If youre a regular Naked Security reader, youll know that weve been fans of HTTPS for years.
In fact, its nearly nine years since we published an open letter to Facebook urging the social networking giant to adopt HTTPS everywhere.
HTTPS is short for HTTP-with-Security, and it means that your browser, which uses HTTP (hypertext transport prototol) for fetching web pages, doesnt simply hook up directly to a web server to exchange data.
Instead, the HTTP information that flows between your browser and the server is wrapped inside a data stream that is encrypted using TLS, which stands for Transport Layer Security.
In other words, your browser first sets up a secure connection to-and-from the server, and only then starts sending requests and receiving replies inside this secure data tunnel.
As a result, anyone in a position to snoop on your connection another user in the coffee shop, for example, or the Wi-Fi router in the coffee shop, or the ISP that the coffee shop is connected to, or indeed almost anyone in the network path between you and the other end just sees shredded cabbage instead of the information youre sending and receiving.
But why HTTPS everywhere?
Nine years ago, Facebook was already using HTTPS at the point where you logged in, thus keeping your username and password unsnoopable, and so were many other online services.
The theory was that it would be too slow to encrypt everything, because HTTPS adds a layer of encryption and decryption at each end, and therefore just encrypting the important stuff would be good enough.
Even if you didnt have an account on the service you were visiting, and therefore never needed to login, eavesdroppers could track what you looked at, and when.
As a result, theyd end up knowing an awful lot about you just the sort of stuff, in fact, that makes phishing attacks more convincing and identity theft easier.
Even worse, without any encryption, eavesdroppers can not only see what youre looking at, but also tamper with some or all of your traffic, both outbound and inbound.
If you were downloading a new app, for example, they could sneakily modify the download in transit, and thereby infect you with malware.
Anyway, all those years ago, we were pleasantly surprised to find that many of the giant cloud companies of the day including Facebook, and others such as Google seemed to agree with our disagreement.
The big players ended up switching all their web traffic from HTTP to HTTPS, even when you were uploading content that you intended to publish for the whole world to see anyway.
Fast forward to 2020, and youll hardly see any HTTP websites left at all.
Search engines now rate unencrypted sites lower than encrypted equivalents, and browsers do their best to warn you away from sites that wont talk HTTP.
Even the modest costs associated with acquiring the cryptographic certificates needed to convert your webserver from HTTP to HTTPS have dwindled to nothing.
These days, many hosting providers will set up encryption at no extra charge, and services such as Lets Encrypt will issue web certificates for free for web servers youve set up yourself.
HTTP is no longer a good look, even for simple websites that dont have user accounts, logins, passwords or any important secrets to keep.
Of course, HTTPS only applies to the network traffic it doesnt provide any sort of warranty for the truth, accuracy or correctness of what you ultimately see or download. An HTTPS server with malware on it, or with phishing pages, wont be prevented from committing cybercrimes by the presence of HTTPS. Nevertheless, we urge you to avoid websites that dont do HTTPS, if only to reduce the number of danger-points between the server and you. In an HTTP world, any and all downloads could be poisoned after they leave an otherwise safe site, a risk that HTTPS helps to minimise.
Sadly, whats good for the goose is good for the gander.
As you can probably imagine, the crooks are following where Google and Facebook led, by adopting HTTPS for their cybercriminality, too.
In fact, SophosLabs set out to measure just how much the crooks are adopting it, and over the past six months have kept track of the extent to which malware uses HTTPS.
Well, the results are out, and it makes for interesting and useful! reading.
In the paper, we didnt look at how many download sites or phishing pages are now using HTTPS, but instead at how widely malware itself is using HTTPS encryption.
Ironically, perhaps, as fewer and fewer legitimate sites are left behind to talk plain old HTTP (usually done on TCP port 80), the more and more suspicious that traffic starts to look.
Indeed, the time might not be far off where blocking plain HTTP entirely at your firewall will be a reliable and unexceptionable way of improving cybersecurity.
The good news is that by comparing malware traffic via port 80 (usually allowed through firewalls and almost entirely used for HTTP connections) and port 443 (the TCP port thats commonly used for HTTPS traffic), SophosLabs found that the crooks are still behind the curve when it comes to HTTPS adoption
but the bad news is theyre already using HTTPS for nearly one-fourth of their malware-related traffic.
