A Secure Week

June 21, 2016

As an engineer, I am genuinely interested in challenges. Not necessarily the problem-solving challenges that we can face daily as a profession, but others forms as well. This is why I decided to challenge myself in a computer security related way.

For some of my daily Internet browsing, I make use of Google Chrome, and I have the HTTPS Everywhere extension installed. What this browser extension (claims it) does is check every website I visit and determine whether there is an HTTPS version available, and if there is, it redirects me there.

This has many benefits, and can help upgrade insecure requests that I may make, by clicking on an http:// link for example. It essentially does its best to encrypt as much of my web browser traffic as possible.

But this extension has a second option in its Settings menu. The option to block all HTTP requests and only allow HTTPS traffic. That means that if a website does not support the secure version of the protocol, or has issues implementing it (such as untrusted certificates, mixed content, etc.) I cannot visit it. I just see an error, like the one below:

This website does not support HTTPS

So what I did was to challenge myself to block all HTTP traffic for one week, and then write this blog post with notes, comments, and results. After all, I have already done something similar in the past, by blocking all network traffic destined to 80/tcp.

Now many of you will think that with free certificates, minimal performance overhead, dead simple configuration, and even performance benefits, it won’t be an issue. Most websites will already support that by now, and I will experience no difference.

Of course, this is a big mistake. During my first day, I visited some websites to see how they stand up, and one of the first things I realized was that most Greek websites did not support HTTPS at all. I immediately lost access to most of my country’s websites.

First of all I tried some University of Crete sites. The main website did not work because it had a terribly misconfigured server, but the Computer Science Department website worked. I could also see my grades, and even use the e-Learning platform that’s currently in place. Of course, that’s not the case for every department or school, and certainly not true for all universities. I just happened to be lucky.

I then wanted to check Alexa’s Top 10 Greek Websites, but I could not do this, because apparently Alexa does not support HTTPS, so I could not even see which ones they were.

Luckily, I came up with a trick of accessing the content of websites that did not support HTTPS, and that is to use Google’s Cached Page. By searching on Google about something that will give the website in its top results, you can view the cached version, which only works for a single page, and usually lacks styling and/or images. However, it is a quick workaround to get essential content.

Armed with the Top 10 List, I proceeded to check them one by one. The first few are, of course, Google, YouTube, and Facebook, which support the secure protocol, but what about the .gr domains?

It turns out the most popular one is fanpage.gr, followed by zougla.gr, makeleio.gr, protothema.gr, dikaiologitika.gr, and gazetta.gr, all of which do not support HTTPS. These sites are clickbait news websites, newspapers, as well as sports sites.

The top Greek websites using HTTPS were Skroutz and Ti Les Twra. The first is a price comparison website and the second is, like some before, a… “news” site ;-).

I then wanted to see how the Greek web hosting companies do. By far the most popular to my knowledge is Papaki, which not only has HTTPS, but it also allows all its users to have free HTTPS in their websites hosted with them. I was happy to see that Hyper Hosting, The Web Power, IP Domain, and Pointer, some of the top results on Google for “greek web hosting” also work.

I then had a look at Greek banks. I was not interested in the e-Banking system, it would be criminal negligence not to have HTTPS there, but rather in the home page, which of course is where you go to click the e-Banking button. From the banks I tested, the only one not supporting HTTPS was Piraeus Bank, at www.piraeusbank.gr.

Greece aside, in the international market, a lot of websites supported HTTPS, but most did it thanks to CloudFlare, so it is not clear whether the connection is encrypted all the way to the origin. In any case, they were perfectly accessible.

Some notable exceptions were theguardian.com, cnn.com, bbc.com, and nytimes.com, so I guess it’s a tradition to not support a secure protocol in that line of work.

Clearly for educational purposes, I also looked at adult entertainment websites, only to find out that none of them worked and all of them were HTTP only, even if they had users, log-ins, etc.

During the week I was doing this, I needed to research a lot of information for work related topics, which was a little bit annoying since around 60% of the links I clicked did not work at all. The Google Cache workaround did the trick, but it’s not something you are typically willing to do more than a few times per hour.

It turns out we are not yet surfing a world wide web that can work with HTTPS only, which is a shame since there is no excuse not to use that protocol. The adoption rate is large, especially in pages that are targeting users of all countries, but it is not enough, at least for some users. The good news is that it keeps increasing, which is something positive.

An argument I’ve heard is that most people only use YouTube, Twitter, Facebook, Instagram, Snapchat, all of which are properly configured, and these websites do their best to keep them in their environment, but that’s not always the case.

However, this article is not just a (very) long post about how we suck at securing our websites. I would also like to propose a solution to this problem. I think I came up with a way to visit only HTTPS sites, and still be able to access everything out there. It’s called “Online Proxies” and there are many available, such as Hide Me, K-Proxy, Zend2, and Hide My Ass.

As a final note, I’d like to say that I intend to keep punishing myself, but not by blocking all HTTP traffic, just impose a 20 ms delay to all packets destined to 80/tcp. This will allow me to visit insecure websites, but just have a worse, slower, experience when doing so. This defeats net neutrality, but in a good way.

Stay tuned for a far more extreme experiment where I will be spending a day in an IPv6-only network, with no access to IPv4 whatsoever. Also, I challenge you to do the same and post your results in your blog, or in the comments below!

Disclaimer

I am not endorsed by or affiliated with any website linked in this blog. They are provided for purely illustrative purposes. The solution provided in the end is not recommended and is not an actual solution to the problem. Of course, the title is not accurate. A website is not secure simply by having HTTPS, but a website without HTTPS is definitely not secure.