Article

Ask the expert: Troy Hunt talks HTTPS

July 26, 2017  |  Troy Hunt
Learn something new. Take control of your career.
Sign up

Is your organization using HTTPS? Why not? 

In a recent live webinar, HTTPS expert Troy Hunt discussed how your organization can overcome barriers to successfully implement HTTPS. After Troy covered why it’s absolutely essential that organizations make the switch to HTTPS, he took live questions from the attendees. Here are our top four from the event: 

1. Why is there so much resistance on moving towards HTTPS?

This is really about the barriers to adoption. In my Pluralsight course about what every developer should know about HTTPS, there is a module dedicated to these perceived barriers. These include things like cost of certificates, difficulty to implement, speed and support from downstream systems. 

Before HTTPS became more mainstream, certificates used to be quite expensive. But new services like Let's Encrypt and Cloudflare make it available for free. My blog, troyhunt.com, is on HTTPS, and I don't pay a cent for the certificate, because I used Cloudflare's free service. Barriers have also included things like difficulty to implement. Using Cloudflare can completely remove this roadblock from your path. If you go to cloudflare.com, you have the option to add a site, and in five minutes or less, you've got HTTPS over your site for free, with the most technical thing being that you need to change the main server DNS provider. And that's it.

Speed has also been a roadblock for users, but in reality, HTTPS gives you the ability to go faster than you did before. And the last main barrier has been the support by downstream services. The argument that frequently came up about three or four years ago was that Google Adwords didn’t support HTTPS, so putting an ad over HTTP on an HTTPS page would kill ad revenue. That argument's gone, because every downstream server of any significance now supports HTTPS. Basically we've been knocking off all of these barriers one by one by one by one, and this is inevitably why we're seeing these massive growth rates at the moment as well.

2. What is the difference in speed between HTTP and HTTPS? Why is HTTPS faster than HTTP?

Today, browsers are more frequently implementing HTTP2 over HTTPS because HTTPS is the future, so the tradition of sending things around insecurely is pretty much over. We will get to a time where HTTP will be the rare exception. An interesting thing we're seeing is browser vendors incentivizing developers to go secure. I suspect that's a part of why we're not seeing HTTP2 implemented over the insecure protocol as well. Even with HTTPS being the future protocol for secure web browsing, we still have control over whether we use it or not. If we choose to use HTTPS we will see a speed advantage to HTTP. 

3. What are your thoughts on the cost involved in certificates? Does a paid certificate provider give any more security than a free one? 

As we’ve said before, cost was one of the barriers of the past because it used to cost quite a bit of money to go out and get certificates. Using HTTPS on everyday sites was not a common thing. Fast forward to today, and we’ve got resources like Let’s Encrypt available. It’s an open project backed by the likes of Mozilla, Akamai, Chrome and others, that makes certificates free for everyone. If you want a certificate, and you can prove that you own the domains, you can got to Let's Encrypt and get a free one. And not only can you get a certificate for free, you can automate the renewal of it. 

Another continual problem we've had with certificates is not just the cost of buying them, it's the fact that you have to renew them. We see many cases where organizations have their certificate, but they neglect to renew it, so things start breaking. Automated renewal is a great feature of services like Let’s Encrypt. 

The second part of this question is about the security of a commercial certificate versus the security of a free one. The short answer is that it makes absolutely no difference. There's a really good way of checking this. There's a website called SSL Labs. Give a Google for SSL Labs. On this site, you can plug in a URL that serves HTTPS, and SSL Labs breaks down the entire security implementation certificate. To see for yourself, go to the biggest, most expensive website or bank you can possibly think of, and test that. Then go and test troyhunt.com, which is the cheapest possible way of doing it. What you'll see is that the security report that comes back with a letter grade and lots of detail. You'll see that the biggest, most expensive site is no better than my site. My site's got an A+ rating, not because I've done anything amazing, it's simply because I've used Cloudflare out of the box. So the actual implementation of the security is absolutely, positively no different. 

The only thing that really differs at all between the certificate implementations is the extended elevations certificates. If you go to Have I been pwned?, you'll see that up in the address bar there's a big bit of green text that says, "Have I been pwned?" And then it's got my name after it as well. An extended validation certificate gives you the identity of the certificate holder. When you actually see that green check up there in the address bar, very common particularly in banks, that tells you what organization owns that domain. There's still technically nothing different whatsoever in the cryptography or the security of it, it's just that there's a visual validation and confidence that it gives to users. 

4. My organization uses a lot of internal applications over HTTP, not HTTPS. How difficult is the implementation with HTTPS on legacy web servers? 

There are different parts to the complexity. In terms of how difficult is it to enable HTTPS on a server 2012 edition, that's the easy bit, right? Just turn it on. After that, it tends to become a bit more nuanced. Many of these nuanced examples are addressed in my course mentioned earlier. For example, there is an upgrade in secure requests on security policy header. It communicates to the browser that anything in the page must be requested over a secure connection, so it actually fixes problems for you. There are things like HSTS–HTTP Strict Transport Security, that when it’s enabled via security header it can pre-load into browsers as well. Then your browser, by default, will only request the content over a secure connection. So there are lots of tips and tricks to try and make this implementation easier for you and your organization. 

Watch Troy’s full webinar on-demand, “What every organization needs to know about HTTPS” to discover how to overcome the barriers to adoption of HTTPS. Still have more questions for Troy? You can find him on Twitter @troyhunt, his blog troyhunt.com or view his Pluralsight courses

Learn something new. Take control of your career.
Sign up

Troy Hunt

Troy Hunt is a Pluralsight author, Microsoft MVP for Developer Security and international speaker and trainer who's been building software... See more