According to Google’s new Transparency Report, uptake of secure web traffic, or HTTPS, is on the rise, making the web a lot more secure than it was a year ago. In general, this is great news for everyone, as HTTPS both encrypts our web traffic and helps validate the legitimacy of the domains we visit, keeping our data away from prying eyes and protecting us from websites pretending to be something they aren’t. Between April 2015 and October 2016, Google’s report shows significant increases in webpages being loaded over HTTPS. It also indicates that Chrome users on Windows, Mac or Linux machines are accessing secure HTTPS pages about two-thirds of the time.
While these HTTPS numbers are very encouraging for the security industry and show a genuine improvement in online security, there are a few drawbacks to consider:
First: HTTPS isn’t infallible if it’s not strictly enforced. For example, when users manually key in URLs, most don’t type in “http://” or “https://” before entering their desired destination. Browsers can automatically default to less-secure HTTP when a specific protocol isn’t provided, unless there is an HTTP Strict Transport Security (HSTS) policy in place. Secure websites will run HTTP services to redirect users to the appropriate HTTPS destination, but as a result, they can be more vulnerable to man-in-the-middle attacks. This means that when users are directed to HTTP sites first, bad actors can simply hijack HTTP requests and block users from reaching secure HTTPS websites. Without proper HSTS policies, HTTPS can be much less effective.
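A site owner can check for the gap described above by inspecting the response chain for their own domain. The following is an added example, not code from the article or from Google's report: it parses the `Strict-Transport-Security` header under the RFC 6797 rules and audits a constructed HTTP-to-HTTPS redirect chain. The function names, the `shop.example` host and the 180-day `min_age` threshold are assumptions made for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797).
    Returns (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:                       # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')    # max-age may be a quoted string
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                            # max-age is the one required directive
    return int(age), "includesubdomains" in seen

def audit_chain(hops, min_age=15552000):
    """hops: (url, headers) pairs in the order a browser follows them.
    min_age is an assumed local threshold (180 days), not a value from the article."""
    findings, protected = [], False
    if hops[0][0].lower().startswith("http://"):
        findings.append("first request is plain HTTP; the redirect is unprotected")
    for url, headers in hops:
        raw = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if raw is None:
            continue
        policy = parse_hsts(raw)
        if not url.lower().startswith("https://"):
            findings.append("HSTS header over HTTP is ignored by browsers")
        elif policy is None:
            findings.append("malformed HSTS header is ignored")
        elif policy[0] < min_age:
            findings.append(f"max-age {policy[0]} is below {min_age}")
        else:
            protected = True
    if not protected:
        findings.append("no effective HSTS policy; every visit can start over HTTP")
    return findings

# Constructed sample: a site that redirects HTTP to HTTPS, as the article describes.
CHAIN = [
    ("http://shop.example/", {"Location": "https://shop.example/",
                              "Strict-Transport-Security": "max-age=31536000"}),
    ("https://shop.example/", {"strict-transport-security": "max-age=300; includeSubDomains"}),
]
if __name__ == "__main__":
    for finding in audit_chain(CHAIN):
        print(finding)
```

An empty result means the chain started on HTTPS and carried a valid policy at or above the threshold.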
Second: Bad guys are now using HTTPS for their own purposes. According to a recent report by A10 Networks and Ponemon Institute, nearly half of cyberattacks on businesses in the past year involved malware concealed in encrypted traffic. Today, attackers leverage HTTPS to protect their malware command and control (C&C) communications and they sometimes use HTTPS to deliver malicious executables to new victims. In both cases, typical security technologies, like antivirus or botnet detection, may not catch these threats if they can’t see within this encrypted traffic. Since malware hidden via HTTPS is invisible to legacy security controls, organizations need security solutions that can inspect HTTPS traffic to weed out these camouflaged attacks.
So, while continued growth in HTTPS usage is a goal the entire security industry can get behind, it’s important to remember that nothing is 100 percent bulletproof in the world of infosec. Keep in mind that attackers are constantly on the lookout for ways to circumvent and appropriate even the latest and greatest security measures.