Justification for encrypting all web traffic

Silverfox 2015-09-03 06:01:35 UTC #1

Hello guys
I've recently been introduced to this project and I've been active in this field for some time. I work in security field and most of my customers are from. banking and payment industry.
There are two things that I find frustrating, first my customers, mosyly have all their pages in http(even the link to the login page) and only the payment or internet banking pages are delivered over https. But when giving a talk most of the time I cant convince them to use https all over their site, they see the MITM scenario as a very rare case and dont really bother with that.
Also when saying that the articles you read over http, your search queries and all your behavior can leak important information about you they seem to not care(they dont see it as a big deal)
I Wanted to share it with this community and use your experiences, thoughts and rationale te be able to present this problem in a better and more convincing fashion.

eva2000 2015-09-03 06:51:53 UTC #2

Yeah it would be nice to have more articles illustrating specific concrete real world examples of the benefits of HTTPS from a security point of view.

NOYB 2015-09-03 09:00:19 UTC #3

Even Google (@ 1:46)

If this doesn't scare them to death they are not qualified to be running a financial institution web site. And they certainly don't have their customers best interest at heart.

eva2000 2015-09-03 09:13:44 UTC #4

A Linode employee wrote this article on their forums at https://forum.linode.com/viewtopic.php?f=23&t=12230

Article link https://felicianotech.com/blog/always-on-ssl-what-it-is-and-why-you-should-implement-it/

ac000 2015-09-03 19:47:19 UTC #5

I used to be pretty dubious about this "all http traffic should be encrypted talk".

However, the best argument for it I've seen is the dodgy ISP inserting god knows what crap into your website.

I want people to view my (albeit simple) website how it is. Not with who knows what tacked onto it that viewers might think I put there.

NOYB 2015-09-03 21:29:55 UTC #6

Important web sites alarmingly still http:
https://www.youtube.com/v/0JioB7rNpvI&start=65&end=106&autoplay=1&modestBranding=1&rel=0&showinfo=0

Even Google (example injection; fake sign-in)
https://www.youtube.com/v/0JioB7rNpvI&start=106&end=159&autoplay=1&modestBranding=1&rel=0&showinfo=0

Privacy Advocates and Web Security Folklore:
https://www.youtube.com/v/OZyXx8Ie4pA&start=102&end=219&autoplay=1&modestBranding=1&rel=0&showinfo=0

Just a Few Examples:
https://www.youtube.com/v/OZyXx8Ie4pA&start=219&end=343&autoplay=1&modestBranding=1&rel=0&showinfo=0

Librarians Understand Importance of Reader Privacy
(even for public information)
https://www.youtube.com/v/OZyXx8Ie4pA&start=343&end=419&autoplay=1&modestBranding=1&rel=0&showinfo=0

Content Based Censorship Built Into Networks:
https://www.youtube.com/v/OZyXx8Ie4pA&start=419&end=454&autoplay=1&modestBranding=1&rel=0&showinfo=0

Content Injection, Tacking Headers, Tampering:
https://www.youtube.com/v/OZyXx8Ie4pA&start=454&end=483&autoplay=1&modestBranding=1&rel=0&showinfo=0

Silverfox 2015-09-03 21:54:45 UTC #7

How dangerous do you think it is for a bank to deliver its homepage over http, how prevalent can mitm scenarios be? be it a malicious user or a technician at ISP level. Do you think the case of using http for non login pages which may contain links to https login pages(same concept as google ads demo in the video above) should be brought up as a security risk and payment institutions should be forced to use https all over the place? or it should just be their choice to use https for non login and payment pages?

schoen 2015-09-03 21:57:37 UTC #8

Hi @Silverfox, one example that might be interesting to financial industry sites is the way that a network adversary can rewrite links on the page so that even if the payment pages are HTTPS, a user would be tricked into going to a non-HTTPS version (or a fake site).

A comparatively low-effort version of this is automated SSL stripping, described by Moxie Marlinspike.

http://www.thoughtcrime.org/software/sslstrip/

So, even if part of the site is "supposed to" be HTTPS-only, if a user starts interacting with the page in HTTP, a network attacker can rewrite all of the links so that they're still apparently HTTP, and then proxy the requests so that the HTTP redirects that the site sends are hidden from the user. This attack is extremely effective, and is part of the motivation for HSTS.

People might think that this sort of attack is rare, and I agree that phishing is a more common vector for financial fraud today than network attacks. But it's very easy to go to some public place and create a "Free Public Wifi Network" that other people will use, and it's also quite possible to compromise a lot of public wifi routers. So I think it's credible that the prevalence of these attacks will increase over time, especially if sites fail to adopt HTTPS.

eva2000 2015-09-04 05:41:03 UTC #9

Was reading about http://www.businessinsider.com.au/wikipedia-suffers-decline-in-traffic-2015-8

Wikipedia has lost about 300 million monthly desktop readers since the beginning of the year, according to a new analysis from Similar Web, an internet traffic analysis company.

The decline appears to have happened following Wikipedia’s switch from delivering its pages in HTTP format to HTTPS, Similar Web and Wikipedia both say. HTTPS is a more secure, encrypted website publishing format, and it prevents bots from crawling Wikipedia and creating fake pageviews.

And, just to reiterate, the decline from Google appears likely to be linked to the adoption of HTTPS, which reduces the number of fake clicks, and NOT because Google has somehow downranked Wikipedia.

riking 2015-09-04 05:57:21 UTC #10

I find that unlikely; more likely is that the robots are requesting the plain HTTP pages and not following the upgrade redirects. If Wikipedia was always HTTPS to begin with that would not be a problem

eva2000 2015-09-04 06:28:09 UTC #11

maybe, but still a pro for switching to HTTPS

cognish 2015-09-07 07:39:25 UTC #12

I do not expect your finance industry clients to care but my personal favourite reason for encrypting all web traffic comes from Bruce Schneier who "urges people to 'make surveillance expensive again' by encrypting as much Internet data as possible."

Beyond making it harder for the NSA et al to harvest our thoughts, relationships, etc, there are more subtle benefits. An example from Schneier: "If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. [...] Every time you use encryption, you're protecting someone who needs to use it to stay alive."

eva2000 2015-09-07 12:00:13 UTC #13

interesting never thought about encryption benefits in such a way !

Flar 2015-11-19 16:52:29 UTC #14

files reach your computer over the Internet go through many intermediaries. in theory those intermediaries could for instance insert JavaScript that exploits your computer or identifies you uniquely.

there was recently a case of a very large ISP from I think Canada that was inserting ads at the top of each and every webpage that their users saw.

there was also of a case of large Indian ISP that was inserting actual spyware somehow...

gluejar 2015-11-19 21:21:26 UTC #15

I think the internet cafe man-on-the-side attack should be really scary for your banking customers. See "QuantumInsert". http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

pfg 2015-11-19 21:51:55 UTC #16

Comcast, biggest ISP in the US, injects javascript into pages to deliver copyright alerts.

This can't come soon enough.

mholt 2015-11-19 22:44:13 UTC #17

Also tell your customers that their sites will soon be broken in most major browsers and there's nothing they can do about it except use HTTPS.