The Fight For HTTPS

Since 2009, Christopher Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU) has been trying to make the Internet more secure.

His goal–getting companies to add a layer of encryption to their websites, turning HTTP to HTTPS–might not sound like much. After all, what's one letter on a URL?

But that extra letter, it turns out, is all it takes to make government surveillance, censorship attempts by authoritative regimes, and attacks by ill-intentioned hackers more difficult to pull off.

Soghoian has been wielding both the carrot and the stick on a near daily basis, until recently offering bottles of whiskey to companies that implemented HTTPS, and getting into public Twitter spats with companies such as Symantec, and the Internet company Akamai, which haven't welcomed to his overtures. "I use whatever argument works," Soghoian says. "I will ask. I will beg. I will offer to bribe. And then I will threaten. I will use every technique at my disposal."

And he's not alone. A group of increasingly vocal Internet companies, activists, lawyers, and privacy experts have been working to have all traffic on the Internet encrypted by default. And while the connection between your web browser and (amazing) places like Fast Company's website aren't always encrypted by default, chances are they won't stay that way for long. Because, according to Soghoian, the HTTPS crowd is "slowly winning"–though not without a few snags along the way.

What's the big deal? You're probably familiar with HTTPS as the lock icon in your browser's address bar that appears when you log in to your bank's website, or check your email. Hypertext Transfer Protocol Secure, or HTTPS, is the encrypted version of plaintext HTTP, the protocol over which most Internet traffic has traditionally been sent. It's HTTP traffic with either Transport Layer Security (TLS) or it's predecessor Secure Sockets Layer (SSL) beneath. Though traditionally used, primarily, to protect usernames and passwords and online transactions, the argument goes that we should be using it for everything, the mundane stuff, too.

The reason is that anything sent via regular old HTTP is done in the clear–in other words, in unencrypted plaintext for all to see. The person next to you at a coffee shop or the government that controls your ISP can see what articles you're reading online, or what videos you're watching on YouTube. And, "The articles that you read in a newspaper are very, very sensitive, because they reveal an awful a lot about what you're interested in," Soghoian says. "If you're looking at the website of an abortion clinic, or a suicide hotline or self-help group for alcoholism, I think that's super, super sensitive as well. But very few sites in those areas use encryption."

HTTPS also ensures the integrity of the data you request. Think of it as a fact checker, asking, "Is what the user asked for what they're getting?" Without it, someone on the network could tamper with the data you request before it is sent back to your device, all without you knowing–for example, by modifying a YouTube video, as The Intercept reported earlier this year, to secretly deliver malware. And because there's no server authentication when you request a site via unencrypted HTTP, you also can't know for sure whether the Fast Company you're reading this article on is the real Fast Company (we hope it is!), or just a clever copy designed to compromise your computer or phone.

Yan Zhu, now a security engineer at Yahoo!, and Parker Higgins of the Electronic Frontier Foundation gave a talk in July at the Hackers On Planet Earth Conference (HOPE X) bluntly called "HTTP Must Die." Services such as Facebook, Tumblr, and WordPress have made HTTPS the default over the past year. But in August, Google fired perhaps the biggest salvo thus far. The search giant announced that it had begun considering HTTPS as a ranking signal in its search results–lightly at first, but increasing the importance Google places on sites with HTTPS versus HTTP over time.

In other words, sites with HTTPS would come first.

Yet, beyond some of the Internet's bigger players, there are still a number of factors that have been holding more widespread HTTPS adoption back. Some websites don't realize that the mere act of visiting their website might be sensitive, or that a user's connection can be hijacked along the way, and thus don't see a reason to encrypt. Others aren't savvy enough to implement HTTPS themselves. Ad networks, many of which still serve ads over plaintext HTTP, are often cited by news websites as a reason they've been slow to encrypt. "Aligning many parties with certificates so that errors are not thrown to users isn't trivial," wrote Scott Cunningham, vice president of technology and ad operations at the Interactive Advertising Bureau in an email. "The effort, and cost of that effort, is primarily why it hasn't occurred."

Cost is something that Soghoian says makes it especially difficult for customers of Akamai, the Internet's largest content delivery network (CDNs), to go HTTPS by default. CDN services are used by most websites and services to distribute their content across servers in multiple locations, so that, among other things, pages load quickly no matter where you are in the world. Some of today's largest companies rely on Akamai, including IBM, Yahoo, Verizon, and Fox. But they're also alleged to charge a premium for customers who want encryption by default. For Reddit to encrypt its traffic without paying a lot of money, it actually meant leaving Akamai altogether. "So convincing people to ditch Akamai is basically now part of my job," Soghoian says, "I don't really care who they ditch them for. But as long as Akamai is gouging their customers on SSL, that's going to be part of the pitch."

Akamai, in an emailed statement, said that the company "makes decisions on how to offer services, such as SSL delivery, based on our customers' requirements. We have many customers that have opted for SSL delivery of their sites, while others have not. SSL is included as a built-in option to many of our product offerings. For those that do not include it, it can easily be added as an option." (The company doesn't disclose pricing.)

But Akamai's competitors are changing with the times. A CDN and Internet security company called CloudFlare announced on Monday a feature called Universal SSL, which would enable HTTPS on all of its websites by default, for free–including for the 2 million users who use CloudFlare's basic service at no cost.

"Philosophically we believe that you shouldn't have to pay to be secure online," CloudFlare cofounder and CEO Matthew Prince said. "By making the mundane safe, it actually makes the things that need to be safe a little bit safer."

It may be time to put that whiskey in the mail.