In an environment rife with identity theft and where even simple cell phone browsers can handle SSL/TLS (Transport Layer Security) it seems that all web site hosting should be done over HTTPS (Hypertext Transfer Protocol Secure). True, there is a small amount of overhead involved with serving up HTTPS web sites, but this small cost is nothing compared to the costs associated with cyber-crime. Many of the simplest exploits would be foiled in an environment where all web site hosting is done over HTTPS, and more sophisticated attacks would be more difficult to pull off.

 At the February, 2009 Black Hat Security Conference held in Washington, DC a security researcher presented a technique that could be used to launch a man-in-the-middle attack over connections that are purportedly secure by HTTPS. The exploit does not actually break SSL encryption, but intercepts a connection once a user clicks on a link to an HTTPS web page from a non-secure HTTP page. One way to foil the attack would be to actually type the URL of the HTTPS page in the navigation bar of the browser, but it would be better if the user never had to open a non-secure page.

 One of the things that SSL does very well is verifying that the target web site is what it purports to be. Failure to make this authentication is something that many phishing exploits rely upon. If all web site hosting were done over HTTPS it would severely restrict the range of tools available for phishing exploits. Every domain would have to be authenticated each time it is visited over HTTPS, and even if it is a phishing site this would leave a better trail for investigators versus the lack of authentication required by HTTP web sites.

 Thanks to Moore’s Law, processing power and server bandwidth are no longer an impediment to the widespread use of HTTPS for web site hosting. The small amount of overhead needed to make this happen is a trivial price to pay in comparison to the benefit it could deliver for improved security of the World Wide Web. This is something you can take action on today by making sure that all of your web site hosting is done using HTTPS.