One Does Not Simply HTTPS into Mordor!


Every time you go to a web site that requires you to log in, you are displaying your username and password for the world to see.

HTTPS was introduced very early on in the development of the internet, but it was initially intended to make financial transactions more secure, such as on your bank’s website. Most of the sites that currently use the HTTPS protocol only use it on the select portions of their site that require extra security, such as shopping carts or account pages.

Last year the Firesheep network sniffing tool made it easy to capture a person’s current session cookie on an insecure network, such as a local public Wi-Fi hotspot at the library or coffee shop. As a result, many sites began to take the threat seriously and began implementing the added security of HTTPS.
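As an added example (not from the original post), here is a small audit that a site operator could run over a login response: it reports when the page itself was served over plain HTTP and when a session-looking cookie is set without the Secure attribute, which is what lets a sniffer on the hotspot read it. The session-name heuristic and the two sample responses are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for session cookies that can leak over plain HTTP."""

# Substrings that suggest a cookie carries a login session (constructed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(scheme, set_cookie_headers):
    """Return findings (strings) describing how a response exposes session state.

    scheme: 'http' or 'https', the scheme the page was served over.
    set_cookie_headers: list of raw Set-Cookie header values from that response.
    """
    findings = []
    if scheme.lower() != "https":
        findings.append("page served over plain HTTP: headers and cookies are readable on the wire")
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # the browser will only send this cookie back over HTTPS
        severity = "HIGH" if looks_like_session(name) else "low"
        findings.append(
            f"{severity}: cookie {name!r} lacks the Secure attribute, so the browser "
            "will also send it on any http:// request to this host"
        )
    return findings


# Constructed sample responses: a sniffable login page and the same site after moving to HTTPS.
INSECURE = ("http", ["sessionid=abc123; Path=/", "lang=en; Path=/"])
HARDENED = ("https", ["sessionid=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"])

if __name__ == "__main__":
    for label, (scheme, headers) in (("before", INSECURE), ("after", HARDENED)):
        print(label, audit_response(scheme, headers) or ["no findings"])
```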

More recently, social sites such as Twitter, which are almost entirely run with public data, have begun to add the extra security to their connections. While the end user may be okay with someone intercepting their messages to Twitter in midstream and reading them, they probably don’t want others gaining access to their username and password for their account.

Google has recently announced it will be adding HTTPS as standard to many of the company’s APIs. Firefox users can use the HTTPS Everywhere add-on to force HTTPS connections to several dozen websites that offer HTTPS but don’t use it by default.

There are some practical reasons why HTTPS has not been widely implemented, besides the high cost of secure certificates. A large problem is that HTTPS does not allow sites to be cached locally, which is an issue when servers and clients are not in the same region (such as in Australia, New Zealand and Mordor).

The initial SSL key exchange adds to the latency. Although servers are faster and implementations of SSL more optimized, it still costs more than plain HTTP. While this is less of a concern for smaller sites with little traffic, the cost can add up if your site suddenly becomes very popular.

Another, bigger problem is that it doesn’t work with virtual hosting. Most ISPs use virtual hosts as a way to serve many (sometimes hundreds of) websites from a single IP address, which does not work with HTTPS. However, virtual hosting and HTTPS can be combined by using the TLS Extensions protocol. Unfortunately, it has only been partially implemented.

For sites that have no reason to encrypt data or to protect a username and password, adopting HTTPS is not practical. However, like all technologies, once the standard is widely implemented by major players like Facebook, Google Apps and Twitter, and the infrastructure is in place, it will become more cost effective to adopt HTTPS en masse.

There are several practical reasons why the HTTPS protocol cannot work everywhere in the current internet environment, but as available broadband speeds increase for the average user, more and more users will begin demanding its implementation. Many sites are now implementing HTTPS, which shows that the desire for extra security is there. Most users are okay with the slight reduction in speed if it gives them peace of mind while online.