No Half Measures: Advertisers Must (Properly) Adopt HTTPS

Written by Greg Norcie

In the wake of Edward Snowden’s revelations, data is increasingly encrypted both in transit and at rest. On the web, HTTPS – the colloquial term for HTTP traffic encrypted with the TLS protocol – adoption has grown significantly, and there is increasing consensus that HTTPS is critical for a trusted web.

The Internet Engineering Task Force’s Internet Architecture Board released a statement on internet confidentiality, declaring that in the presence of pervasive surveillance, encryption should be deployed from the beginning to the end of a communication (called “end-to-end” encryption). Along similar lines the World Wide Web Consortium (W3C) Technical Architecture Group has thrown its support behind HTTPS as a “base requirement” for the web, and the United States CIO has proposed that in the near future, all government websites will only be accessible via HTTPS.

Third parties are increasingly the weakest link in security.

However, while HTTPS adoption has grown significantly, third parties are increasingly the weakest link in security. While many sites have adopted HTTPS, they often suffer from “mixed content” problems. A mixed content vulnerability is when an HTTPS-enabled website includes insecure, plain old HTTP content (often so called “active content” such as Javascript.). Furthermore, the servers hosting said Javascript may also be vulnerable to security flaws.

CDT is currently finalizing a white paper describing why HTTPS is important for marketers and advertisers, along with technical details on how HTTPS should be properly configured. We plan to present our recommendations at the W3C Workshop on Digital Marketing in September, but an advance version of the white paper is now on CDT’s website. If any readers have any feedback on the white paper, I encourage anyone with feedback to contact me directly.

Recent events have shown just how serious mixed content vulnerabilities can be.For example, a security vulnerability in online voting system used in New South Wales, Australia is a scary example of the importance of HTTPS for third parties. While the site itself used properly configured HTTPS, the 3rd party Javascript present on the site used an outdated version of TLS. This meant that  votes cast in the recent state elections could have been changed in transit.  The server hosting the Javascript in question was vulnerable to the FREAK attack – an attack that could allow downgrading the encryption strength and replacing content in transit.

As we point out in our white paper, despite real threats like the one above, many advertising networks load their third party resources over plain HTTP. Even though the Internet Advertising Bureau has publicly stated that there is “a need for HTTPS” and claiming 80% of advertisers support HTTPS, researchers at Citizen Lab recently showed that only 38% of advertisers who participate in the Digital Advertising Alliance’s opt out page actually used HTTPS.

Furthermore, research by Mike Kranch and Joseph Bonneau shows that even when website operators enable HTTPS, they rarely support HSTS – a technology which forces all connections to a website to travel over HTTPS. Thus, sites that don’t employ HSTS might be vulnerable to clients loading insecure content via an attacker forcing the connection to downgrade to plain HTTP.

Kraunch and Bonneau went on to point out that even when a site supports HSTS, it rarely supports HTTP public key pinning (HPKP). HPKP is a new IETF standard which allows a website to specify which certificate authorities are authorized to issue certificates for a domain. This ensures that malicious certificate authorities cannot issue false certificates and intercept user communications.

Without HPKP enabled, a rogue certificate authority could attack the user, by creating a fraudulent certificate to impersonate a legitimate website and intercepting any traffic intended for that site (user data, passwords, etc).

Finally, when a site supports HSTS and HPKP, the sites often do not load all of their external resources from pinned sites.  Therefore, it is important that advertisers implement HTTPS using best practices such as using the latest version of TLS and enabling HSTS.  While it is a relatively new standard, advertisers should also strongly consider enabling HPKP.

As election administrators in Australia recently realized, it’s not sufficient to simply transition to HTTPS, but they will also need to have staff (or a contractor) monitor developments in web security and SSL/TLS vulnerabilities, to compare against their software and configuration. If they do not, there is a good chance that all the hard work to transition to HTTPS could be neutralized by a flaw that they aren’t made aware of in a timely fashion. Constant vigilance is required.

In the future, advertisers who fail to adapt to the higher level of trust the web now demands may see customers shift to advertisers who do.

In the future, advertisers who fail to adapt to the higher level of trust the web now demands may see customers shift to advertisers who do. In addition to market forces, failure to properly enable HTTPS may in the near future become relevant as an unfair business practice under the Federal Trade Commission’s Section 5 authority, or may expose companies to liability under state data security statutes or international data protection laws.

While enabling HTTPS is an important first step, advertisers must take steps to ensure their transition is done properly and that a secure state is maintained once the transition is complete. Failing to support HTTPS (and to do so securely) may lead to security and/or privacy breaches. Advertisers who fail to adopt HTTPS may experience lost revenue as advertising and analytics clients seek more secure alternatives.

We go into more depth on the above topics in our white paper. Definitely check out the full whitepaper, and again, I’d love to hear from you if you have suggestions on it.

Share Post