HTTP - HTTPS

HTTP can be also used as "transport" for such application layer protocols as SOAP, WebDAV.

HTTPS (HyperText Transfer Protocol Secure) is the expansion of the HTTP protocol supporting enciphering. The data transferred under the HTTP protocol are encapsulated in the cryptographic SSL or TLS protocol. Unlike HTTP, for HTTPS TCP port 443 is by default used.

In 1994 this expansion the Netscape Communications company for the Netscape browser created Navigator. HTTPS is used and supported by all popular browsers.

Principle of work

Operation of the HTTP protocol happens by the following principle: the client program performs TCP connection with the server (the standard number of port-80) and outputs to it a HTTP request. The server studies this request and issues the HTTP answer to the client.

2019

Google thought up how to force the websites to pass to HTTPS

Since 2010, the Google corporation will change the attitude to the websites which completely did not pass to HTTPS and continuing to load some resources of pages (for example, video, audio, images and scripts) on HTTP.

The resources loaded by the websites on HTTPS and on HTTP are called "the mixed content" and represent a problem from the very first day of implementation of HTTPS. Within several years browsers ignored a problem of "the mixed content", it was only that the master was loaded on HTTPS important for them.

Nevertheless, recently Google and Mozilla companies, everyone on the, actively advance HTTPS. Mozilla and its partners started the Let's Encrypt service providing free, simple TLS certificates in deployment. In turn, Google Chrome began to designate the websites as unsafe (Not Secure) loaded on HTTP.

Now Google intends to go further away and to force the websites to pass completely to HTTPS. Starting with the version of Chrome 79, changes which as a result will lead to complete blocking of "the mixed content" by default will be gradually made to the browser. Already in Chrome 80 "mixed" by audio and videos will be automatically updated to HTTPS. In case of impossibility of loading of content on HTTPS, it will be blocked. In Chrome 81 this approach will also be applied to the "mixed" images.^[1]

The authorities of Kazakhstan intercept traffic of Facebook, Google and VKontakte

A week later after the government of Kazakhstan began to intercept all HTTPS traffic, some details about the events in the country became known. Read more here.

The government of Kazakhstan began to intercept all HTTPS traffic in the country

On July 17, 2019 the government of Kazakhstan began to intercept all Internet traffic of HTTPS in the country. For this purpose local telecommunication operators were obliged forcing users on all the devices and in browsers the special certificate developed by the authorities.

After installation of the certificate governmental bodies of Kazakhstan will be able to decrypt HTTPS traffic of users, to browse its contents, again to cipher it using the certificate and to send to destination. It allows the government of Kazakhstan to monitor easily actions of the citizens on the Internet.

According to the ZDNet edition, the users trying to get Internet access since July 17, 2019 are redirected on web pages on which installation instructions of the root state certificate contain in browsers for mobile devices and computers.

Without installation of the certificate it is impossible to visit the websites with HTTPS (and such the majority) — the Internet service provider blocks access and issues  the page stub, similar to that which is given below.

Residents of Kazakhstan obliged to set the safety certificate "for protection against the hacker attacks and viewing illegal content"

On this page the following message is displayed:

The purpose of application of the safety certificate is restriction of distribution on network of telecommunications of information prohibited by the legislation.

To users suggests to follow the link for installation of the certificate. To some subscribers  SMS  with a reminder arrived "according to the Law About Communication of Article 26" to establish the certificate on all devices going on-line.

Kcell and Activ operators  stated that the certificate was implemented because of the become frequent cases of plunder of personal data of Kazakhstan citizens and  theft of money from  their  bank cards. It  will protect subscribers "from  the hacker attacks and  viewing illegal content".  The certificate  will have no access to  personal data of the subscriber, approve Kcell.^[2]

2018: 20% of the largest websites do not use HTTPS

In April, 2019 it became known that 20% of the world's largest websites do not use  the HTTPS protocol  with enciphering support, despite restrictions which which they face with respect thereto.

According to Google, 79 of 100 most popular web resources which are not connected with the company do not use the certificate for protected by HTTPS connections. Such security is ignored, in particular, by the world's largest database and the Internet portal about cinema of IMDB and the The New York Times newspaper. However, HTTP is applied not on all pages of the websites of the specified and other large companies.

For installation of safe connection in the Internet the HTTPS protocol with enciphering support is used.

The authors of rating of Alexa collecting statistics about attendance of the websites made the list of resources which automatically do not redirect unsafe requests in response to safe. Data of Google are confirmed: 20% from the most visited sites belong to discharge of unsafe.

