How much HTTP (not HTTPS) Traffic is Traversing Your Perimeter?

    Published: 2024-10-22. Last Updated: 2024-10-22 16:33:35 UTC
    by Johannes Ullrich (Version: 1)

    Back in June of 2010, the Electronic Frontier Foundation (EFF) released the first beta of the "HTTPS Everywhere" plugin [1]. Even then, most websites offered HTTPS. But unlike today, HTTP was often still the default, and HTTPS was not always implemented across the entire site.

    The world has changed quite a bit since then. Today, browsers are expected to attempt to connect via HTTPS first, and non-TLS connections are the exceptions. New protocols like QUIC went as far as to no longer define a "clear text" version. Few websites offer any content without TLS.

    I looked at recent traffic in my network to identify connections that are using HTTP in the clear and only found very few:

    • A weather station connected to my network reporting weather to Weather Underground uses HTTP instead of HTTPS. IMHO, it's not a big deal as the data is public. Of course, an attacker could manipulate it, but the weather station is not receiving, just sending. Another service used by the same weather station (Weathercloud) is also sending data in the clear.
    • Ubuntu Updates. There have been many discussions in the community about whether these downloads should take advantage of HTTPS, but so far, the cost of implementing HTTPS is seen as too high. The updates themselves are digitally signed. There is a privacy issue, as requesting updates will leak information about what systems you have running on your network and how they are configured.
    • OCSP responses. It may be ironic that the Online Certificate Status Protocol (OCSP) is not using TLS. But again, the overhead of TLS was perceived as too large. This could, however, cause privacy issues by revealing what certificates you are verifying. OCSP is somewhat on its way out, with certificate revocation lists (CRLs) being fashionable again and currently the only required means of certificate validation.
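
One way to take the same inventory on your own network, as an added example that is not part of the original diary: it assumes HTTP requests are logged in Zeek `http.log` TSV format with a `#fields` header (the diary does not name a tool), and the internal ranges, host and user-agent heuristics, and sample records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: address space treated as "inside" the perimeter.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def classify(host, user_agent):
    """Assumed heuristics for the three kinds of traffic the diary lists."""
    host = host.lower().rstrip(".")
    if host.endswith((".wunderground.com", ".weathercloud.net")):
        return "weather upload"
    if host.endswith(".ubuntu.com") or user_agent.startswith("Debian APT-HTTP"):
        return "ubuntu updates"
    if host.startswith("ocsp.") or ".ocsp." in host:
        return "ocsp"
    return "other"  # unexplained cleartext HTTP: review these first

def summarize(log_text):
    """Return {category: {"requests": n, "clients": set}} for outbound HTTP."""
    fields, out = [], defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the tag
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        if not is_internal(src) or is_internal(dst):
            continue  # keep only inside -> outside requests
        cat = classify(rec.get("host", "-"), rec.get("user_agent", "-"))
        out[cat]["requests"] += 1
        out[cat]["clients"].add(src)
    return dict(out)

# Constructed sample records (reduced column set, not captured traffic).
ROWS = [
    "192.168.1.40\t198.51.100.10\trtupdate.wunderground.com\t-",
    "192.168.1.40\t198.51.100.20\tapi.weathercloud.net\t-",
    "192.168.1.15\t203.0.113.5\tarchive.ubuntu.com\tDebian APT-HTTP/1.3 (2.7.14)",
    "192.168.1.15\t203.0.113.9\tocsp.example-ca.test\tMozilla/5.0",
    "192.168.1.22\t203.0.113.9\tocsp.example-ca.test\tMozilla/5.0",
    "192.168.1.22\t192.168.1.1\trouter.lan\tMozilla/5.0",
    "192.168.1.30\t198.51.100.77\twww.example.com\tcurl/8.5.0",
]
SAMPLE = "#fields\tid.orig_h\tid.resp_h\thost\tuser_agent\n" + "\n".join(ROWS)
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The "other" bucket is the useful output: it lists the internal clients still sending cleartext HTTP that none of the expected categories explains.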

     

    [1] https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu