Internet Security Exploration: Is HTTPS Truly Safe, and Is Its Use Essential? (Final Installment)
The Early Days of Web Browsing Security: Unencrypted and Simple
The early years of web browsing security, spanning from 1990 to 1995, were a time when browsing was always unencrypted. The foundation of this era was HTTP (hypertext transfer protocol) and HTML (hypertext markup language), a pair of straightforward technologies that aimed to make web content creation accessible to everyone, without the need for complex typesetting or page layout software.
Known as hypertext with hyperlinks, this web system was innovative and easy to implement. Users could create web pages by marking up regular ASCII text files with simple commands, leaving the browser to handle page layout, rendering, and display. The flexibility of the HTML language allowed users to create pages using applications they already owned, such as text editors on both personal computers and Unix systems. This portability facilitated the sharing of web pages across various computer systems.
When loading HTML files, no special headers or identification information were required. Browsers could access files directly from the user's hard drive using traditional operating system calls such as open() and read(). However, accessing hyperlinked web pages from other people's servers would have been unsustainable due to the limited availability of network-based file and directory services like NFS, AFS, and SMB in the early 1990s. These services proved too performance-intensive for internet use, even disregarding the risks that came with them.
Defining a simple HTTP protocol facilitated easy web-based content sharing among researchers without the need to set up network file sharing services first. Although HTTP servers could be vulnerable to various cybersecurity threats, a basic HTTP server was relatively easy to code and believed to be easier to secure compared to a general-purpose network filing system. The original HTTP protocol offered a model of text-based simplicity, making it easy for requests and replies to be exchanged between browsers and servers.
Sir Tim Berners-Lee, the web's inventor, concluded his specification with the concept of idempotent operations: operations that can be repeated without changing the outcome beyond what the first one produced. HTTP requests followed this principle, so every request produced the same result regardless of the user's previous activity. Because the original HTTP was stateless in this way, features such as user accounts, visitor tracking, targeted ads and online shopping baskets were impossible in that original form.
The web flourished within academic and research communities before commercial companies recognized its potential. As the web became popular, developers prioritized new features over simplicity. Netscape Browser engineers added headers such as cookies, enabling servers to track a user's past activity. With the introduction of usernames, passwords, and online commerce, personal data like delivery addresses and payment card details became commonplace on the web.
The lack of encryption in HTTP meant that any data entered into forms, such as login information, was transmitted in plain text and vulnerable to eavesdropping by attackers. Although HTTP did not include an encryption layer, protocols like SSL (secure sockets layer) and TLS (transport layer security) would later be developed to encrypt sensitive data transmitted over the web. These security measures were crucial for companies sending passwords and payment card data over the open internet without facing severe repercussions from credit card companies.
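The eavesdropping risk described above is easy to see from the defender's side: a passive sensor on the network path (an IDS, for example) can parse a plain-HTTP login request and recognise the credential fields in it, whereas on port 443 it would see only TLS records. The following script is an added example, not code from the original article; it models such a sensor raising an alert when a form with a password field is posted over plain HTTP. The sample requests are constructed inline, and the field-name list and the host `example.test` are assumptions.

```python
"""Flag credential-bearing form submissions observed over plain HTTP.

Added example (not from the article). Models a passive monitor that
inspects captured HTTP/1.x requests on port 80 and alerts when a login
form is posted without TLS. Sample traffic is constructed below.
"""
from urllib.parse import parse_qs

# Form field names commonly used for credentials (assumption; extend as needed)
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def credential_fields_in_body(request: dict) -> list:
    """Return the credential field names found in a form-encoded body."""
    ctype = request["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(request["body"].decode("iso-8859-1"), keep_blank_values=True)
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


def audit_plaintext_request(raw: bytes) -> dict:
    """Decide whether a captured port-80 request should raise an alert.

    Inside a TLS tunnel the same request would be unreadable ciphertext,
    so this check only ever applies to traffic captured in the clear.
    """
    req = parse_http_request(raw)
    found = credential_fields_in_body(req)
    if req["method"] == "POST" and found:
        return {"alert": True, "host": req["headers"].get("host"), "fields": found}
    return {"alert": False, "reason": "no credential fields in plaintext body"}


# Constructed sample: a login POST as a 1990s-style browser would send it
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

# Constructed sample: an ordinary page fetch with nothing sensitive in it
SAMPLE_GET = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_LOGIN, SAMPLE_GET):
        print(audit_plaintext_request(raw))
```

The point of the check is not that the monitor is clever; it is that the credential is sitting in the bytes for anyone on the path to read. Moving the form to HTTPS removes the field from view entirely, which is the mitigation the rest of the article describes.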
The advent of SSL provided optional encryption for HTTP requests bearing personal or secret data. Browsers could request an encrypted network connection through an https:// URL, which directs them to TCP port 443 instead of the standard port 80. Upon connecting to the server, the browser and server would negotiate encryption keys through a cryptographic handshake, creating a secure data tunnel for the HTTP conversation.
Despite the benefits of HTTPS, implementing it on a widespread scale was a challenge. Server management became more complex, as cryptographic keys needed to be securely distributed to every computer that might serve up a web page. Additionally, HTTPS traffic tended to be slower, because of the CPU cycles required for encrypting and decrypting data and the extra network traffic needed to establish secure connections.
Partial HTTPS implementation emerged as a compromise in the world of online services. Some companies, including popular social networking sites, began using HTTPS only for sensitive activities like login and authentication, while resorting to HTTP for everything else. However, this half-hearted approach proved inadequate in ensuring user privacy and data security.
In 2010, the release of a Firefox plugin called Firesheep brought renewed focus on the importance of HTTPS. By automating the process of discovering and exploiting web authentication tokens, Firesheep demonstrated the risks associated with half-baked HTTPS implementations. Following Firesheep's exposure of these shortcomings, many major web properties like Facebook and Twitter began offering full-time HTTPS by default within about 18 months.
Securing the web remains crucial in today's digital era. While it's essential to use HTTPS for sensitive activities, it's equally important to acknowledge its limitations in ensuring the quality and truthfulness of website content. Tools alone cannot replace human judgment in determining the trustworthiness of online information. Make sure your browser offers an "HTTPS everywhere" option, enabling it if it isn't on by default, to protect yourself from unencrypted sites.
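The "half HTTPS" weakness that Firesheep exposed, and the "HTTPS everywhere" advice above, both come down to a few response headers: a session cookie set without the `Secure` attribute is sent by the browser on every plain-HTTP page, and without `Strict-Transport-Security` the browser will still follow http:// links to the site. The following script is an added example, not code from the original article; it models the browser's decision of whether a cookie travels on an http:// request and audits a response's headers for both gaps. The sample responses and the cookie name `session_id` are constructed for illustration.

```python
"""Audit response headers for the partial-HTTPS weakness.

Added example (not from the article). Checks Set-Cookie attributes and
the Strict-Transport-Security header, and models the browser rule that
a Secure cookie is never sent over plain HTTP. Samples are constructed.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Valueless attributes such as Secure and HttpOnly become True
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_sent_on(cookie: Dict[str, object], scheme: str) -> bool:
    """Model the browser rule: a Secure cookie is never sent over plain http."""
    if cookie["attrs"].get("secure") and scheme == "http":
        return False
    return True


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response's Set-Cookie and HSTS headers."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            c = parse_set_cookie(value)
            if not c["attrs"].get("secure"):
                findings.append(
                    f"cookie {c['name']} lacks Secure: it will be sent over plain HTTP")
            if not c["attrs"].get("httponly"):
                findings.append(
                    f"cookie {c['name']} lacks HttpOnly: readable by page scripts")
        elif lname == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(
            "no Strict-Transport-Security header: browser may still follow http:// links")
    return findings


# Constructed: a 2010-style login response; cookie issued over HTTPS, no Secure flag
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
]

# Constructed: the same response after moving the site to full-time HTTPS
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

Run against the weak response the audit reports two findings (no `Secure` on the cookie, no HSTS); against the hardened one it reports none. The `cookie_sent_on` check is the mechanism behind the first finding: the same cookie, once marked `Secure`, simply never appears on a plain-HTTP request, which is what a site relying on login-only HTTPS was missing.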
[Image Credit: Jornada Produtora via Unsplash]
- As the web grew and transformed from a research tool into a commercial platform, the need for stronger cybersecurity measures became increasingly evident, with scientific and cloud computing operations becoming ever more reliant on secure web services.
- The evolution of web browsing security encompasses not only the development of encryption protocols like SSL and TLS but also the ongoing examination of technology's role in maintaining data privacy, a crucial aspect of cybersecurity for scientific and cloud computing work.