The icon of the protected HTTPS connection became standard and even necessary attribute of any serious website. If  the certificate  is absent, almost all last browsers show warning that  connection with the website "is not protected"  and do not recommend to transfer to it confidential information. The absence of HTTPS influences positions in search issue and has significantly a negative impact on privacy in general.

Earlier implementation of HTTPS was very expensive for the websites, especially small, but by April, 2019 the set of the companies offering free and very fast installation of SSL certificates works. For example, it is possible to note  the Lets's Encrypt service providing automatic issue of free certificates for TLS enciphering and supported by Google as the platinum member.

However the large websites do not hurry to pass completely to HTTPS, including this migration technically difficult and often unprofitable. Planning such transition, the companies, as a rule, ask themselves several questions: Whether "The network of delivery will become more expensive in a case with HTTPS?", whether "Third-party content on the website will consider transition to HTTPS?", etc. The company should hold a set of testings and to correct numerous errors before the protocol begins to function normally.

If HTML-resources which are provided by the company have references (pictures, scripts …) per different hosts and relative URL are not used, then transition to HTTPS becomes complicated.

The HTTPS installation can frighten a little the unprepared user — she demands many steps with participation of the different parties and also specific knowledge of cryptography and server configurations and in general in general it seems difficult.

Besides, according to the information security expert of Malwarebytes Gérôme Segoura  (Jérôme Segura),  HTTPS does not guarantee 100 percent security. For example, some websites can involve the protocol on the homepage, but not include it in other pages and services.^[3]

The websites having certificates of HTTPS are marked with browsers an icon in the form of the lock

Check of 10,000 leading websites  from the rating of Alexa showed the following: many of them are subject to critical vulnerabilities of protocols of SSL/TLS, is normal through subdomains or dependences. Vulnerable cryptographic configurations are revealed on 5574 hosts, i.e. approximately for 5.5% of a total quantity.

According to authors of a research, the complexity of modern web applications repeatedly increases the surface of the attack. The problem is aggravated by lack of officially approved and approved list of the recommended HTTPS settings. So,  Mozilla SSL Configuration Generator  offers several options of a configuration depending on the required level of protection.

2017

Russia: the number of the websites with SSL certificates in a year grew four times

According to analytical service StatOnline, in the Russian national domain zones the quantity of the websites using SSL certificates in a year grew four times. In July, 2015 in a zone. RU quantity of such resources made 109 thousand, in the same month 2016 — 189 thousand, and in July, 2017 — 531 thousand. For comparison, zone indicators. The Russian Federation was made by 18 thousand, 21 thousand and 65 thousand respectively. As of August, 2017, all in a zone. RU is 5.5 million websites, in зоне.РФ — 900 thousand, Izvestia tells.^[4]

HTTPS protocol is designed to protect data of users from interception. According to promises of Google, the link to resources which still did not pass to HTTPS, since the beginning of 2018 will be displayed in search results with warning of their insecurity. The similar initiative was taken also by the Mozilla company releasing the Firefox browser.

SSL certificates — the unique digital signature of the website necessary for the organization of the protected connection between the browser of the Internet user and the server. The normal websites use for data exchange the HTTP protocol, resources with the certificate — the protected HTTPS. SSL certificates are issued for different terms. According to StatOnline, the most widespread period of action of the SSL certificate — less than 1 year. In a zone. RU number of such certificates makes 82% of total number, and in a zone. The Russian Federation — 95%.

Antiviruses affect security of HTTPS

On February 13, 2017 the group of researchers published the report on influence of antivirus software on security of HTTPS traffic in which assumptions of experts of unsafe influence of antivirus tools on the ciphered traffic were confirmed.

As a part of group specialists of Mozilla, Google, CloudFlare, representatives of the university of Michigan, the Illinois university in Urban-Shampeyna acted, the University of California in Berkeley and the International institute^[5].

Experts suspected about influence of instruments of protection on the protected connections therefore the ciphered traffic is exposed to risk and security weakens. They were right in the suspicions. Researchers analyzed confirmations of communication sessions (handshakes) connected with browsers, anti-virus products and malware and on the basis of it created heuristic methods of control of interception and intervention in HTTPS, determinations of the subject of interception of traffic.

The tools created for tests placed on the servers Mozilla Firefox, CloudFlare CDN and e-commerce sites. The analysis showed: 4% of the Firefox connections, 6.2% of the e-commerce connections of the websites and 11% of the CloudFlare connections are intercepted. Then the majority of these connections became less safe (97% in relation to Firefox, 54% for CloudFlare and 32% for e-commerce of resources). Security more than 62% of percent of connections weakened to rather acceptable level, and 58% of connections became subject to critical vulnerabilities.

