Deprecating HTTP - Lessons from SSH/Telnet

Recently, both Firefox and Chrome has been coming down hard on HTTP websites. According to this article, HTTP will be labelled as "Not Secure". This is hardly the first step, HTTP only websites have already had their search ranking penalised, and more stringent measures will surely be put in place. But will HTTP die out completely? I doubt so.

Taking a lesson from the history books, we observe a similar happening with Telnet and SSH some years back. Telnet has been around since the infancy on the internet, back when everyone knew everyone else on the network and where there were no security concerns. SSH came around in the 1990s, when the internet started growing exponentially and there were concerns of traffic sniffing by malicious actors in semi-trusted networks such as universities and internet cafes. Telnet is still very much alive today. Most network devices have them built in, the cheaper routers given out by your ISP likely even has them enabled by default.

I believe HTTP will very likely follow the path of telnet and will never die out completely. One reason being, the beauty about protocols like Telnet and HTTP is its simplicity. Apart from some control characters, both protocols are in plaintext, which makes debugging simple. I can easily open a TCP connection to port 80 of a web server, send GET / HTTP/1.0 and receive a readable output. The situation is not as simple with HTTPS. As we move forward with SSL/TLS, old protocols will start getting deprecated. I have seen web servers in public supporting only TLS1.1/1.2, which causes cipher mismatch issues on quite a lot of older browsers. The complexity extends beyond that, there is SNI, cert pinning and other issues which may affect the ability to access the website.

I am definitely in favour of moving to HTTPS. My own website already has HSTS configured for quite a while. Despite that, a simple query of my access logs cat /var/log/apache2/access.log | grep -v "bot" reveal that there is still substantial HTTP traffic to my site. Guess I won't be closing port 80 anytime soon.



Tags: Security

Similar Articles

Rules of Engagement in Cyberspace - Rules of engagement is a concept familiar to most military personnels worldwide. The basic premise of having rules of engagement is to ensure an appropriate level of response or reaction to a ...
Biometrics and Passwords - Many people have the misconception that biometrics such as fingerprint readers are more secure than passwords. It probably stems from Hollywood spy movies showing Top Secret facilities protected ...
The Golden Key - TSA Locks and Encryption - Earlier this year, TSA master keys were leaked and ordinary folks were supposedly able to 3D print these keys and open any luggage with a TSA lock. Despite the huge uproar, I personally feel that ...
Negative space - Sometimes, the lack of information is valuable information. The Washington Post reports that according to unnamed current and former US officials, the CIA pulled "a number of officers" from the ...