The past week has seen some interesting news in the world of online security. First, the US government announced that all websites maintained by federal agencies must be using HTTPS by the end of 2016. Second, the Wikimedia Foundation (best known for Wikipedia) announced that they, too, were rolling out mandatory HTTPS for their own sites as well, with full completion expected “within a couple of weeks”.
With large organizations moving to full-time HTTPS, and browser vendors pushing for it as well (Mozilla has gone on record that eventually, new features will only be for sites running HTTPS), is it time for smaller site owners to make the move as well? Should end users pressure their favorite sites to adopt HTTPS? Will it really help online security?
The short answer is yes. Site owners should strongly consider enabling HTTPS for their sites. It’s been clear to many people that in the long run, meaningful adoption of HTTPS would increase the security of the Web. Web giants such as Google and Mozilla, plus international bodies like the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) have all spoken out in favor of this. Sites that are being set up now should use HTTPS from the start. That’s the direction the web is going today, and a site that’s being set up now should be built with the safety and privacy of its users in mind. For existing sites, enabling HTTPS as soon as is practical is something that owners should strongly consider, especially if sensitive data is being handled.
Another thing to consider for website administrators is that in the long run, search engines may make HTTPS usage part of their ranking algorithms. Google is already doing just that. While for now it’s not a particularly significant “signal”, down the road that could change. It’s a good idea for site owners to get ahead of the curve and move their users to a more secure and private web.
HTTPS: A Good Start
It is important to note that while the mandate to adopt HTTPS is a very important step to improve online security, the effort should not stop there. HTTPS is definitely an improvement, but it is not perfect and is far from a cure-all when it comes to online security.
Think of it as the equivalent of sending a letter in a secure container; a safe, for instance. An attacker could replace the entire container by their very secure but fake safe, steal the letter after it’s opened (steal the decrypted data from the user’s own machine), or send the user a very secure safe with a bomb inside (direct the user to a malicious site through a secure channel). HTTPS deals with the issue of security “in transit”, i.e., while the data is being sent across the Internet. It doesn’t solve other problems with online security, and was never meant to.
These developments to make HTTPS implementation a norm on the Web is definitely a step into the right direction and it is crucial for website owners to follow suit.