All Web Users Deserve Confidentiality and Integrity:
All interactions on the web benefit from protection. People online increasingly face serious risks, from financial fraud to spying and surveillance to malware in downloads and advertisements. On the web, protection is achieved by HTTPS, and now is the time to move your websites from (insecure) HTTP to (secure) HTTPS. It’s easier than you may think, and getting easier every day.
Privacy & Security Concerns:
- Without HTTPS, ISPs and governments can spy on what your users are doing: Traffic on the web traverses many different networks from server to browser, and each of these networks (or equipment installed on these networks) can see the full contents of unencrypted (HTTP) traffic. This means ISPs can do things like monitor your web traffic to build advertising profiles. This also means that the government can monitor unencrypted traffic at chokepoints such as undersea cable landing sites. This is especially problematic since the U.S. government treats traffic encountered outside the United States as foreign – free from the restrictions imposed by the U.S. Constitution – and subject to interception. However, traffic travelling from one computer in the United States to another computer in the United States can easily cross international borders, and when it does, it can be intercepted.
Business Risks of not using HTTPS:
- Without HTTPS, ISPs can strip out your ads/referrals and add their own: Your site may use advertising or other digital marketing features or depend on accurate analytics about visitors and customers. If your site is using (unencrypted) HTTP, ISPs or other network operators can remove your own advertisements, analytics, and marketing code and add their own. For example, NebuAd partnered with ISPs to snoop on their customer traffic and deliver targeted advertisements.
- Without HTTPS, your website cannot have the fastest performance: HTTPS is required for the best performance the web offers. HTTP/2, the latest revision to the HTTP protocol, yields massive performance enhancements (faster page loads and less data to transmit). Major browsers such as Firefox and Chrome only support HTTP/2 over HTTPS. You’ll be missing out on these performance gains if you stay on plain HTTP. Google also gives a (small) search ranking boost to HTTPS sites. And major browsers such as Chrome and Firefox will soon begin to mark unencrypted HTTP as insecure.
- Without HTTPS, you can’t use the latest cool web features: The web is gaining some neat new tools and features that will only be available to secure (HTTPS) websites, and HTTP sites simply will not have access to those features. Some of the most innovative things you can do with your website, for example HD video chat (WebRTC) or using geolocation in the browser, require that your site use HTTPS to function.
- You already need HTTPS to do payments anyway: If you accept payments, tips, donations, or provide subscription access to content or services, the Payment Card Industry Data Security Standards (PCI DSS) specify that you must encrypt data in transit and require HTTPS for e-commerce transactions. Websites should treat all of their customers’ browsing as private – not just their financial data. By enabling HTTPS for your entire website, operators can show that they view privacy not as mere compliance, but as an important part of good customer service.
Previous CDT work on this topic: “No Half Measures: Digital Marketing Properties Must Adopt Encryption Best Practices” https://cdt.org/?p=75853.
For more information, please contact:
- CDT Chief Technologist Joseph Lorenzo Hall
- CDT Communications