If Not HTTPS Then Exit

Hello kids. Yes, if you are writing applications for consumer companies, there’s a good chance I’m talking to you. We need to have a talk, urgently. It’s about a whole new way of doing things, and it’s a new word in your dictionary. The word is “secure” (linked to Webster’s for your convenience).

Security is a funny thing. Everybody thinks it’s very important, some people think it’s a synonym for “complex” and some people avoid it because it’s “too much hassle”. Most worrying are the people who run online shops and think they can do without, particularly if they think it’s “expensive”.

Online shops which started out as simple “sell stuff from the attic” stores seldom have good data protection in place. The “my expensive server does not need a backup” problem aside, most of the time there’s nothing in place preventing hackers from stealing data. If that’s the shopkeeper’s own data, that’s not a big problem. The problem gets bigger if the shopkeeper stores customer data in his system.

Most larger shops are developed by students or hobbyists, who can hack some HTML, or maybe even PHP and MySQL. In a short time, a shop is up and running, the student is paid a small amount and the shopkeeper is happy. The forms in the shop require customers to register and log in before buying, because some twisted minds out there think that having a password is absolutely essential to communicate with customers (I had 82 passwords last time I checked). Those same twisted minds also have the guts to ask you everything from your shoe size to your dog’s name, and make those fields *required* in the registration process.

Now suppose that shop sells Unobtanium, and you really need that for your project. You see that it’s in stock, so you enter the registration process to be able to fill your shopping cart. You fill in your dog’s name, press “register” and your data is sent to the server… unencrypted! The hacker monitoring the site’s traffic sees your personal information and uses it to steal your dog, selling it online through eBay the next day with relative ease.

I typed and removed a whole rant about shops asking you way too much information because sick marketing minds think they are god and can ask for and use your information as they please. But some shops do need information to ship the products to you. Aside from offering you Unobtanium for a very attractive price, they also need to earn your trust before you enter your personal data. The funny thing is that nobody seems to care if that site is passing that information around over plain http.

I have had email discussions with 3 companies so far who asked me to register online over http connections. When a company sends my personal, private information or password over http, I send them a mail saying I cannot comply, for the simple fact that a password sent in plain text over the network is rendered useless. Most companies don’t see the problem and think they are doing everything perfectly safely (those are the scariest). Then there are the companies who know it is in fact not safe, but simply state that they don’t care, or don’t want to pay for an “expensive” secure solution.

I think in most cases, these buttugly shops (of which the last can’t even display its own Russian character set) are developed by you, my dear World-of-Warcraft playing, family kid-genius friend. The world is in the hands of zitfaced 13 year old “noobs” to life who think downloading software without paying for it is cool, and have the nerve to tell shopkeepers that their PHP-MySQL-Tomcat solution on an old 386 machine running the obscurest version of default-installed Linux without firewalls over http is perfectly safe to store customer data and VISA card numbers. These kids are probably the very same kids who think that “under construction” is a very normal term to use on your site because they are, in fact, developing software on the live production server and their tiny mind can’t think of any other way to hide those parts from the customer.

Okay, I lost myself there, but you get the point.

What I really don’t get is that, with the computing power available nowadays, protocols like http still even exist. Why isn’t each and every server doing https by default? Even my 3-year-old mobile phone can do https, so let’s phase out http altogether.

If the site administrator is anything like the one at my office, chances are that a lot of sites will have random or self-signed certificates which expire 2 days after they’re made, never to be replaced with new ones. To get around this, we should have a public certificate server, like a PGP key server. When I access a site with a certificate unknown to me, I can check that certificate at some centralized server, where I can find out if this certificate really belongs to that site (yeah yeah, I know about certificate chains, but admins don’t). Besides that, the server could also list whether the shop is handling its data carefully, and whether your email address is sold or used to spam you. This data can be statistical, and/or based on customer reviews.

The next step is that, instead of your browser showing you a tiny lock icon at the bottom of your screen indicating this is “safe” https, the browser should display a big fat red cross across the whole site indicating that it’s not https.

The trouble with this is that site admins will still not protect their data, but hey, I guess there’s only so much you can do. Maybe we need a global police department running site scans to detect unsafe sites, and listing them on the public certificate server we discussed, for everybody to see.

The next step would be to make it illegal to store data that’s not yours in an unsafe manner. Yes, the internet is “free” and I think we should try to keep it that way in the original sense of the word from the early internet years. Right now, the word “free” on the internet is used to defend the rights of (internet) criminals. But that’s a different story…

For now, make sure your data, any data about you, is transported over https. Spam the companies who are still using http or otherwise unsafe methods to transport your data.
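The registration scenario above (your dog’s name and password sent to the server unencrypted) and the “big fat red cross” idea both come down to one question: does the form on the page submit its fields over https or not? The script below is an added example, not code from the original post, that answers that question for a page’s HTML the way a browser would resolve it. The page URL, the host name shop.example and the HTML are constructed for the demo; the function flags every form that carries a password or e-mail field but whose submit target is not https://, including the downgrade case where an https page posts to an absolute http:// URL.

```python
# Added example, not code from the original post: scan a page's HTML for
# forms that would submit a password or e-mail address over plain HTTP.
# The page URL, host names and HTML below are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types whose values we never want to see on the wire in cleartext.
SENSITIVE_INPUT_TYPES = {"password", "email"}


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = attrs.get("name") or ""
            input_type = (attrs.get("type") or "text").lower()
            self._current["fields"].append((name, input_type))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_forms(page_url, html):
    """Return the forms that carry sensitive fields but whose submit target is not https://.

    The action is resolved against the page URL exactly as a browser would,
    so a relative action on an http:// page and an absolute http:// action on
    an https:// page (a downgrade) are both caught.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # empty action => the page itself
        sensitive = [name for name, kind in form["fields"] if kind in SENSITIVE_INPUT_TYPES]
        if sensitive and urlsplit(target).scheme.lower() != "https":
            findings.append({"target": target, "fields": sensitive})
    return findings


# Constructed registration page: one form is fine on an https page, one is
# harmless, and one posts the password to an absolute http:// URL regardless
# of how the page itself was served.
SAMPLE_HTML = """
<html><body>
<form id="login" action="/account/login" method="post">
  <input type="email" name="email"><input type="password" name="pw">
</form>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
</form>
<form id="legacy" action="http://shop.example/register" method="post">
  <input type="text" name="dog_name"><input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for served_at in ("https://shop.example/register", "http://shop.example/register"):
        print("page served at", served_at)
        for finding in find_cleartext_forms(served_at, SAMPLE_HTML):
            print("  cleartext submit to", finding["target"], "fields:", finding["fields"])
```

Run against the https version of the page it reports only the legacy form; run against the http version it also reports the login form, because a relative action inherits the page’s scheme. That is exactly the check a “red cross” in the browser would have to make, and it is cheap enough to run as part of a site scan.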

WordPress.com is a good example…


4 Responses to If Not HTTPS Then Exit

  1. rolfje says:

    To place things in perspective, even people at companies like http://www.wegnahetwerk.nl/ think it is perfectly safe to welcome 100 people to their site, and send each and every user the VERY SAME (and very simple) password over mail. Sjeez.

    Oh and yes, this company also transports your sensitive data over plain http.

  2. rolfje says:

    Just got a reply in from Mark from WordPress, stating that the problem is “speed”, but I think he’s meaning “load”. Lots of people using wordpress, underpowered machines, add https decryption/encryption and things might go slow.

    https does work if you consistently place it in front of all your links but that means you can’t click links, but copy/paste them in the address bar and replace https with http. It’s a matter of time now…

    Mark’s reply, mind the word “yet”:

    We are looking into this but for reasons of speed we cannot yet introduce it, sorry.
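The comment above makes the practical point: putting https in front of every link is not enough, because anyone can retype the address with http and the server will happily answer. What closes that hole is the server refusing to serve anything over plain http. The code below is an added example, not code from the post, from WordPress or from rolfje: a small WSGI middleware that answers every plain-HTTP request with a redirect to the same URL over https and adds a Strict-Transport-Security header to https responses, so the browser stops trying http for that site at all. The host name shop.example and the demo app are constructed for the example.

```python
# Added example, not code from the original post or from WordPress: a WSGI
# middleware that makes https the only way in. Plain-HTTP requests get a
# redirect to the same URL over https, and every https response carries a
# Strict-Transport-Security header so the browser stops trying http at all.
# Host names and the demo app are constructed for this example.
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, a common HSTS lifetime


def https_location(environ):
    """Build the https:// URL that corresponds to this plain-HTTP request."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    if host.endswith(":80"):          # the default http port makes no sense after the switch
        host = host[:-3]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


def enforce_https(app):
    """Wrap a WSGI app so that it is only reachable over https."""
    def middleware(environ, start_response):
        # wsgi.url_scheme is set by the server. Behind a reverse proxy you would
        # read the proxy's forwarded-proto header instead, but only from a proxy you trust.
        if environ.get("wsgi.url_scheme", "http").lower() != "https":
            headers = [("Location", https_location(environ)), ("Content-Type", "text/plain")]
            start_response("301 Moved Permanently", headers)
            return [b"This site is only available over https.\n"]

        def start_response_with_hsts(status, headers, exc_info=None):
            hsts = ("Strict-Transport-Security", HSTS_VALUE)
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, start_response_with_hsts)
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the shop: the registration form would be served here."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"registration form would go here\n"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


secure_app = enforce_https(demo_app)

if __name__ == "__main__":
    print(call(secure_app, {"wsgi.url_scheme": "http", "HTTP_HOST": "shop.example",
                            "PATH_INFO": "/register", "QUERY_STRING": "ref=mail"}))
    print(call(secure_app, {"wsgi.url_scheme": "https", "HTTP_HOST": "shop.example",
                            "PATH_INFO": "/register"}))
```

One caveat the redirect cannot fix: if a user already typed a password into a form that posted over http, that POST went over the wire in cleartext before the server could redirect anything. The Strict-Transport-Security header is what prevents the next attempt, because a browser that has seen it rewrites http:// to https:// for that host itself, before any request leaves the machine.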


  3. rolfje says:

    At least Google has read this post (I think… 😉 )

    I hope their example is followed by the rest of world soon.

  4. Rolf says:

    This recently became a hot topic again by the creation of Firesheep.