Malware often uses standard-looking web connections for many reasons, including:
Go here to see the original:
Malware and HTTPS a growing love affair - Naked Security
- Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it - ZDNet - April 6th, 2020
- This startup is going back to basics to strengthen encryption - Livemint - April 6th, 2020
- Zoom's encryption has 'serious, well-known weaknesses', according to report - Android Central - April 6th, 2020
- LimeRAT malware is being spread through VelvetSweatshop Excel encryption technique - ZDNet - April 6th, 2020
- Hardware-based Full Disk Encryption Market 2019 Global Share, Trend, Segmentation and Forecast to 2025 - Science In Me - April 6th, 2020
- Encryption helps America work safely and that goes for Congress, too | TheHill - The Hill - April 6th, 2020
- Zoom admits confusion over its promise of end-to-end encryption - IT World Canada - April 6th, 2020
- Zoom Alternatives: 5 Options For People Who Care About Security And Privacy - Forbes - April 6th, 2020
- Senator Blumenthal Is Super Mad That Zoom Isn't Actually Offering The End To End Encryption His Law Will Outlaw - Techdirt - April 6th, 2020
- Another day, another couple of Zoom vulnerabilities discovered - 9to5Mac - April 6th, 2020
- Encryption Software Market Increasing Demand with Leading Player, Comprehensive Analysis and Forecast 2026 - Science In Me - April 6th, 2020
- Work from home: Videoconferencing with security in mind - We Live Security - April 6th, 2020
- Trustifi Releases Solution for Organizations to Protect Themselves Against the Explosion of Video Conferencing Cybercrime and Hacking - GlobeNewswire - April 6th, 2020
- Bill to protect children online ensnared in encryption fight | TheHill - The Hill - March 13th, 2020
- Child exploitation bill earns strong opposition from encryption advocates - Washington Examiner - March 13th, 2020
- Senators Pretend That EARN IT Act Wouldn't Be Used To Undermine Encryption; They're Wrong - Techdirt - March 13th, 2020
- Patent hints that encrypted displays could appear on future Apple devices - TechSpot - March 13th, 2020
- Senators dispute industry claims that a bill targeting tech's legal shield would prohibit encryption - CNBC - March 11th, 2020
- The EARN IT Act Is a Sneak Attack on Encryption - WIRED - March 11th, 2020
- Krk WiFi vulnerability affected WiFi encryption on over a billion devices - Privacy News Online - March 11th, 2020
- The Benefits of Encryption and the Implications of Creating Backdoors - American Action Forum - March 11th, 2020
- Big Boom in Encryption Key Management Software Market that is Significantly Growing with Top Key Players Netlib Security, Fortanix, Avery Oden, AWS -... - March 11th, 2020
- Mobile Encryption Market to Witness Robust Expansion throughout the Forecast 2020-2026: McAfee(Intel Corporation), Blackberry, T-Systems... - March 11th, 2020
- Email Encryption Market Rising Trends, Technology and Business Outlook 2020 to 2026 - Best Research Reports - March 11th, 2020
- Crypto, Encryption, and the Quest for a Secure Messaging App - Bitcoin News - March 8th, 2020
- Encryption Flaws Leave Millions of Toyota, Kia, and Hyundai Cars Vulnerable to Key Cloning - Gizmodo - March 8th, 2020
- IoT Security Solution for Encryption Market to Boom In Near Future by 2026 Industry Key Players: Cisco Systems, Intel Corporation, IBM Corporation -... - March 8th, 2020
- What are the top-rated encrypted texting apps? - Fox Business - March 8th, 2020
- Data Encryption Software Market: Future Forecast Assessed On The Basis Of How The Industry Is Predicted To Grow 2020-2025 - Bandera County Courier - March 8th, 2020
- How Encrypted Messaging Works And Why Australian Spies Are Trying To Break The Code - Gizmodo Australia - March 8th, 2020
- Why Britains new deal with Silicon Valley for stopping child abuse still has one big hole in it - Telegraph.co.uk - March 8th, 2020
- What the 2020 election means for encryption - The Verge - March 3rd, 2020
- Our guide to the 2020 election including Section 230 and encryption - The Verge - March 3rd, 2020
- Research: IT Managers Regard Encrypted Traffic as a Source of Cyberthreats, But Their Defenses Are Inadequate - Yahoo Finance - March 3rd, 2020
- Encryption Foes in Washington Won't Give Up - Reason - March 3rd, 2020
- BestCrypt by Jetico expands cross-platform protection to computers with T2 chip - Help Net Security - March 3rd, 2020
- Barr's Motives, Encryption and Protecting Children; DOJ 230 Workshop Review, Part III - Techdirt - March 3rd, 2020
- Comment: Its time for governments to learn how end-to-end encryption works - 9to5Mac - March 3rd, 2020
- Crypto AG Shows That US Concern Over Huawei Encryption Backdoors Comes From Long Experience Doing the Same Thing - CPO Magazine - March 3rd, 2020
- MI5 Still Thinks Encryption Backdoors are an Excellent Idea That Couldn't Possibly Go Wrong - Gizmodo UK - March 3rd, 2020
