulent certificate for a fake "entrop-x.com", issued by the least trustworthy certificate authority that the web browsers trust, will also make you believe that you are on the right site while you are on the fraudulent one.

A variation on this flaw ("being redirected to a fake site"), which requires fraudulent behaviour or a failure on the side of your internet service provider or its partners, is the injection of advertisements into the web pages you visit.  This has been seen happening.  If you see advertisements on my site, that's not me (there aren't any); it is your internet service provider doing it.  Change your internet service provider.  One could say that your ISP has created a fake entrop-x.com site, inspired by mine but with advertisements added, and has redirected your traffic to that fake site.  This is made much harder by https, because in order to do it with https, your ISP would need a cooperating certificate authority.  The real problem in that case is not my site, but your fraudulent internet service provider.

As such, for this site, buying an expensive certificate wouldn't improve your security much.  The day I can use a free certificate, I will switch to https.