According to experts, the concern causes not only the fact that interceptors of connections used weaker cryptographic algorithms, but also that 10-40% from them announced support of the cracked ciphers long ago that allows Man in the middle (MITM) attacking in a position to intercept connection, to make downgrade and to decrypt it.

Researchers studied work of products A10 Networks Blue Coat Barracuda Check Point Cisco Forcepoint Fortinet Juniper Networks Microsoft Sophos, Untangle and WebTitan. From this list only Blue Coat technologies, according to researchers, addressed with TLS connections correctly. Other products got 2-3 points on a five-point scale because of vulnerabilities and the potential MitM-attacks.

The table of impact assessment of the anti-virus systems on traffic of HTTPS, (2017)

2016: Only 5% of HTTPS servers use correctly configured HSTS

According to Netcraft company, 95% of all which are used in the world of HTTPS servers are vulnerable to the hacker attacks because of incorrectly configured HSTS mechanism or its absence. As showed results of a research, only 5% studied by experts of HTTPS servers use correctly configured HSTS. The similar research was also conducted three years ago, and since then practically nothing changed. According to researchers, administrators or do not know about a problem, or treat it insufficiently seriously.

HSTS activates the forced protected connection through HTTPS instead of HTTP. Now the given mechanism is supported Internet Explorer by browsers 11 Microsoft Edge Firefox Chrome, Safari and Opera. With its help administrators of web resources can prevent man-in-the-middle attacks, manipulations with cookie files, etc.

According to experts, the simplest scenario of the attack looks as follows: the user enters the website address into search string, specifying http:// instead of https://. The resource without support of HSTS opens through HTTP, and malefactors have an opportunity to perform a phishing attack or man-in-the-middle attack.

2015

Browsers promote existence of the false websites

Browsers Google (Chrome), Microsoft (Internet Explorer), Apple (Safari) and Mozilla (Firefox) allow to break the mode of safe use of information to programs like Superfish, PrivDog, Gogo and similar. They do it by failure to act^[6].

Safe web pages (HTTPS) demand from web browsers of availability of the file which is referred to as with the digital certificate which is necessary, in addition, to be convinced that the user exactly there, on that website on which he thinks that it there.

It is necessary because construction of the Internet does possible dishonest substitution of names of the websites. So the user comes on somebankingsite.com, and instead of real bank it can be the duplicate of the website created for deception of users by the most different methods.

One of protection methods against it is the file of the digital certificate. The same as the postage stamp shows — where and when the letter was sent by mail, the file of the certificate should prove identity of the website.

For use of the protected HTTPS website, it is necessary to receive the file of the certificate at any of the companies in business on their sale in the beginning. These companies are called Certificate authorities (Certificate Authorities). They undertake efforts on check of identity of the subject making a request.

Technicians mention the file of the certificate as "certificate" or, most often, "cert" is simple. Sometimes it is called by "the certificate of HTTPS" or "the certificate of enciphering". Google calls its "safety certificate".

To confirm the identity, the websites using SSL certificates provide safety certificates for Chrome, for example. Anyone can create the website which is pretending to be other website, but only the real website has the valid safety certificate for specific URL. Invalid certificates can mean: someone tries to manipulate connection to the website.

Sounds hopefully - for technically not grounded users, but, a system has the vulnerabilities adjoining on fraud.

One of the biggest vulnerabilities in a system that any Certificate authority (CA) can be charged for any website. At the same time, there are hundreds of Certificate authorities, everyone has subcontractors who can also issue certificates.

In addition, nobody knows these companies. GeoTrust, Entrust, USERTrust, GTE CyberTrust, Starfield, CertPlus, DigiCert and Thawte are not well-known. The post office of Hong Kong, for example, is trusted certificate authority. Who will trust a website which identity is certified by post office of Hong Kong? Browsers in the user systems trust.

The companies vendors of web browsers, did not create this vulnerable system, but they promote it, hiding the events from users.

There is no doubt that Microsoft, Apple, Google and Mozilla will point that the name of the charged Certificate Authority is easily available. Technically, it so. Really it not so, at least, not for not - technicians who need it most of all.

To see the name Certificate Authority, it will be required to make several manipulations, and a movement route nobody ever explains to beginners. And these manipulations are excellent for each browser.

Let's consider actions on the Windows platform. There are several ways on disclosure of the name CA.

