Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

HTTP Considered Harmful – The Need For Negative Feedback

We all know, and understand well, what this means when we see it in a browser:

It means that the connection is encrypted, and that some degree of validation has occurred to verify that the server is who it claims to be. Through the years, users have been taught to trust sites when they see that, or the all-too-familiar ‘lock’ icon – when users see it, they assume their data is safe.

But what about this?

There’s no lock to tell them they are safe, but there’s also no warning to indicate that the connection isn’t secure. There’s no encryption, no validation – no protection at all. With HTTP, users are afforded nothing at all to protect them – but we all know that, right? Does the average user understand it, though? Do they understand how easily they could be monitored, or how easily their traffic can be altered?

The Need For Negative Feedback

Strong negative feedback has long been used in browsers to warn against invalid or expired certificates – but there’s no feedback to warn users of just how dangerous HTTP can be. After a discussion on Twitter, a friend of mine, Taylor Hornby, created a mockup of what could be done in Firefox to warn users:

This provides simple, clear feedback to the user that they shouldn’t trust the site – it doesn’t present an error or anything to interrupt the user, but does make them aware of the risks they are taking.
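As an added illustration (not part of the original post, and not Taylor Hornby's mockup), here is a minimal content-script-style implementation of such non-interrupting feedback: a pure policy function decides what to show from the page's protocol and its input fields, and a banner is injected only when a DOM is present. It goes beyond the post in one assumed way: the message is escalated when an HTTP page contains a password field.

```javascript
// Added example: "negative feedback" for plain-HTTP pages, in the spirit of the
// mockup described above. The policy is a pure function so it can be tested
// outside a browser; rendering runs only when a DOM exists (content script).

// Decide what feedback a page deserves.
//   protocol:   window.location.protocol, e.g. "http:" or "https:"
//   inputTypes: the `type` values of the page's <input> elements
// Returns { level, message }; level "none" means show nothing.
function feedbackFor(protocol, inputTypes) {
  if (protocol !== 'http:') {
    // https: gets the normal positive indicator; file:, about: etc. are out of scope.
    return { level: 'none', message: '' };
  }
  // Plain HTTP: no encryption and no validation of the server's identity.
  // Escalation on password fields is an assumption of this example.
  const collectsPassword = inputTypes.some(t => t === 'password');
  if (collectsPassword) {
    return {
      level: 'strong',
      message: 'Not secure: this page sends your password without encryption.'
    };
  }
  return {
    level: 'warn',
    message: 'Not secure: this connection is not encrypted and the site is not verified.'
  };
}

// Non-modal banner: informs the user without an error page or prompt.
function showBanner(message, doc) {
  if (!doc || doc.getElementById('http-warning-banner')) return;
  const banner = doc.createElement('div');
  banner.id = 'http-warning-banner';
  banner.setAttribute('role', 'status');
  banner.textContent = message;
  banner.style.cssText = 'position:fixed;top:0;left:0;right:0;z-index:2147483647;' +
    'background:#b00020;color:#fff;font:14px sans-serif;padding:6px 12px;';
  doc.body.prepend(banner);
}

// Entry point for a browser: evaluate the current page and render if needed.
function run(win, doc) {
  const types = Array.from(doc.querySelectorAll('input')).map(i => i.type);
  const fb = feedbackFor(win.location.protocol, types);
  if (fb.level !== 'none') showBanner(fb.message, doc);
  return fb;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  run(window, document);
}
```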

We, the security community, owe it to users to provide them with useful feedback so that they can protect themselves – providing negative feedback in the browser showing the weakness of HTTP would be a large step in that direction – and to urge site owners to adopt HTTPS as soon as possible.
