Why HTTPS Matters for Busy Folks
This is my second blog post explaining the concepts of HTTPS. I will focus on the importance of HTTPS and how it affects the internet.
My previous post, PKI for Busy Folks, looked at the concepts of certificates and PKI. While it tries to simplify, it still contains plenty of technical detail that you should not need to know. Here I will focus on the role of the different parties and how they can change our online behavior.
The Role of Web Browsers
If we want to use the internet, we need a web browser. A relatively small number of web browsers (listed below with their approximate market share and vendor) have the power to force changes in our behavior.
- 65% - Chrome / Google
- 16% - Safari / Apple
- 4% - Firefox / Mozilla
- 3% - Samsung Internet / Samsung
- 3% - UC Browser / UCWeb
- 4% - Edge, Explorer / Microsoft
- 2% - Opera
It is ultimately the web browser that will decide whether a given website is safe and secure or whether it will show a danger page.
(Screenshot: Mozilla Firefox warning that it detected an insecure website.)
If a web browser does not recognize an HTTPS certificate, or if the certificate is invalid (e.g., expired), it will prevent you from accessing the website.
What About Mobile or Internet Apps?
The purpose of many mobile apps is to simplify the use of the internet. They depend heavily on the operating system (iOS, Android, etc.) to help with the internet connectivity.
In my experience, most apps don't expect invalid HTTPS and can't handle it. If that happens, e.g., because of an expired certificate, the app fails to work correctly. I wrote about one of my experiences with cashless parking a couple of years back.
How Does a Web Browser Recognize a Valid HTTPS Certificate?
Web browsers depend on lists of "trusted third parties", also called Certification Authorities. Such a list (the trust store) holds root certificates that the web browser and/or the operating system trusts implicitly.
Market share of OS: 38% Android (Google), 36% Windows (Microsoft), 15% iOS (Apple), 9% OSX (Apple), 1% Linux.
These lists are controlled by the vendors of the platform your phone or computer runs (Microsoft for Windows, Apple for OS X, the Linux distributions, Google for Android). The browser can restrict the list further.
If, for example, Google decides that one of the trusted parties is no longer trustworthy, its removal will be included in the next upgrade. As a result, all websites using that third party will be shown as insecure in all Chrome browsers. That happened to Symantec back in 2018.
The Role of Search Engines - SEO
Major search engines have recently started using the presence of HTTPS on websites as an indicator in their ranking algorithms. This includes Google Search.
It has a fundamental impact on all of us with an internet presence. If we don't use HTTPS, our websites are ranked below our competitors. That means less traffic, less business, and lower revenue.
"Insecure Content" Message
HTTPS is a must for websites that combine their own content with content provided by other websites or web applications. If you have an online chat button, a contact form, or a button for a payment service, all of them have to be loaded over HTTPS. If any of this third-party content is insecure, the whole website may become inaccessible. Chrome, the most popular browser, will start blocking such websites, possibly from July 2020.
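As an added example (not code from the original post), here is a small scanner for the insecure-content problem just described: given the HTML of a page that is itself served over HTTPS, it lists every sub-resource that points at a plain http:// URL and labels it the way browsers classify mixed content. The sample page and its hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that fetch or submit to a sub-resource; a navigational
# <a href> is not mixed content, so it is deliberately absent.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src", "video": "src",
    "source": "src", "embed": "src", "object": "data", "link": "href", "form": "action",
}
# W3C Mixed Content: images, audio and video are "optionally blockable"; scripts,
# stylesheets, frames and plugins are "blockable". An http:// form target is not a
# fetch, but browsers flag it on submission, so it gets its own label.
CATEGORY = {"img": "optionally blockable", "audio": "optionally blockable",
            "video": "optionally blockable", "source": "optionally blockable",
            "form": "insecure form target"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, category)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # Only an absolute http:// URL is mixed content; relative and
        # scheme-relative (//host/...) URLs inherit the page's https scheme.
        if url and urlsplit(url.strip()).scheme.lower() == "http":
            self.findings.append((tag, url.strip(), CATEGORY.get(tag, "blockable")))

def find_mixed_content(html):
    # Returns [(tag, url, category)] for every http:// sub-resource in the page.
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: an HTTPS page embedding a third-party stylesheet, chat
# widget, image and payment form, alongside references that are not mixed content.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="//cdn.example/analytics.js"></script>
</head><body>
<img src="/logo.png"><img src="http://images.example/banner.jpg">
<script src="http://chat.example/widget.js"></script>
<form action="http://pay.example/checkout"></form>
<a href="http://partner.example/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, category in find_mixed_content(SAMPLE_HTML):
        print(f"{category:22} <{tag}> {url}")
```

Run against the sample page it reports the stylesheet, chat script and payment form as blockable or flagged, the banner image as optionally blockable, and ignores the relative, scheme-relative and navigational links.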
Does HTTPS Impact the Resilience of the Internet?
The short answer is: yes, it does. While there are millions of websites and thousands of internet providers, there are only a handful of web browsers and scores of Certification Authorities. I believe that HTTPS has become the most important aspect, or risk, in internet resiliency. To demonstrate: back in February, Let's Encrypt revoked 3,000,000 certificates. While the actual impact was much smaller (only thanks to the timing of events), this incident had the potential to take that many websites and internet services down with less than 24 hours' notice.
- If a web browser stops accepting a particular Certification Authority, it can impact millions of websites using that Certification Authority.
- If a Certification Authority revokes your certificate, your website becomes instantly inaccessible.
- If a Certification Authority revokes its own certificate, all websites using that certificate will become instantly inaccessible.
In terms of market share, "Let's Encrypt" is a company that provides HTTPS for 50-60% of the internet. It has 13 staff, and its budget in 2019 was around $3 million. In other words, this small not-for-profit company has the power to take down 60% of the internet by revoking its certificates.