In Firefox 36 (above), it is necessary to click the lock, to the left of the website address in an address bar. In a pop-up window will appear also the name of Certificate authority "Is confirmed".

In Chrome 41 the company name dark green in a light green rectangle. It is necessary to click the company name or the lock near the address, then the word "Connections". It is clear not at once, in the appeared window there are two tabs — one for Permissions, another for Connections.

For some reason, the visual design of these tabs completely differs from browser tabs directly over them. On a tab of Connection the name of Certificate authority is visible.

In Internet Explorer 11 it is necessary to click on the lock on the right side of an address bar. In the appeared window it is visible information on identification of the website. In the bottom of a window to click Viewing certificates and it is visible detailed information on Certificate authority to whom it is issued also validity periods.

In Opera 27 it is required to click the company name displayed in green color near the black name of the website or the lock to the left of the address. Then to click a word "In more detail". The name of Certificate authority is shown, but it is not identified, as such.

The Vivaldi technical preview 2 browser offers a confidential hint. If to guide the mouse cursor at the company name displayed in green color to the left of a website name, the pop-up window will show "information on the website". After clicking, background color changes from light green to dark green. Clicking the company name will open a window which looks the same as in Chrome — with tabs of Permission and Connection.

In Safari on OS X it is necessary to click the small green lock to the left of the company name.

Two IOS 8 browsers work as Jekyll and Hyde. Chrome does not show the company name, only the address. Safari, on the contrary, shows only the company name and hides URL.

Worst of all in Safari on iOS 8 the fact that irrespective of where neither click, nor click or direct it will not issue the name of Certificate authority for safe websites. It does not show even the complete URL addresses. Chrome on Android is also not able to identify guarantees of Certificate authority for the protected website.

Strange coincidence that in the most popular browsers on iOS and Android there is no important safety feature.

In screenshots it is noticeable above that the Certificate authority is never identified as such. Developers of the interface decided that all on the planet are already familiar with a system.

In Windows, Firefox, Chrome and Vivaldi the word is used "is confirmed", Internet Explorer uses "defined the website as", and Opera just shows a name.

The best explanation in Safari on OS X: Company X defined the website Y as belonging to company Z. Quite simply. But even this explanation does not define Certificate Authority as Certificate Authority (Certificate authority) that does a situation much more difficult for not - technicians.

The name of Certificate authorities adds confusion. In the stated above examples of Bank of America, four different names are visible: VeriSign Inc, VeriSign (without Inc), Symantec Corporation and Symantec Class 3 EV SSL CA — G3.

How can the Certificate authority use four names?

Partly it comes from the file of the certificate having several built-in names for each Certificate authority. Chrome displays "general name", and Firefox outputs "The name of the organization". Any of browsers does not show the name of Organization unit which, in this case, "Symantec Trust Network".

Several names arise because of use of subcontractors (technicians use other term, but it submits the concept better) Certificate authorities.

These subcontractors, in turn, can have own subcontractors. Actually, one root CA never warrants for the individual website, it is done by subcontractor of the lowest level. So, what name the browser should show? That, which at subcontractor of the lowest level, intermediate subcontractor or Certificate authority of the high level?

In examples about Bank Of America, browsers reported that VeriSign confirming this website, received the name or from CA subcontractor of the average level, or from original CA (known among technicians as a root certificate authority).

And everything becomes even worse.

In a case with Bank of America, technicians know that Symantec purchased VeriSign so these two names, in fact, same.

But whether really Bank of America uses VeriSign? Perhaps, they use DigiCert or GeoTrust or Thawte. How to learn? The only way - if the relative works in this bank.

Who else thinks that determination "fraud" is too severe?

At the same time it is quite clear how Superfish worked.

Person in the middle (Man in the middle)

Superfish places itself between the victim and the rest of the world. When clients of Lenovo thought that they set safe connection with somebankingsite.com, it actually was not. They had a safe connection with the software of Superfish on their PC with Windows 8.

Besides, bank deceived too, forcing to think that it communicates directly with the client. Actually, the bank also communicated with Superfish. It is the classical attack of the intermediary, man-in-the-middle attack, ^[7].

In olden days, only bad guys and spies carried out the attacks of the intermediary. Now promotion companies do it.

The classical attack "the person in the middle" used the unprotected HTTP connection between the web browser and the swindler. If there is a replacement of HTTPS by HTTP, then there has to be no lock icon. Since those times many things changed.

Superfish can hide the presence by representation to the web browser of the file of the certificate - not this file certificate, and that which Superfish creates "on the fly". Irrespective of the fact which the client of Lenovo visited the protected HTTPS website, Superfish dynamically created the certificate for it.

