Https provides validation and encryption, two important pieces of security. Using it for everything is possible but costly and issues would remain.
Why couldn't all websites that are genuine like microsoft.com or hotmail.com or yahoo.com be https?
They could.
Heck, I could do it for ask-leo.com as well, though I'm not that huge a target for phishing attacks.
There are some costs and some ramifications, though.
First, briefly, a reminder of what https (http-s) means:
Verification of the identity of the remote site. Https uses cryptographic "certificates" that allow the browser to positively confirm that the site you're connecting to is, in fact, the site that it claims to be.
Encryption of the data that flows between your browser and the remote site. All the data sent is strongly encrypted such that only the recipient can decrypt it to view its contents.
Verification and encryption: that's all https really does, but those are two very important and useful things.
As you might expect, web sites that will request sensitive information from you should be https. Banking sites, for example, should always have an https connection to enforce both identity verification (you really are connected to your bank), and data encryption (no one "listening in" will be able to see your information).
What's not as obvious is that https technology could be used in other ways.
For example, as you suggest, what if all downloads from microsoft.com were via an https connection? That way you could be absolutely certain that your download was coming from microsoft.com, and not some spoofed or phishing site.
There are a few problems with this as a blanket solution:
The biggest issue is that phishing and viruses don't actually use the microsoft.com domain. They use some other domain that somehow looks enough like microsoft.com to fool the casual user. For example, "microsoft.com.ask-leo.com" is a totally valid (though unimplemented) domain, and if you only read the first part, or if the rest were partially obscured, you might think you were going to microsoft.com when you weren't. The fact that microsoft.com might have an https connection means nothing if that's not where you're connecting.
Https is also easy to set up. As I've shown in an earlier article, https://ask-leo.com exists (though there's nothing there right now). I could get a real https certificate for it, and could even go so far as to make https://microsoft.com.ask-leo.com work. Particularly if I were overseas, the accountability that getting an https certificate requires might even be called into question.
People ignore errors. If you go to https://ask-leo.com you'll get an error message because it's not a real certificate. However, that can be bypassed. It likely would be in the case of someone who doesn't understand the potential ramifications, or someone in desperate need of whatever the link was supposed to provide. If a phishing site were to throw the same error on an https connection, enough people would still fall for it anyway to make it successful.
People don't look at http versus https. If you get an email that says "your download is at http://microsoft.com/...", how would you know that it was supposed to be at https? And would you even notice? How would a user know that https should be required? We've had years to get people used to "you need https for banking" and yet people are still phished and scammed every day.
There's also a cost for website owners for https to be done properly. https://ask-leo.com currently uses what's called a free "self signed" certificate, which means that while data on the connection is encrypted, there's no additional validation that the site you've connected to is, in fact, ask-leo.com. In order to get that level of validation (and remove the warning a visitor will experience), I as the site owner need to purchase what I'll call a "real" certificate, renewable and payable every year. The purchase process also requires that I prove ownership of the site and a certain amount about myself.
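The lookalike-domain and http-versus-https points above can be checked mechanically. The following is an added example, not code from the original article: it compares a hurried "starts with the familiar name" reading against a check that requires https and matches the host name label by label from the right. The function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links; only the host names come from the article.
SAMPLES = [
    "https://microsoft.com/download",
    "https://download.microsoft.com/file",
    "https://microsoft.com.ask-leo.com/download",
    "http://microsoft.com/download",
    "https://MICROSOFT.COM./download",
]


def naive_check(url, expected_domain):
    """A hurried reading: the host starts with the familiar name."""
    host = urlsplit(url).hostname or ""
    return host.startswith(expected_domain)


def belongs_to(url, expected_domain):
    """Return (ok, reason). ok is True only for an https URL whose host is
    expected_domain itself or a subdomain of it. Labels are compared from
    the right-hand end, because that is the end that decides who owns the name."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https"
    # Normalise case and a trailing root dot before comparing.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host name"
    want = expected_domain.rstrip(".").lower().split(".")
    if host.split(".")[-len(want):] != want:
        return False, "host " + host + " is not within " + expected_domain
    return True, "https and host within " + expected_domain


def report(expected_domain="microsoft.com"):
    """One (url, naive verdict, strict verdict, reason) row per sample."""
    return [(u, naive_check(u, expected_domain), *belongs_to(u, expected_domain))
            for u in SAMPLES]


if __name__ == "__main__":
    for url, naive, ok, reason in report():
        print(f"{url:45} naive={naive!s:5} strict={ok!s:5} {reason}")
```

The strict check only says that the link names the expected site; the browser's certificate validation is what confirms that the server answering really is that site.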
All this isn't to say that https doesn't serve its purpose - it does. As I said, it remains critical to validate your connections when you pay attention, and it keeps your data safe from prying eyes when used.
And it's very possible that we may see more sites move to https as a connection mechanism, particularly when offering even marginally sensitive information. I know I appreciate it when I see it. But widespread adoption to actually prevent phishing or other forms of deception, while possible, would require some truly Draconian measures along the lines of browsers requiring only valid certificates with no workarounds, and perhaps even requiring only https connections, period.
That's just not likely to happen any time soon.
Article C3598 - December 21, 2008
The above are good points. Though I believe it's primarily cost that prevents sites from using it. Cost in that the website owner has to purchase the certificate, though those have gotten to be relatively cheap (they used to cost thousands of dollars a year, now you can find them for $30/year). Another added cost in that each HTTPS site must have a dedicated public IP address. Most websites use shared hosting where there are hundreds or thousands of sites sharing a single IP, using host headers to differentiate. Host headers aren't compatible with HTTPS. Having a dedicated public IP for each site would raise the hosting cost. Also HTTPS increases the server load because it must encrypt and decrypt all traffic. That again leads to higher hosting costs because the provider can't load up as many sites on a single server, so each customer would have to pay a bigger chunk of the server hardware costs.
Posted by: Chris Buechler at December 21, 2008 3:48 PM
I agree with everything in Chris Buechler's comment.
Posted by: Ashraf Sabry at December 23, 2008 9:35 AM
And I think that it's the encryption overhead which makes it impossible to make all the web sites use https.
You say that it's negligible compared to the power of contemporary machines, but this overhead when multiplied by the number of connected users will be something notable, while we already have a lot of web sites that employ complicated frameworks (such as ASP.Net) which have overheads of their own.
Can we download from yahoo.com or gmail.com to outlook express or any other client?
Posted by: Junti at December 23, 2008 8:14 PM