Back in 2014 when Google announced that HTTPS would become a ranking signal, many website and web application owners made the jump from HTTP to HTTPS in search of a small rankings edge.
Along with the push to have more sites implement HTTPS came an increase in the use of language related to web application security. Many people began to associate HTTPS, incorrectly, with a website or web application that was more secure overall.
In this post, we’re going to try to confirm some of the truths and dispel some of the myths surrounding HTTPS — to help you understand in which situations HTTPS offers an appropriate solution and where it falls short.
Understanding the Basics of HTTP and HTTPS
HTTP stands for Hypertext Transfer Protocol, the request/response protocol by which browsers and servers exchange messages across the web. It defines what a browser asks for and how a server answers when you browse a website or a web application such as Facebook.
HTTPS is HTTP carried over an encrypted TLS connection (TLS is the successor of SSL, and most certificate vendors still use the older name). TLS encrypts the traffic between the end user's web browser and the server, authenticates the server through its certificate, and detects tampering in transit. HTTPS also uses a different default port (443) than HTTP (port 80).
In order to run a website or web application on HTTPS, you need to obtain an SSL/TLS certificate from a certificate authority. Depending on the certificate authority and the type of certificate, the requirements can vary greatly. Two broad categories are used outside of intranets. The easiest to obtain is a domain validation (DV) certificate: all that's required is proof that you own or control the domain, typically by answering a challenge at the domain or in its DNS. The other category is often marketed as a fully-authenticated certificate, which covers organization validation (OV) and extended validation (EV).
In order to obtain a fully-authenticated certificate, you need to verify ownership and authority over the domain in question as well as the legal name of the business and appropriate geographical information. Note that the validation level changes what the certificate authority checked about you, not the strength of the encryption: a DV certificate and an EV certificate protect the connection equally well.
There are many applications in which HTTPS is an appropriate solution to a very serious problem: safeguarding sensitive information while it travels between the browser and the server. It effectively reduces the risk of a variety of attacks, such as man-in-the-middle interception and tampering on untrusted networks. It's important to understand that even if you've implemented HTTPS for the right reasons, it's not infallible. HTTPS can be, and regularly is, undermined in practice: by expired or misconfigured certificates that users click through, by deprecated protocol versions and weak cipher suites left enabled on the server, by downgrade attacks that strip HTTPS from links before the user ever reaches the site, and by mis-issued or stolen certificates. To make matters worse, even companies with the best of intentions when implementing HTTPS fail to realize that the same data that is protected in transit also needs to be protected once it is stored on company servers.
The Ashley Madison breach is a recent example: the data that was exposed was taken from the company's systems, not intercepted on the wire. Safeguarding information in transit is a separate problem from developing a secure website or web application.
HTTPS Has Nothing to Do With Web Application Security
Many people ask: Does HTTPS make our website or web application more secure?
The simple answer is no, it does not. HTTPS secures information in transit, but it does nothing to secure the information that is stored on a server or to improve the security posture of the web application itself.
Although implementing HTTPS is a good idea wherever sensitive information is transferred back and forth, it's still entirely possible for a website or web application to be hacked. In fact, it makes no difference to an attacker whether or not your website uses a certificate: an attacker targeting the application sends requests over TLS exactly as a browser does, and the server decrypts them and hands the same payload to the application.
HTTPS does not protect against SQL Injection, Cross-site Scripting, Command Injection or any number of other attacks, because once port 443 is open, any request, malicious or friendly, is decrypted and reaches your application unchanged. If anything, encryption makes such payloads harder to spot on the network: an intrusion detection system that does not terminate TLS cannot see inside the request at all. In order to reduce the probability of your website or web application being hacked, it is necessary to test it for vulnerabilities in the same way that an attacker would, using a combination of manual penetration testing and an automated web application scanner.
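The following is an added example, not code from the original post. It simulates what the application sees after TLS has done its job: a decrypted form body, identical whether it arrived over HTTP or HTTPS. A string-built login query (login_vulnerable) is bypassed by a SQL injection payload in that body, while the parameterized version (login_hardened) treats the same bytes as plain data. The table, the user record and the request bodies are constructed sample data; the function names are the example's own.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample: an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Splices the submitted values straight into SQL.
    Whatever the browser sent, plaintext or decrypted TLS, becomes part of the query."""
    sql = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the values as data, so quotes and
    comment markers in the input can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def handle_login(conn, decrypted_body, handler):
    """Stands in for the request handler. TLS termination is already finished at
    this point; the body is the same bytes regardless of the transport."""
    form = parse_qs(decrypted_body)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    return handler(conn, username, password)


# Constructed request bodies (application/x-www-form-urlencoded).
LEGIT_BODY = "username=alice&password=s3cret"
# Decodes to username "alice' --": the quote closes the string literal and
# "--" comments out the password check in the string-built query.
ATTACK_BODY = "username=alice%27+--&password=whatever"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attack body :", handle_login(db, ATTACK_BODY, login_vulnerable))
    print("hardened,   attack body :", handle_login(db, ATTACK_BODY, login_hardened))
    print("hardened,   legit body  :", handle_login(db, LEGIT_BODY, login_hardened))
```

The fix is in how the application builds the query, not in the transport: wrapping the same vulnerable handler in TLS changes nothing about the result, and the encrypted request is, if anything, less visible to any network inspection in front of the server.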
HTTPS is One Small Part of Your Overall Security Posture
The purpose of this post is not to discourage the use of HTTPS. There are many instances where it's important, even critical, to encrypt information being transmitted between a user's browser and a server, just as there are many instances where it's critical to encrypt the information stored on a server.
But at the same time, you need to realize that transport encryption addresses only one part of your web application's security. Maintaining a strong security posture requires multiple approaches: automated web application vulnerability scanning, manual penetration testing and, yes, encryption of sensitive data, whether in transit or sitting on a server.