HTTPS What is it good for….

Quite a lot really, I know that’s not how the song goes but, HTTPS, the common abbreviation for Hyper Text Transfer Protocol Secure, is a requirement of all sites you visit, and really you should be questioning the authenticity of any site without it. Even if you are not logging in or giving over payment details, it is important for a number of reasons.

What really is it?
HTTP, or the Hyper Text Transfer Protocol, is the protocol of the web, it is how web pages are delivered to you, it is stateless, which means that each request is independent of another (essentially you arrive on the site and the server and request a page and the server responds, you click on a link to get another page and as far as the server is concerned you are a completely new person). One thing you should always be aware of is that the information sent over HTTP to the server and back to you is plain for anyone to see, read or modify.

HTTPS is end-to-end encrypted HTTP traffic using TLS (Transport Layer Security) or SSL (Secure Sockets Layer). Both the TLS and SSL protocols use what is known as Public Key Cryptography. An asymmetric system uses two ‘keys’ to encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa. As the name suggests, the ‘private’ key should be kept strictly private and should only be accessible the owner of the private key. In the case of a website, the private key remains securely held on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.

When you request an HTTPS connection, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then initiate the SSL handshake. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website. At this point, the certificate is checked against a certificate authority to check that it is valid and you are really communicating with the website you think you are communicating with.

HTTPS protects more than just form data! HTTPS keeps the URLs, headers, and contents of all transferred pages confidential. Any website that requires login credentials should be using HTTPS. In modern browsers such as Chrome, sites which do not use HTTPS are marked differently than those that are, in April 2018, Google Chrome has started flagging all non-HTTPS websites as insecure, which they are because your information is not protected between the server and the end user over HTTP.

You’ll hear a number of arguments against using HTTPS, most of which are based on old information or are just plain wrong.

I don’t have anything sensitive on my site. It is just a static HTML page.
The internet is not just your computer connected to their server, there are a lot of other pieces of hardware, organisations, and governments, in-between, such as your coffee shop, their Internet Service Provider, a government (not necessarily yours). Do you really want someone injecting scripts, images, or ad content onto your page so that it looks like you put them there? Or changing the words on your page? Or using your site to attack other sites? HTTPS prevents all of it. It guarantees the integrity of the data and the ability to detect tampering.

Think this doesn’t happen? The massive DDOS hack that hit GitHub a few years ago which was linked back to HTTP injection of the┬áBaidu Chinese search engine’s Analytics JavaScript, if the pages were served over https then the code would have been protected.

HTTPS certificates are expensive
No, letsencrypt provides certificates free of charge. This used to be the case 10 years ago, but most certificate issuers now provide HTTPS certificates free of charge, and the ones that do charge are only charging for support or administration.

HTTPS is slow
This was because the server had to do more work, to encrypt the data, but this argument is no longer valid. In fact with the invention of HTTP/2, due to the compression that it offers, HTTPS is now faster than HTTP.


We hash our passwords and encrypt our data at rest.
Great! But what about when it travels between the server and the visitor to your site. Don’t get me wrong, this is good security practice, to encrypt your sensitive data but only protects data at rest. If you are not using HTTPS, your data is transmitted as plain text for anyone to read.

Attackers can still impersonate my website, even if I use HTTPS.
They can certainly try, this is the reason for Certificates, to make sure you are communicating with is authentic, i.e. is who you think you are communicating with. If attackers present a mismatched or invalid TLS certificate. And if the attacker does not use HTTPS at all, browsers should mark the imposter page as insecure.

Phishing sites use HTTPS
Yes, so what, does that mean you shouldn’t use it yourself?!

HTTPS impacts SEO.
Yes that’s correct, in most cases it improves it. Google ranks HTTPS sites higher than non-protected sites.


This one is obvious, use HTTPS everywhere, question sites which don’t have it, do they really care about security? Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser, so it has been around for over 20 years, during that time it has been tested and improved. It is free and simple to implement and has well and truly passed the tipping point of adoption according to the most recent Google statistics 91% of all pages loaded through Chrome were using HTTPS. So ask yourself again, why would you not do this!

Why Building security backdoors into software is a bad idea

This should be obvious, but on the surface, to reasonable people, this seems reasonable. If bad people are doing bad things and the police can get enough evidence to approach a court, they can get a wire-tapping order, which will allow them to intercept any communications in the mail, or telephone that will allow them to gather evidence against the criminals.

TLDR; the basic idea is flawed and it puts individuals at risk.

This seems like an invasive but reasonable approach to protect public safety, and why software should be different? Why should there not be a master key that opens the encryption locks that criminals are using to conduct their nefarious activities? It is just those pesky software companies preventing the police from protecting us from criminals, who want to do us harm. We should make them change and allow the police to view these hidden communications. This seems reasonable, at least until you think about it.

This basic premise assumes that the ones controlling the master key or even the company that makes the software are infallible, there could never be any bugs, and there could never be anyone in those organisations who could be bribed or coerced to reveal the key, an overworked, stressed, or sleep-deprived individual could never mishandle it. This is building an intentional flaw in a defence, like the infamous drain in Helms Deep from the Lord of the Rings.

and that ended well for the men of Rohan.

This also assumes that the organisation that wants the protection can instruct the organisation that makes the software to make this weakness, and that criminals would not just use something else. True the government could restrict sales of the software to disallow the sale of software without the backdoor in force, but again this assumes that criminals are only going to use software that is legal within that region, because of course criminals are well known for following the law. The basic idea is flawed and it puts individuals at risk.

Joking Hazard Kickstarter by Cyanide And Happiness

From the creators of Cyanide & Happiness comes a card game where players compete to finish an awful comic strip.

Joking Hazard

Cyanide And Happiness

“If you like Cyanide and Happiness, youu will love this game. It gives you the feeling of being one of the creators without the burden of actually having to be funny yourself.”

– Max Temkin, co-creator of Cards Against Humanity and Secret Hitler.

Ends: Thu, Mar 10 2016 Status: Funded

If you are the sort of person that enjoys rude humour, perhaps you have played Cards against Humanity and thought to yourself “My ability to describe things is rubbish I want pictures to make sure there is no misunderstanding about what I really mean”, perhaps you are just a fan of the comic series.

Visit the kickstarter and consider pledging to this campaign. I know I will be.

New Battlefleet Gothic: Armada Narrative Trailer

Today Focus Home Interactive released a new narrative trailer to launch their pre-orders of the game and it looks awesome.

Also until Friday, 29 January 2016, 18:00 GMT they Games Workshop are running their midweek madness sale which is offing 10% off the retail price of this game and upto 90% off some of their other titles, so it is well worth a look.