One of the sessions featured at this year’s Velocity conference in Santa Clara is titled “HTTPS in 2015,” and it’s likely to cause most web engineers to recall Heartbleed and other recent SSL/TLS security issues. But does HTTPS really matter beyond protecting web logins, user accounts and traditionally secured content?
Eric Lawrence, former security program manager for the Internet Explorer browser, says it does.
“We're seeing more and more cases where intermediaries - whether it's your Starbucks wifi, or your GoGo inflight wifi, or even your ISP - where the network operator is doing things to change your experience of the web. Whether it's injecting ads or trying to capture network errors and deliver you something different.”
And not all of it is intentionally designed to change the user experience you’re intending to deliver. Some of it is just a misunderstanding about how the web works. He sees it happen with WebSocket, an HTML5 feature that allows bi-directional traffic over a connection that starts out as HTTP.
“We found that when you try to deploy that on connections that haven't first been secured by HTTPS, a sizable number of those connections will actually fail because the intermediary has done something to the traffic to break it. They're expecting the normal request/response pairs for HTTP traffic and when they don't see that, they fail in some way. They're making an assumption that they're just going to see HTTP traffic,” he says.
But WebSocket isn’t the only new technology to be impacted.
“When you have HTTP/2 traffic going through such a connection, it will fail as well. As a consequence, HTTP/2 really isn't very deployable without using HTTPS,” he says.
He also notes that while it’s not required by the HTTP/2 standard itself, most browsers require sites to use HTTPS in order to speak HTTP/2. This is bringing security to the forefront as web performance gains more attention, but it often causes misunderstandings about the performance cost of HTTPS itself.
“There are sites out there that are drawing a conclusion that's a little bit misleading to folks. What they'll do is have a site that has two hundred images on it and they'll download that over normal HTTP and then they'll download it over HTTP/2 over a TLS connection. They'll say, ‘Hey look, HTTPS is actually faster than HTTP!’ The answer is well, yes, but only because you're really using HTTP/2. HTTP/2 is what's really putting in the performance aspect and TLS or HTTPS is what's making that practical.”
It's a little bit misleading, and while the technical details aren’t correct, he’s happy with where the discussion is headed.
“It's a lie in service of a larger truth; and that larger truth is that when you couple HTTPS and HTTP/2 together you get both much better security and improved performance for the sites and scenarios that people really do care about. Ultimately it becomes a case where you shouldn't be thinking, ‘Why do we need to go to HTTPS?’ You should be thinking, ‘Is there some compelling reason that we really need not to go to HTTPS?’ That's where we're seeing the market moving.”
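The “two hundred images” comparison quoted above confounds two changes at once: the transport (plain vs TLS) and the protocol (HTTP/1.1 vs HTTP/2). The following round-trip model is an added illustration, not a measurement from the article or from Eric Lawrence; all of its numbers (6 parallel HTTP/1.1 connections, a 2-RTT TLS 1.2 handshake, a 1-RTT multiplexed HTTP/2 batch) are assumptions chosen to make the confound visible.

```python
"""Rough round-trip model of the '200 images' page load (constructed example).

Counts network round trips only, assuming small, latency-bound resources,
no pipelining, no TLS session resumption and no server think time.
"""
import math

RTT_MS = 50.0                # assumed round-trip time to the origin
PARALLEL_H1_CONNS = 6        # assumed browser limit of HTTP/1.1 connections per host
TLS12_HANDSHAKE_RTTS = 2     # assumed full TLS 1.2 handshake cost on top of TCP


def connection_setup_rtts(tls: bool) -> int:
    """TCP handshake (1 RTT) plus the TLS handshake when enabled."""
    return 1 + (TLS12_HANDSHAKE_RTTS if tls else 0)


def http1_page_rtts(n_resources: int, tls: bool) -> int:
    """HTTP/1.1: connections open in parallel, then each serves its share serially."""
    per_connection = math.ceil(n_resources / PARALLEL_H1_CONNS)
    return connection_setup_rtts(tls) + per_connection


def http2_page_rtts(n_resources: int, tls: bool = True) -> int:
    """HTTP/2: one connection, all streams multiplexed in a single round trip."""
    return connection_setup_rtts(tls) + 1


def compare(n_resources: int = 200) -> dict:
    """Page-load estimate in ms for the three configurations a fair test needs."""
    return {
        "http1_plain": http1_page_rtts(n_resources, tls=False) * RTT_MS,
        "http1_tls": http1_page_rtts(n_resources, tls=True) * RTT_MS,
        "http2_tls": http2_page_rtts(n_resources, tls=True) * RTT_MS,
    }


def tls_cost_same_protocol(n_resources: int = 200) -> float:
    """Isolates what TLS alone adds when the protocol is held fixed at HTTP/1.1."""
    r = compare(n_resources)
    return r["http1_tls"] - r["http1_plain"]


if __name__ == "__main__":
    for name, ms in compare().items():
        print(f"{name:12s} {ms:7.0f} ms")
    print(f"TLS overhead at fixed protocol: {tls_cost_same_protocol():.0f} ms")
```

With the assumed numbers, HTTP/1.1 plain and HTTP/1.1 over TLS differ by only two round trips, while HTTP/2 over TLS is an order of magnitude faster than either; a like-for-like benchmark would compare the first two, which is the comparison the misleading demos skip.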