- Global Encryption Software Market is projected to reach a value of USD 20.44 billion by 2026 - WhaTech Technology and Markets News - March 3rd, 2020
- Exporters Should Be 'Very Careful' of Misusing New End-to-End Encryption Carve-Out in ITAR, Experts Say - Export Compliance Daily - March 3rd, 2020
- Encryption Software Market 2020 Analysis by Overview, Growth, Top Companies, Trends, Demand and Forecast to 2026 - Packaging News 24 - March 3rd, 2020
- If We Build It (They Will Break In) - Lawfare - March 3rd, 2020
- Why the US government is questioning WhatsApp's encryption - CNBC - February 25th, 2020
- No Backdoor on Human Rights: Why Encryption Cannot Be Compromised - Bitcoin News - February 25th, 2020
- Backdoor to encryption back on agenda in absurdly named bill - 9to5Mac - February 25th, 2020
- Signal is the European Union's encrypted messaging app of choice - Cult of Mac - February 25th, 2020
- cloudAshur, hands on: Encrypt, share and manage your files locally and in the cloud - ZDNet - February 25th, 2020
- ASIO: Relentless advance of technology was outstripping our capabilities - ZDNet - February 25th, 2020
- Cygilant to Highlight the Need for Encrypted Traffic Visibility at RSA Conference 2020 - Business Wire - February 25th, 2020
- Encryption Software Market 2020 Emerging Trends, Growing Demand, Leading Companies, Applications, Overview and Regional Analysis 2026 - News Times - February 25th, 2020
- US bill seen threatening encryption on tech platforms - EJ Insight - February 25th, 2020
- AES Encryption Software Market to Witness Increased Incremental Dollar Opportunity During the Forecast Period 2020 2026 | Dell, Eset, Gemalto, IBM,... - February 25th, 2020
- Hardware-based Full Disk Encryption Market To Witness Growth Acceleration During 2020-2026 | Western Digital Corp, Samsung Electronics, Toshiba,... - February 25th, 2020
- Encryption Software Market are anticipated to lucrative growth opportunities in the future by Product Type, Structure, End-user and Geography to 2027... - February 25th, 2020
- Proposed Bill Could Threaten Apple, Facebook Messaging Platforms - MSSP Alert - February 25th, 2020
- Zettaset to Participate in Cybersecurity Forum at Annual HIMSS 2020 Conference - Business Wire - February 25th, 2020
- Cloud Encryption Technology Market Analysis with Key Players, Applications, Trends and Forecasts to 2025 | Gemalto, Sophos, Symantec - Nyse Nasdaq... - February 25th, 2020
- US legislation to fend off end-to-end encryption of Facebook, Google and others - Financial World - February 25th, 2020
- Encryption on Facebook, Google, others threatened by planned new bill - Reuters - February 22nd, 2020
- What Is an Encryption Backdoor? - How-To Geek - February 22nd, 2020
- Sophos Takes On Encrypted Network Traffic With New XG Firewall 18 - CRN: Technology news for channel partners and solution providers - February 22nd, 2020
- Last Week In Venture: Eyes As A Service, Environmental Notes And Homomorphic Encryption - Crunchbase News - February 22nd, 2020
- CIA Encryption Meddling and Chinese Espionage Allegations Make It Clear: We All Need Strong Data Protection - Reason - February 12th, 2020
- Congress, Not the Attorney General, Should Decide the Future of Encryption - Lawfare - February 12th, 2020
- The code breakers: This vault is the epicenter in law enforcement's battle to unlock encrypted smartphones - USA TODAY - February 12th, 2020
- Enea Announces New Smart Tools to Identify Encrypted and Evasive Network Traffic - Yahoo Finance - February 12th, 2020
- Encryption Vs. Decryption: What's the Difference? - Techopedia - February 12th, 2020
- Labor Bill to fix Australian encryption laws it voted for hits second debate - ZDNet - February 12th, 2020
- Encryption Software Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - News Parents - February 12th, 2020
- Mobile Encryption Market to Grow Massively (2020-2025) By Size, Share, Price, Trend and Forecast | Blackberry, T-Systems International, ESET, Sophos,... - February 12th, 2020
- Child-Welfare Activists Attack Facebook Over Encryption Plans - The New York Times - February 9th, 2020
- How Attorney General Barr's War On Encryption Will Harm Our Military - Techdirt - February 9th, 2020
- Strong Opinions on Whether Police Calls Should be Encrypted - Government Technology - February 9th, 2020
- The EARN IT Act is the latest clueless attack on encryption, do not fall for it - Privacy News Online - February 9th, 2020
- Republican Senator Lindsey Graham introduces bill that threatens end-to-end encryption - World Socialist Web Site - February 9th, 2020
- Activists write to Facebook against encryption, says it will dent bid to curb child pornography - Hindustan Times - February 9th, 2020
- BBB Offers the Following Tips for National Clean Out Your Computer and Safer Internet Day WKTN- A division of Home Town Media - WKTN Radio - February 9th, 2020
- Optical Encryption Market Booming by Size, Revenue, Trends and Top Growing Companies 2026 - Instant Tech News - February 9th, 2020