Other part of the attack forces web browsers to trust certificates from Superfish. Normal computers so do not do.

Long months clients of Lenovo did not notice that Superfish warrants for each protected website in the world. It demonstrates that it is quite difficult to find the name Certificate Authority. Gogo long issued fraudulent certificates of YouTube until it the employee of Google noticed.

Web browsers should show accurately Certificate Authority in a visible place - better to force the user "click", for concealment of the name, but not for its demonstration. Browsers should shed light on the system functioning in the dark.

The company of retail Sy Syms existing once used a slogan for advertizing: "The educated consumer — our best client". In the world of technologies all not so. There is a strong feeling that there is a purpose - deduction in ignorance of technically illiterate users.

If the name of Certificate authority (Certificate Authority) is in a visible place in a browser window, end users can get some advantages:

• financial firms will be motivated to propagandize the Certificate authority, complicating fraud.
• over time, users inevitably learn something about the companies in business selling trust.
• the Certificate authorities used by the large companies will become visible, and users will have in them more faith, than in those whose name was never seen before. They we will know who should check the protected website which is often used. Now the name of Certificate authority does not mean nothing almost to all users using the Internet.

Intelligence agencies do not love educated consumers. A present system serves them well. They can offer the fraudulent copy of the website and be charged for it by the certificate from the compromised Certificate authority. The compromise of one CA, allows them to be charged for any website until the name CA is hidden. If we could see that the Harveys Certificate authority warrants for Bank of America, swindle would not work.

Everything depends on Google, Apple, Mozilla and Microsoft. They should show to the consumers the name of the Certificate authorities confirming authenticity, allegedly, safe websites.

Identity of Certificate Authority very important aspect in mutual trust between consumers and suppliers of data.

HTTP/2 specifications

On February 18, 2015 it became known of the forthcoming improvements of the HTTP protocol. The upgrade purpose - considerable acceleration of loading of pages.

[1] The working group of IETF HTTP was engaged in development of specifications of the protocol.

HTTP2 is the first significant update of the protocol since 1999 when to light there was a version of HTTP at number 1.1. Updating will accelerate loading of Internet pages, will improve quality of Internet connections with remote servers, optimizes work of a cache on the computer that the browser had not to load the same data several times, loading an Internet channel.

After updating, servers will be able to process multiple requests at the same time that will allow to avoid overloads. Considerably data protection will improve.

The Google corporation declared officially that will try to pass to HTTP/2 protocol most quickly to accelerate data loading for Internet users. The developers interested in the updated protocol can get access to its specifications.

Main features of digital HTTP2 protocol:

• Increase in efficiency of use of network resources due to multiplexing of requests, arrangements of priorities for requests and compression of the headings HTTP, pro-active push-answers from server side.
• Serious performance improvement for modern browsers and mobile devices.
• Possibility of deployment on the modern Internet, using IPv4 and IPv6 and not forgetting about NAT.
• Simplification of deployment of solutions on the basis of HTTP.
• Providing modern requirements to security.

At the heart of HTTP/2 the protocol ^[8].

2014: The websites with access on HTTP will pass into discharge of "dangerous"

On December 17, 2014 it became known of change in the system of warnings of the browser of unsafe connections which is coming in 2015.

Chrome Security Team stated that all web pages, access to which is provided under the HTTP protocol, will be considered as dangerous by default. According to developers, the similar measure should promote public awareness of use of secure channels of communication and stimulate owners of the websites passes to application of HTTPS.

For December 17, 2014 warning appears only in case of HTTPS connection which certificate became outdated or it is considered inadmissible (non-valid) and at the same time the insecure channels are considered as the browser credible that does not correspond to realities.

According to plans of Chrome Security Team, three security levels will be defined:

• safe connection with access on valid HTTPS;
• doubtful connection where access on HTTPS is generally applied, but some resources use normal HTTP or there are insignificant errors TLS;
• unsafe connection where normal HTTP or incorrect HTTPS is applied.

At first the HTTP websites will belong to the doubtful category. When the share of the protected websites grows to 75%, they will be marked as dangerous. When on HTTPS more than 85% of the websites begin to practice access, the notification about secure access is offered to be removed, considering that the session is safe by default.

You See Also

• Cryptography
• Cryptography in digital technologies
• Cybersecurity - Means of enciphering
• PKI
• HTTPS
• DNS over HTTPS (DNS-over-HTTPS, DoH)
• SSL
• Electronic signature (EDS)

• Description of the HTTP protocol
• HTTPS

Notes