Senator Schumer Says Websites Should Default To HTTPS

from the security dept

There are plenty of websites where it absolutely makes sense for the default to be https, rather than http as the protocol (if you don't know -- and you should -- https encrypts the traffic, while http does not). Most banks and such already use https, but plenty of sites that don't involve financial institutions do not. Even sites like Google's Gmail only recently switched over to defaulting to https. Still, it's a bit of a surprise to see Senator Chuck Schumer announcing that major websites should switch to https, and it makes me wonder if he's preparing legislation on that. I'm not so sure that we want a law mandating https.

Separately, he seems to indicate that the lack of encryption with http is a "security flaw" that only really got attention in 2007. That's not quite true. I mean it's been well known that http isn't encrypted for much, much longer than that. And it's not so much a "flaw" as the basic way that http was designed. And, of course, whether or not websites use https, you can protect yourself with VPN encryption software or services, but it doesn't seem like Schumer wants to mandate that...


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Anonymous Coward, Feb 28th, 2011 @ 10:10pm

    VPN only protects you to the VPN computer, it doesn't protect you from the VPN computer to the website since the website itself likely doesn't have a VPN server. VPN can be useful if you're on an open wifi and you want to securely connect to your home internet connection and browse the Internet through your home connection, it'll protect you from your location to your home, but it doesn't protect you from your home to the website.

    HTTPS also costs more to implement.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Michael Long (profile), Mar 1st, 2011 @ 12:46am

      Re:

      "HTTPS also costs more to implement."

      Exactly. IIRC, the rule of thumb was that a web site could handle 100 HTTP requests for every 10 HTTPS requests.

      Is the good senator going to pay for all of the infrastructure upgrades he's mandating?

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        zegota (profile), Mar 1st, 2011 @ 4:49am

        Re: Re:

        I'd be ecstatic if the government paid for infrastructure upgrades. Oh well, since that will never happen, let's instead cut women's health funding and libraries/public radio to pay for unnecessary tax cuts and WAR! U-S-A! U-S-A!

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Mar 1st, 2011 @ 7:33pm

          Re: Re: Re:

          They can also give the money to big corporations that make big promises in return and never deliver. That always works.

           

          reply to this | link to this | view in chronology ]

  •  
    icon
    Miff (profile), Feb 28th, 2011 @ 10:13pm

    I seriously hope we don't get an HTTPS mandate law.

    Of course it would seem good at first, for the protection of the public; but one of the clauses will likely happen to be that self-signed certificates are nixed.

    And I ask how many web sites out there now don't use HTTPS or use insecure HTTPS because they can't afford a cert. :/

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Feb 28th, 2011 @ 10:40pm

      Re:

      A non patentable idea

      Why can't websites have their own "self signed" keys and have a search engine, like Google, search various websites for the keys and store them. When I want to connect to a website via a wireless connection, my laptop (which can securely connect to Google) verifies the website's authenticity with Google and, maybe, Yahoo to ensure that the keys that Google/Yahoo give me match with each other and that they match with the keys of the website that I am connecting to. Then, Google connects to the site and verifies the keys for me.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Feb 28th, 2011 @ 11:38pm

        Re: Re:

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        DoxAvg, Mar 1st, 2011 @ 3:10am

        Re:

        As an optimization, you could cache Google's verification in a cryptographically secure way by having Google publish their public keys, and sign the site's self-signed keys.

        Oh, look. We've just re-invented the Certificate Authority.

        The solution is to update HTTPS to have "Private HTTP", which still uses Diffie-Hellman for key exchange and privacy, but doesn't attempt to verify authenticity to prevent against a man-in-the-middle attack. This would protect all sessions from passive snooping (I'm looking at you, NSA; I'm looking at you, FireSheep) while not needing a central CA.

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Mar 1st, 2011 @ 9:09am

          Re: Re:

          "As an optimization, you could cache Google's verification in a cryptographically secure way by having Google publish their public keys, and sign the site's self-signed keys. "

          That's what I said. I know Google's/yahoo's public keys ahead of time because it's pre-built into my browser that I downloaded ahead of time (from a secure channel, presumably).

          I go on open wifi.

          I go on site with Https

          I check the key.

          I securely connect to Google and ask it what the key is

          Google goes to site

          Google checks key

          google securely tells me what the key is

          I see if what I'm getting from the site matches what Google is telling me.

          (the software does this automatically of course, transparent to the user).

          If they don't match, my browser alerts me with popups.

