My next class:
Network Monitoring and Threat Detection In-Depth, Singapore, Nov 18th - Nov 23rd 2024

How much HTTP (not HTTPS) Traffic is Traversing Your Perimeter?

Published: 2024-10-22. Last Updated: 2024-10-22 16:33:35 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Back in June of 2010, the Electronic Frontier Foundation (EFF) released the first beta of the "HTTPS Everywhere" plugin [1]. Even then, most websites offered HTTPS. But unlike today, HTTP was often still the default, and HTTPS was not always implemented across the entire site.

The world has changed quite a bit since then. Today, browsers are expected to attempt to connect via HTTPS first, and non-TLS connections are the exception. New protocols like QUIC went as far as to no longer define a "clear text" version. Few websites offer any content without TLS.

I looked at recent traffic in my network to identify connections that are using HTTP in the clear and only found very few:

  • A weather station connected to my network reporting weather to Weather Underground uses HTTP instead of HTTPS. IMHO, it's not a big deal as the data is public. Of course, an attacker could manipulate it, but the weather station is not receiving, just sending. Another service used by the same weather station (Weathercloud) is also sending data in the clear.
  • Ubuntu Updates. There have been many discussions in the community about whether these downloads should take advantage of HTTPS, but so far, the cost of implementing HTTPS is seen as too high. The updates themselves are digitally signed. There is a privacy issue, as requesting updates will leak information about what systems you have running on your network and how they are configured.
  • OCSP responses. It may be ironic that the Online Certificate Status Protocol (OCSP) is not using TLS. But again, the overhead of TLS was perceived as too large. This could, however, cause privacy issues in revealing what certificates you are verifying. OCSP is somewhat on its way out, with certificate revocation lists (CRLs) being fashionable again and currently the only required means of certificate validation.
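
As an added example (not part of the original diary and not the author's tooling), one way to take the same kind of inventory from a sensor: the Python below reads a Zeek http.log, keeps only requests whose destination lies outside the local prefix, and separates an accepted baseline from everything else. The sample log is constructed and abridged, and `LOCAL_NETS`, `classify` and its hostname rules are assumptions to adapt to your own network.

```python
import ipaddress
from collections import Counter

# Constructed, abridged Zeek http.log (TSV); hosts and addresses are sample values.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tmethod\thost\turi",
    "1729600000.1\t192.168.1.50\t203.0.113.10\t80\tGET\trtupdate.wunderground.com\t/weatherstation/updateweatherstation.php",
    "1729600030.4\t192.168.1.50\t203.0.113.11\t80\tGET\tapi.weathercloud.net\t/set",
    "1729600100.2\t192.168.1.20\t203.0.113.20\t80\tGET\tarchive.ubuntu.com\t/ubuntu/dists/noble/InRelease",
    "1729600101.5\t192.168.1.20\t203.0.113.20\t80\tGET\tarchive.ubuntu.com\t/ubuntu/dists/noble-updates/InRelease",
    "1729600200.9\t192.168.1.21\t203.0.113.30\t80\tPOST\tocsp.example-ca.test\t/",
    "1729600300.0\t192.168.1.33\t203.0.113.99\t8080\tPOST\t-\t/upload",
    "1729600400.7\t192.168.1.20\t192.168.1.1\t80\tGET\trouter.lan\t/status",
])

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the internal prefix

def classify(host):
    """Assumed baseline of cleartext HTTP that has been reviewed and accepted."""
    host = host.lower()
    if host.endswith((".wunderground.com", ".weathercloud.net")):
        return "weather upload"
    if host.endswith(".ubuntu.com"):
        return "ubuntu updates"
    if host.startswith("ocsp."):  # heuristic only; OCSP responders use other names too
        return "ocsp"
    return "UNREVIEWED"

def perimeter_http(log_text):
    """Count cleartext HTTP requests leaving LOCAL_NETS per (client, host, category)."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        if fields is None or not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if any(dst in net for net in LOCAL_NETS):
            continue  # internal-to-internal traffic never crosses the perimeter
        # Zeek writes "-" for an absent Host header; fall back to the server address.
        host = rec["host"] if rec["host"] != "-" else rec["id.resp_h"]
        counts[(rec["id.orig_h"], host, classify(host))] += 1
    return counts

def unreviewed(counts):
    """Flows outside the baseline: the ones to investigate or migrate to TLS."""
    return sorted(k[:2] for k in counts if k[2] == "UNREVIEWED")

if __name__ == "__main__":
    for (client, host, cat), n in sorted(perimeter_http(SAMPLE_LOG).items()):
        print(f"{n:4d}  {cat:15s} {client:15s} -> {host}")
```

Because Zeek identifies HTTP by protocol analysis rather than by port, the request to port 8080 in the sample is counted as well.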


[1] https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Comments

I have been having this "Fight" with our network/firewall guys. Number 2 (win 11) and 3 are causing problems and they want to add a proxy server just for them.
