Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …

  1. Little Mouse

    I only just noticed...

    El-Reg uses https:!

    Holy crap - when did that happen?

    1. John Lilburne

      Re: I only just noticed...

      "Holy crap - when did that happen?"

      Pretty recent, I think, within the last year. Someone in accounts got suckered by Google FUD.

      1. Anonymous Coward

        Re: I only just noticed...

        How else would you know you are reading real Anonymous Cowards and not some Russian hackers?

        1. Anonymous Coward

          Re: I only just noticed...

          "How else would you know you are reading real Anonymous Cowards and not some Russian hackers?"

          Russian hackers haven't learnt to:

          a) babble incoherently like the majority of us commentards

          b) they can't avoid the pull of defending Mother Russia in the time sink that is TheReg forums

    2. Cuddles

      Re: I only just noticed...

      "El-Reg uses https:!"

      Sometimes. I'm sure it was all https for a bit, but today it's back to regular http on the main site and only https on forums.reg. Maybe they're making sure to stay at 38.4% secure?

      1. rh587

        Re: I only just noticed...

        Sometimes. I'm sure it was all https for a bit, but today it's back to regular http on the main site and only https on forums.reg. Maybe they're making sure to stay at 38.4% secure?

        For the <www.thereg> subdomain they're not doing redirects to the HTTPS version, so you can browse to http or https and both work.

        <forums.theregister.co.uk> do have redirects enabled, so if you try and hit the http, it will bounce you to https.

        I assume the absence of redirects on the www. is down to having some legacy or mixed content that could break browsers, whereas the forums are entirely https safe.

        Neither part has HSTS enabled however because they're using Cloudflare which IIRC is a bit all-or-nothing as far as HSTS is concerned.

        1. Cuddles

          Re: I only just noticed...

          "For the <www.thereg> subdomain they're not doing redirects to the HTTPS version, so you can browse to http or https and both work.

          <forums.theregister.co.uk> do have redirects enabled, so if you try and hit the http, it will bounce you to https."

          Ah, makes sense. I wondered why the main site suddenly started using https right after I posted that comment. I guess I have an out of date bookmark that gets me to the http site, but visiting the forum and then hitting the top banner to get back to the main site hooks me into the https version.

    3. bombastic bob Silver badge

      Re: I only just noticed...

      I'd like https a lot more if there weren't a potential "tollbooth" designed into the protocol (i.e. having to periodically pay a 3rd party for a cert).

      Also, I wouldn't expect a public key method to protect you from a man-in-the-middle attack. Self-cert https sites don't either, in theory, though I suppose you could verify the DNS request by contacting multiple DNS servers directly. An MITM that could be so clever as to mask itself as a particular name server, including the root name servers, would be pretty amazing.

      Just to re-iterate: the absolute LAST thing we want on the intarwebs is a TOLLBOOTH that prevents independent small-time web server operators from publishing content WITHOUT a google, github, amazon, faecebook, linkedin, or ANY other 'web site or cloud service provider' being involved.

      1. Tom Chiverton 1

        Re: I only just noticed...

        "I'd like https a lot more if there weren't a potential "tollbooth" designed into the protocol (i.e. having to periodically pay a 3rd party for a cert)."

        LetsEncrypt is free.

      2. JohnFen

        Re: I only just noticed...

        "self-cert https sites don't either"

        If a site acts as its own CA, and signs certs that it generates (so the certs the site uses aren't self-signed), then that's actually more secure than those signed by a commercial CA, because the chain of trust is actually trustworthy.

        The catch is how to get the root cert into users' browsers. This is the problem that commercial CAs more-or-less "solve". However, if you're running a site that is intended for a small audience that you personally know and can get the root cert to, that's a far superior solution.

        And, it's free.

      3. Orv Silver badge

        Re: I only just noticed...

        I've had https up and running for a few years now on my personal server, and didn't pay anyone a thing. I used StartSSL at first, then switched to Let's Encrypt. Google, GitHub, Amazon, et al have nothing to do with it.

      4. Drew 11

        Re: I only just noticed...

        One word - DANE.

        Oh, wait, Google and Mozilla refuse to bake the standard into their browsers. Their old excuse was "pinning is the way to go".

        What's their new excuse? Could make for a good REG article.

    4. david 12 Silver badge

      Re: I only just noticed...

      --- but the https is still a 256-bit key, or something like that. So it's still visible in my old browser.

      As it happens, I do most of my browsing in http, only doing more complex stuff (like posting) when I'm on a computer that supports modern browsers. This means that increasing chunks of the web are becoming invisible to me.

      At the moment, forums.theregister.co.uk is still visible to me, as short-key https. When that goes, I'll be reading less of it.

    5. Agamemnon

      Re: I only just noticed...

      Right? Noticed a bit back and had the same reaction.

      Their problem had been, as I understand, getting their Advertisers on board so it all worked.

  2. mark l 2 Silver badge

    Some of eBay is still on insecure HTTP rather than HTTPS; it takes me to http://bulksell.ebay.co.uk when I choose to do an advanced listing rather than a basic listing.

  3. vtcodger Silver badge

    Serious question. Is there any real point in sites like The Reg, Slashdot, Stack Overflow, etc requiring https? I'm here to read stuff and maybe post a comment or two. That's not a secure (or AFAICS a securable) process. I ask because on any given day, it seems like maybe 15-20% of the sites I try to access have certificate or similar problems. What's the value to anyone in that?

    I'm not against encrypting personal financial/medical data and such. Seems like a good idea in fact. But is this "Let's run everything through https" anything other than security theater analogous to the ineffective and annoying security show at US airports?

    1. Anonymous Coward

      Yes, but only thanks to the likes of Google. They have already announced that they will soon drop you off the top of the search list if you don't use https.

      1. DagD

        wow, this place is starting to fill up with haters.

        3 thumbs down on a simple statement that is factual.

        OK, let me give you something to hate. Everything is going HTTPS - I mean everything... To include all the packages the bad guys are pushing. From a network security perspective, that means unless you fork out big cash on expensive systems that can't offer true on-the-fly decryption/re-encryption, or use a proxy that can perform this (and still expensive), you are not going to be able to perform packet inspections on anything. Cisco is about there, last I heard; others are selling products that don't even come close to this but are only using tricks such as IP reputation. Why does a blog need to be decrypted, and why does an organization's system have to be upgraded to decrypt and inspect everything?

        This is a double-edged sword.

        1. Charles 9

          Re: wow, this place is starting to fill up with haters.

          OK, riddle me this, Batman.

          Do you send EVERYTHING on postcards? Because that's what unencrypted HTTP is, essentially. With an envelope of encryption, the contents of your postcard cannot be sure to be the same as that which you originally sent. Things can be inserted, removed, or altered, and there is no way you can stop it because it all happens in transit.

    2. Anonymous Coward

      Watch https://www.pluralsight.com/courses/https-every-developer-must-know and make up your own mind. If you haven't got a Pluralsight subscription, the TL;DR is "yes, there's every point in pretty much everything going HTTPS".

    3. JohnFen

      "But is this "Let's run everything through https" anything other than security theater analogous to the ineffective and annoying security show at US airports?"

      It is more than that. The security at US airports doesn't actually provide an increase in security, but using HTTPS really does.

      As to your main question -- is HTTPS actually required everywhere -- the answer is technically no, not every website needs to be secure in that way. However, there are two strong arguments for why all websites should, even if they don't collect or disseminate sensitive information. First, every data stream on the internet being encrypted is a good and worthy ideal, because then attackers can no longer identify high-value targets based on the fact that they use encryption. Second, websites and users are often pretty terrible at determining if the information they're dealing with is sensitive or not, so encrypting everything removes that possibility of error.

      1. Anonymous Bullard

        HTTPS isn't just about encryption.

        It's also about ensuring the site you're looking at really is that site, and what you're receiving hasn't been modified (eg, injecting advertising or malware).

        1. John Lilburne

          "It's also about ensuring ..."

          And for most websites it doesn't matter one bit. No one is going to put up a spoof website of say diptera.info, britishbugs.org.uk, or tolweb.org. There are millions of websites like those, none of which need SSL certs.

          1. Charles 9

            "And for most websites it doesn't matter one bit. No one is going to put up a spoof website of say diptera.info, britishbugs.org.uk, or tolweb.org. There are millions of websites like those, none of which need SSL certs."

            They don't have to spoof you. They don't even have to pwn you. ANY unencrypted HTML, regardless of its source, can be altered and hijacked...IN TRANSIT. Think Verizon's supercookie or the Chinese Cannon: both concrete examples of this.

      2. John Lilburne

        Because then attackers

        "because then attackers can no longer identify high-value targets based on the fact that they use encryption."

        Why should the rest of us effectively pay, either for SSL certs or in the time spent installing and keeping it up to date, just to help the banks, amazon, google et al? Let them secure their own stuff. Too often we end up subsidizing large corps. Fuck em one and all.

    4. olemd

      Privacy in general is a good thing. It's rather scary what a bit of meta-data can reveal. But besides that, it also keeps your sleazy ISP or whatever from injecting unwanted bits of tracking, ads or censorship stuff.

      More encryption also avoids the problem of "Oh, this is encrypted! We should investigate this."

    5. onefang

      "Serious question. Is there any real point in sites like The Reg, Slashdot, Stack Overflow, etc requiring https?"

      Dunno about the rest of you, but I don't want my grubbermint knowing I said some of the bad things I say about them on El Reg. So I tunnel https via ssh to my foreign located server. I'm thinking of adding OpenVPN and Tor into the mix.

      Mine's the one with large rolls of tin foil in the pockets.

    6. Adam 1

      A MitM* can easily modify the El Reg homepage to add a coinhive JavaScript or any other tracking token they want. They can manipulate the stories you see, include content not in the original or censor content they don't want you to know. If there is a link to the forums login screen, they can point that to a phishing site.

      *And let's be clear here, a WiFi pineapple can be had for a few hundred local currency and about 15 minutes of YouTube instructions will have your MitM up and running. This isn't a TLA level hack.

    7. rh587

      Serious question. Is there any real point in sites like The Reg, Slashdot, Stack Overflow, etc requiring https? I'm here to read stuff and maybe post a comment or two.

      It's authentication as much as privacy.

      1. Your ISP cannot insert advertising into your HTTPS stream. ISPs can and do have a history of inserting ads into HTTP pages, and have then been hoisted by their own petard when they accidentally served malicious ads to their customers.

      2. Related, things like setting security headers to prohibit x-site scripting don't work terribly well if an intermediary can strip those headers out! You need the HTTPS to protect those headers.

      3. People are idiots. They reuse passwords. I would hope that no one on El Reg is reusing their forum password anywhere else (or if they are, that it's a specific password "for forums I don't care about"), but in many cases your users cannot be trusted. You are protecting them from themselves by hashing their passwords and not passing them in plain HTTP, even if the perceived value of the service is relatively low.
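The points raised in this thread about redirects, HSTS and the deprecated HPKP header (rh587's post on www versus forums above, and the three-point list just above) can be turned into a small transport-security check. The code below is an added example written for this page, not code from The Register, Scott Helme or any commenter. It parses raw HTTP responses and reports whether plain HTTP redirects to HTTPS, whether the HTTPS response carries a Strict-Transport-Security header with a sensible max-age, and whether a Public-Key-Pins header is still being sent. The sample responses and the `example.test` hostname are constructed; the one-year HSTS threshold is an assumption chosen for the example.

```python
"""Assess a site's HTTP/HTTPS responses for the transport-security
properties discussed in the thread. All sample responses below are
constructed for this example; they were not captured from any real site."""

# Assumed threshold for this example: one year, the value the HSTS
# preload list asks for. Shorter policies expire and leave old bookmarks
# on plain http again.
HSTS_MIN_MAX_AGE = 31536000


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive; the body
    is discarded because only the headers matter here."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS value.

    max_age is None when the directive is missing, which browsers treat
    as an invalid header."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d.lower() == "includesubdomains":
            include_sub = True
        elif d.lower() == "preload":
            preload = True
    return max_age, include_sub, preload


def assess(http_raw, https_raw):
    """Return a list of (level, message) findings for one host.

    http_raw is the response to a plain http:// request, https_raw the
    response to the same path over https://. HSTS is only honoured by
    browsers when received over TLS, so it is read from https_raw only."""
    findings = []

    status, hdrs = parse_response(http_raw)
    location = hdrs.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        findings.append(("ok", "plain http redirects to https"))
    else:
        findings.append(("warn", "plain http served without redirect; "
                                 "an intermediary can alter the page or strip headers"))

    status, hdrs = parse_response(https_raw)
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append(("warn", "no HSTS header; stale http bookmarks keep landing on plain http"))
    else:
        max_age, include_sub, _preload = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(("warn", "HSTS max-age %s is missing or below %d seconds"
                             % (max_age, HSTS_MIN_MAX_AGE)))
        else:
            findings.append(("ok", "HSTS max-age=%d includeSubDomains=%s" % (max_age, include_sub)))

    if "public-key-pins" in hdrs or "public-key-pins-report-only" in hdrs:
        findings.append(("warn", "HPKP header present; the mechanism is deprecated and a "
                                 "bad pin set locks users out until max-age expires"))
    return findings


# Constructed sample: serves both schemes with no redirect, no HSTS,
# and still pins keys. The pin value is a placeholder, not a real hash.
LAX_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>")
LAX_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Public-Key-Pins: pin-sha256=\"PLACEHOLDERPIN=\"; max-age=5184000\r\n"
             "\r\n<html></html>")

# Constructed sample: the layout rh587 describes for the forums host,
# redirect on port 80 plus a long-lived HSTS policy over TLS.
STRICT_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
               "Location: https://www.example.test/\r\n\r\n")
STRICT_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                "\r\n<html></html>")

if __name__ == "__main__":
    for label, pair in (("lax", (LAX_HTTP, LAX_HTTPS)), ("strict", (STRICT_HTTP, STRICT_HTTPS))):
        for level, message in assess(*pair):
            print("%-6s %-4s %s" % (label, level, message))
```

Run against the constructed samples, the "lax" host gets three warnings (no redirect, no HSTS, HPKP still sent) and the "strict" host two passes. To use it on a real host, feed `assess` the raw responses from a plain socket on port 80 and a TLS socket on port 443 for the same path; a redirect alone does not protect the first visit, which is why the HSTS check is reported separately.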

  4. irm

    "By contrast there's almost no growth in the use of EV (extended validation) certificates, according to Helme."

    Doesn't surprise me, they're a bloody con.

    Windows 7 - ok, you've signed your code so I'll not bother annoying the user and let them get on with installing your app.

    Windows 8+ - ok, you've signed your code, but oh wait...what's this...not with an EV certificate, so popup warnings here we come again. Want to get rid of them? Well, that'll cost you even more than before (despite the extra checks probably taking about 10 seconds), and you can forget about software-based signing too...oh no, now the key comes on a physical doodad, so you can only use it on one development machine at a time, oh and you can forget about remote desktopping into it, cos we'll disable it if you do that (thank god for vnc), etc, etc...

    1. Tomato42

      > oh and you can forget about remote desktopping into it, cos we'll disable it

      oh, what a wonderful back-asswards thing! sigh, working in security doesn't make you knowledgeable about security

  5. Anonymous Coward

    You reap what you sow...

    Many webmasters don't bother themselves to look at how stuff works but only focus on "what's good". Which is exactly why I'm so critical about this current "HTTPS = good" push, because just using HTTPS is by no means any guarantee that your site will be safe.

    I wouldn't be surprised if some didn't even realize the deprecation and would even respond with: "But we're using HTTPS, that's good right?".

    1. JohnFen

      Re: You reap what you sow...

      It's true, using HTTPS is not a security panacea, any more than wearing a motorcycle helmet guarantees that you won't be injured on a motorcycle. But the fact that they don't give you protection from all calamity isn't an argument against using them.

    2. Orv Silver badge

      Re: You reap what you sow...

      HTTPS at least ensures that if there's something unsafe, it's something I put on my site, not something inserted by the ISP or a rogue access point.

  6. onefang

    '"The most surprising thing is probably the string growth in HPKP [HTTP public key pinning], a technology being abandoned by many and soon Google Chrome too," Helme told El Reg.'

    String growth? Sounds like a buffer overflow attack to me, they are often surprising to lots of people.

    1. Ken Moorhouse Silver badge

      String growth?

      Looks like you've spotted an I/O Error.

  7. Alistair

    Many webmasters don't bother themselves to look at how stuff works but only focus on "what's good". Which is exactly why I'm so critical about this current "HTTPS = good" push, because just using HTTPS is by no means any guarantee that your site will be safe.

    I'm gonna point out that we have the global slurp-o-rama organizations to thank for this. And some entirely stupid historical events. Like a well known commercial vendor of home maintenance tat redirecting to an HTTPS secured payments page that embedded an HTTP frame for the "card number name cvs number" block.

    point one: if all the data is being encrypted on the internet - the slurp monkeys have more work to do. They have to go back to relying on metadata and actually thinking.

    point two: if *every* component of your site(s) is https you're less likely to have a *duh* moment.

    (And I've had web developers bitch and whine that securing the entire site made their lives more difficult when they were developing WL java apps that hid behind an apache reverse proxy that did the https *and* the redirection from http so that their stupid typos didn't cause problems)

    No, https doesn't mean "safe" - it means more likely safe -- and yes, apache to WL was unencrypted but on a dedicated network path, internal to the chassis of blades. No it wasn't monstrous but it was miles better than what it replaced.

  8. Anonymous Coward

    Stubbornly insistent

    It seems that some websites, of small and large organizations too, insist they have nothing on them to require HTTPS and so use HTTP instead. If there is something to secure they will only use HTTPS on that specific page.

    Perhaps it's logistical?

    Now for the uninitiated the HTTPS is another directory/folder on the server and to have HTTP & HTTPS means everything has to be duplicated in two directories/folders, so it would be easiest to put everything in one directory/folder and be done with it. A compromise is only a few pages being put in the HTTPS directory, those that require security.

    Then there is the cost of the certificates; it costs money and time, and again to get updated ones later.

    Many sites are not built by their owners but by others, even off shore web design companies, who just don't have the love for the client organization's customers as the organization may have (or not).

    So it's {yawn} just not a priority for them......

    1. Anonymous Coward

      Re: Stubbornly insistent

      Just... So much fail there! Speechless...

    2. Adam 1

      Re: Stubbornly insistent

      Well I guess you could clone all your files. Or you could do what normal people do and bind port 443 to the same folder.

    3. Anonymous Coward

      Re: Stubbornly insistent

      > Now for the uninitiated the HTTPS is another directory/folder on the server and to have HTTP & HTTPS means everything has to be duplicated in two directories/folder

      Errm... How could I break this to you...

      May I strongly suggest that you should consider delegating your web server configuration tasks / maintenance to someone else?

      1. rh587

        Re: Stubbornly insistent

        Errm... How could I break this to you...

        May I strongly suggest that you should consider delegating your web server configuration tasks / maintenance to someone else?

        The problem is typically when you do that.

        I have some cheapy web hosting that uses Plesk and in the directory structure there are indeed separate HTTP and HTTPS folders. This is the sort of hosting a less-savvy user would subscribe to.

        If I were setting up my own server then obviously yes, I would bind 80 and 443 to the same folder and only have one copy of the content (with the requisite redirect for any traffic landing on port 80).

        And in the case of the cheapy web hosting, I dump everything in the HTTPS folder, click the "On" toggle for Let's Encrypt and run the lot over HTTPS. But it's easy to see where a novice might be confused, especially if they're reading a dangerously dated copy of "XHTML For Beginners (Updated for 2007!)" that they found in the library.

  9. Anonymous Coward

    The Register and Scott Helme

    Listen, I know how the whole dial-an-expert thing works and I have nothing against it. In fact, we use it ourselves and, done responsibly, it is a great tool in an earned media strategy¹.

    However, I am starting to be concerned that this may be over-representing Mr Helme's actual standing or achievements, however great they may be, within the infosec community. I do also freely admit that his attempt at manipulating opinion and throwing dirt at uBlock Origin developer Mr Hill for the purpose of scoring a cheap publicity point did not exactly endear Helme to me, and caused me to have some concerns about the rigour of his methods and analyses.

    Therefore, I should like to suggest to ElReg that, in order to safeguard its journalistic integrity as well as the public interest, in having well-contrasted, balanced and attributable news, it may be more appropriate to either give Mr Helme his own column, making him responsible for both his own research and conclusions, or give equal treatment to other, perhaps more meticulous but less publicity-inclined professionals.

    For reference: https://www.google.co.uk/search?q="scott+helme"+site:.theregister.co.uk

    ¹ This is not an assertion that Mr Helme approached ElReg first. It may also be that Mr Leyden subscribes to his blog feed. Either way the end result is the same.

    1. Anonymous Coward

      Re: The Register and Scott Helme

      > I know how the whole dial-an-expert thing works

      For those who may not be au courant, this refers to where you, a subject matter expert in something or other, are in the contact list of one or more journalists who seek your input when writing an article about whatever it is you supposedly know about.

      You provide your commentary, opinion or advice which the journalist may or may not decide to publish with different levels of mangling and in exchange for your time you get a mention on his article ("according to Mr Bloggs, an expert yo-yo performer ..."), and often a link back to your own website in these digital media days.

      If you work with the right journalists, so that your words are not misrepresented too much, this is a very effective form of free publicity: it makes people aware of your existence and it reinforces your standing, since you are an "expert". That is of course assuming that you are minimally able to talk sense, explain things in a manner which is understandable to the target public and, importantly, know when to shut up (you can't always know everything).

      For journalists working with the right experts, they get to write more informative and engaging articles which are less likely to contain gross inaccuracies or incorrect terminology. It does not cost them or their employers anything and it does enhance their reputation as a reliable source.

      For the audience, they get the benefit of detail, accuracy and reliability, assuming that you do have the right expert-journalist symbiosis. However, as with everything, the system is open to abuse and sloppiness from all parties, so as usual the audience should always apply critical thinking (and do not be afraid to contact the "expert" if you think he made a blunder).

    2. Adam 1

      Re: The Register and Scott Helme

      I think that it should be considered on a case by case basis. There is nothing in this article that the wider security industry would take umbrage with. HTTPS becoming more common. Check. His survey has been running over years and the methods are generally quite sound. May be off by a percentage point or 2 because of limited sampling capabilities with subdomains, but this doesn't impact the trend. Does he have any conflict of interest? Well I guess he will have more business opportunities if he can establish that HTTPS is inevitable, but I can't think of any subject matter expert who wouldn't equally benefit. And no one serious is questioning his expertise in this area.

      The uBlock origin thing is one where he does have a direct commercial interest, but I believe this was disclosed. It would have been impossible to cover that story without sourcing his views because he was the one complaining. And for the record, there are legitimate arguments for both positions on the uBlock reporturi thing. There is a potential side channel tracking capability if it is honoured but it can also benefit *other* people by notifying the site owners if someone injects a coinhive JavaScript into your site. You don't personally need it fixed because your browser has already protected you. On balance, I think the tracking protection is a better benefit (and I made this point at the time). But yes, that does impact his commercial reporturi service so that needs to be disclosed.

      Ultimately, that is a journalistic integrity decision. I personally find this particular red top acts reasonably responsibly.

  10. Old Handle

    I loathe gratuitous HTTPS

    All it does is cause problems. You try to connect from an old device? Boom "no cypher overlap". They forget to renew their cert? Now everybody's locked out because browser makers are too stupid to realize this isn't even a serious problem.

    And almost invariably this nonsense happens on sites that don't even have a legitimate need for security. Knock it off, people.

    1. Charles 9

      Re: I loathe gratuitous HTTPS

      "And almost invariably this nonsense happens on sites that don't even have a legitimate need for security."

      In this day, there's no legitimate reason NOT to have some security. Or do you leave your front door unlocked every night?