           

          reply to this | link to this | view in chronology ]

        •  
          identicon
          mirradric, Mar 1st, 2011 @ 10:33pm

          Re: Re: Already present

          The mechanism is already present in most browsers. Just accept the certificate despite the warning.
          In fact, as long as you have some other means to verify the certificate like a finger print distributed via signed email or a physical name card, you are relatively safe against the man in the middle attack.
          Further, most browsers will provide options to accept the certificate permanently. If you do that, you'll only need to do the verification/authentication manually only the first time and it should be smooth going the next time while providing about as much protection as using a CA. (no cert revoking but you can remove the particular cert from your trusted list if you know to no longer trust it)
          Hmm... Perhaps a social networking/crowd-source web of trust... hee hee

           

          reply to this | link to this | view in chronology ]

  •  
    icon
    gojomo (profile), Feb 28th, 2011 @ 10:27pm

    https://schumer.senate.gov/

    https://schumer.senate.gov/

    "schumer.senate.gov uses an invalid security certificate."

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Christopher (profile), Mar 1st, 2011 @ 12:19am

      Re: https://schumer.senate.gov/

      Not really Mr. Schumer's fault.... someone forgot to update the list of websites that security certificate could be used for sometime.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Feb 28th, 2011 @ 10:38pm

    Mandated HTTPS could mean the end of self-certificates, which is bad.

    I think a better way is informing the public and making then shun websites that don't use encryption end to end on everything.

    Heck HTTP is prone to:

    - Ad insertion by anyone along the way.
    - Snooping by anyone(i.e. law enforcement, the government, ad agencies, criminals, your neighbor)

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    DS, Mar 1st, 2011 @ 4:14am

    "it's a bit of a surprise to see Senator Chuck Schumer announcing that major websites should switch to https"

    It should NEVER be a surprise to see Schumer standing in front of a camera.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Hanging on to the Cluetrain, Mar 1st, 2011 @ 5:12am

    Why not just educate people?

    This is the same problem with trying to 'lock down' users in any network. Instead of going crazy trying to implement uber-net nanny, starting government black lists of websites and restricting people, just educate them! Major companies can offer 'lite' versions of their security software for free and the gov't can partner with them to educate people on how and why they should use them. Empowering people with knowledge makes more sense than chasing down a problem with byzantine mandates created by people who are clueless about technology.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Schmoo, Mar 1st, 2011 @ 5:24am

    HTTPS costs hosts to set up, and is way slower. If my site needs HTTPS then fine, no problem. Very often they don't, or only need it for a small part of the traffic the site receives. If you've ever used a site that puts all its images, javascript, css etc behind HTTPS, you'll know why this is a mind-numbingly stupid idea.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Mar 1st, 2011 @ 5:39am

    Don't know if this is related...

    But Ars Technica just ran a story about a cable ISP that's using DPI gear to inject ads on web pages (they have screen shots of the Google home page with said ad injected). One of the ways to defeat this is, of course, if the website in question were to use https.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Mar 1st, 2011 @ 5:42am

      Re: Don't know if this is related...

      *facepalm*

      I read both of these sites so much they start to blur together. Of course that story was run here on Techdirt. :(

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    V, Mar 1st, 2011 @ 6:24am

    Yet another...

    Yet another techno-idiot deciding policy for those of us who understand.

    If he has a problem with HTTP, then he should take it up with the Creator directly - I'm sure Al Gore will explain why he created the internet with HTTP instead of just HTTPS...

    /sarcasm off

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    minijedimaster (profile), Mar 1st, 2011 @ 6:39am

    How much you want to bet the esteemed senator just bought a bunch of stock in a digital cert company

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Dean Landolt, Mar 1st, 2011 @ 6:43am

    @Mike

    While you're right that encryption was left out of HTTP by design (for the caching benefits) it was relatively recently (even later than 2007) that it become obvious that HTTPS was more than just a best practice for any web application where users log in.

    Before tools like firesheep [1] came on the scene it was generally assumed that simply encrypting the login exchange was sufficient. I'm pretty sure I remember you mentioning firesheep in a story so you ought to be aware of this but it sounds like you may have missed the wider implications.

    RE: vpn, as pointed out by the first Coward, your statement is not quite true. It _will_ however help you in a proximity-based attack (e.g. coffee shop wifi + firesheep).

    [1] http://codebutler.com/firesheep

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Mar 1st, 2011 @ 7:54am

    SSL cert lobby?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      PrometheeFeu (profile), Mar 1st, 2011 @ 9:20am

      Re:

      Meh. Maybe if the cert lobby gives him money he won't need money from the RIAA. I don't mind lobbyists bribing (I mean contributing to the campaigns of) elected officials. I just have a preference for some lobbyists doing it and not others.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Ccomp5950 (profile), Mar 1st, 2011 @ 10:14am

    After making these comments he is going to be approached by every "domestic spy agency" (FBI, CIA, DEA, ICE) telling him how encryption will hurt their ability to get their job done.

    If he actually proposes the law and it builds traction he will probably be shot from a book depository.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    rudy yniguez, Mar 1st, 2011 @ 6:24pm

    https

    chuck shumer is a mental midget

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    rudy yniguez, Mar 1st, 2011 @ 6:24pm

    https

    chuck shumer is a mental midget

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This