February 3, 2014

Does your website offer encrypted HTTPS connections to visitors? Do you use HTTPS by default for administrative logins or lead-generation forms? You may not think you need HTTPS if you just run a brochure marketing site and aren't asking for credit card information, but you might be putting both your site and your users at risk if you don't.

The end of privacy?

Until recently, most people tended to think that nobody would bother listening to their online communications – their digital traffic may not have been secure, but it was assumed to be obscure, or at least of little interest to anyone else.

But we now know that's not the case. We increasingly lead our lives online; our personal, professional and financial details, interests and communications all pass through it, and much of that is information we might not want everyone else in the world to know.

We also now know that both criminals and governments actively seek to acquire such information, and can often use it in surprising ways to do far more damage than we might have realized. There is a continuing litany of websites being hacked, exposing users' personal and financial information in the process, and increasing awareness of national spy and law enforcement agencies mass collecting, storing, indexing and collating everyone's online activities and communications.

Web giants such as Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo have recognized this and started securing all connections to their sites (as well as between their internal servers), but many smaller sites (and mobile apps) lag in adopting encryption.

Our online communications are no longer assumed to be obscure, so to maintain privacy they must become secure.

Dangers of unencrypted communications

How might the lack of encryption on your website be a danger to privacy and security?

1. Getting inside your network

When you log into your site, your login credentials are easy to intercept if not encrypted with HTTPS. The "password" field may show only circles in your Web browser, but your actual password is transmitted "in the clear" across the Internet for anyone to see. Criminals can access that traffic in a number of ways, including monitoring WiFi connections (even locked and encrypted ones, which are depressingly easy to break into using automated tools), having an inside position at an Internet service provider or backbone network, or hacking into routers across the Internet so they can watch the traffic that flows across them.

With your password, attackers can log into your site (as you!) and possibly deface it, send spam from your email server, insert spyware or adware into your Web pages to infect or track your site's visitors, host files for download from your server, or siphon off other private information. Getting inside your server also gives attackers a privileged position to hack into the rest of your network and the computers connected to it.

Even if your password is encrypted during the login process, if the encryption does not continue the entire time you are logged in, attackers can still log in as you by copying the cookie that maintains your browsing session.

Many of the more serious breaches we hear about start with an initial break-in through a public website, either by exploiting a flaw in the code or by acquiring login credentials. While there are other ways to break into a site than by monitoring network traffic, there's no good reason to make it easier for criminals by leaving your network traffic exposed.

2. Exposing passwords for other sites

Acquiring passwords, in conjunction with usernames or email addresses, allows attackers to try the same combinations on other sites, since so many people reuse the same passwords around the Internet. For instance, passwords from another site may have been used to attack Yahoo email accounts. Once confirmed as usable on various sites, lists of usernames and passwords are sold for criminal use at prices ranging from a few cents to hundreds of dollars per password, depending on what they unlock.

As a result, encrypting passwords in transit may be even more important than securing credit card details (since card numbers are easily changed, fraud is often detected quickly by banks, and liability is limited). This goes for any users' passwords, not just those with administrative access to your site. You may not think your blog's comment form is worthy of encryption – after all, the comment is public, and you might not collect anything aside from email and password – but that password may unlock the person's other accounts across the Internet. It's a disservice to your site's visitors to expose their passwords simply by visiting your site and commenting on a blog post.

3. Spear phishing

Even seemingly innocuous information, such as business phone numbers and email addresses, can be valuable to attackers. This information can be used for "spear phishing" attacks (relevant, personally-addressed messages from a seemingly trustworthy source, such as your own company) or other forms of social engineering.

Such messages may have malware attached, which gives attackers access to a user's computer just by clicking a link or opening a file (which might look like an interesting PDF from your company) – links people may be more likely to click if they're already expecting you to contact them in response to filling out a form on your site. Or they could link to a form on an official-looking website requesting more information, or start an email conversation with the target. Even if your site isn't a juicy target to attackers, important visitors to your site might be.

Visitors to your site might be OK with giving you their email address and phone number, but that doesn't mean they want everyone else snooping on it. People with privacy concerns may choose not to fill out your lead-generation form if it's not secure, so you can increase conversions simply by using HTTPS.

Moving to universal encryption

The Internet is undergoing a transition from being mostly insecure to becoming entirely encrypted. While it may be a few years before most Web traffic uses the always-secured HTTP 2.0 (based on Google's SPDY protocol), more and more companies are upgrading their security. If your company is not, Information Week advises you to do so. At the least, any login screens or forms requesting personal information should always be encrypted.

One reason for resistance could be concern over increased cost or slower performance, but when Google switched Gmail to 100% HTTPS, using no new or specialized hardware, they found that encryption accounted for less than 1% of CPU load, less than 10 KB of memory per connection and less than 2% of network overhead.

Building trust with privacy and security

As more sites "go HTTPS", with their websites gaining the "lock" icon and green seal of safety in Web browsers, sites lacking HTTPS will increasingly seem old-fashioned and untrustworthy by comparison. And no company wants the liability, bad publicity, distraction and wasted time and money associated with having its website hacked or compromising customer privacy. Using HTTPS to secure all logins and requests for personal information is one step you can take to build trust and help protect against breaches. The Web is heading in that direction anyway, so there's little reason to be behind the curve instead of ahead of it.

My recommendation: enable HTTPS on your site, and make it required for all logins and forms (if not the whole site).

While enabling encryption can present challenges and take some time to get right (particularly when dealing with cloud hosting, CDNs, lead-generation partners, and ad networks), it's better – and cheaper – to start now than wait until it's too late.
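One way to check a page against the recommendation above and against the session-cookie risk described under "Getting inside your network" is sketched below. It is an added example, not code from the original article; the function names, the list of sensitive input types and the sample page and cookies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
SENSITIVE = {"password", "email", "tel"}  # input types worth protecting (assumed list)

class FormAudit(HTMLParser):
    """Record sensitive forms whose page or submit target is not HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.form, self.findings = page_url, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self.form = {"target": target, "sensitive": False}
        elif tag == "input" and self.form is not None:
            if (a.get("type") or "text").lower() in SENSITIVE:
                self.form["sensitive"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self.form is None:
            return
        form, self.form = self.form, None
        # The page must be HTTPS too: a form sent over HTTP can be altered in transit.
        schemes = {urlparse(self.page_url).scheme, urlparse(form["target"]).scheme}
        if form["sensitive"] and schemes != {"https"}:
            self.findings.append(form["target"])

def insecure_forms(page_url, html):
    audit = FormAudit(page_url)
    audit.feed(html)
    return audit.findings

def cookies_missing_secure(set_cookie_headers):
    """Names of cookies a browser would also send over plain HTTP."""
    missing = []
    for header in set_cookie_headers:
        name_value, *attrs = [p.strip() for p in header.split(";")]
        if "secure" not in {a.split("=", 1)[0].lower() for a in attrs}:
            missing.append(name_value.split("=", 1)[0])
    return missing

# Constructed sample input, not taken from any real site.
SAMPLE_HTML = """
<form action="http://example.com/session"><input type="password" name="pw"></form>
<form action="/subscribe"><input type="email" name="e"></form>
"""
SAMPLE_COOKIES = ["sid=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]
```

Feed it the HTML and `Set-Cookie` headers from your own login and lead-generation pages; any form or cookie it returns is one that can still travel unencrypted.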