Reddit Makes Full Switch to HTTPS. What Should We Expect?

Starting June 29, Reddit will encrypt all site communications, following the example of Google, Apple, Wikipedia, Netflix and others.

“Nearly 1 year ago we gave you the ability to view Reddit completely over SSL,” according to a post by Reddit. “Now we’re ready to enforce that everyone use a secure connection with Reddit. Please ensure that all of your scripts can perform all of their functions over HTTPS by June 29. At this time we will begin redirecting all site traffic to be over HTTPS and HTTP will no longer be available.”

The White House also announced a move to HTTPS connections to “eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide,” US Chief Information Officer Tony Scott said in a memorandum. By the end of 2016, all federal agencies and departments should move their publicly accessible Web sites and services to HTTPS only.

Why do sites need HTTPS?

Unencrypted HTTP connections can expose users’ sensitive data to interception in transit between their computers and the servers. Even when parts of a site are protected against network attacks, passwords, credit card numbers and other valuable identifying information can still be intercepted via man-in-the-middle attacks if they are transmitted in plain text.

The benefits of HTTPS have been advocated for years. Here’s a quick roundup.

HTTPS guarantees the integrity and authenticity of connections. This means users should be confident they are talking to the true application server and that their communications remain unaltered.

The user’s information remains confidential from prying eyes. Only your browser and the server can decrypt the traffic. Eavesdroppers can’t understand the content of the communications between the two. This way, the user’s privacy remains intact against ISP and government tracking.

In terms of threats, users are safe from sniffing attacks. These often occur via unencrypted wireless networks found in cafes, libraries and airports. They are also protected from spoofing attacks, since encryption is done using a key uniquely generated between the two computers, preventing the spoofer from “seeing” how the two machines are communicating.

HTTPS also protects against impersonation attacks. When connected to unsecured Wi-Fi networks, users can fall victim to attackers looking to steal the authentication cookies that services like Gmail return after login credentials have been entered. Bogdan Botezatu, Senior E-Threat Analyst, says:

“In the light of national espionage scandals that have erupted in the past two years, we see a lot of services moving their non-private content over HTTPS at the expense of computing power. The move does not only stop agencies from gathering sensitive user information, but also ensures that the content the user receives has not been tampered with in any way.”

Even if a site has no apparent reason to adopt HTTPS, and even though the move can be resource-intensive and affect the site’s performance, the cost of any data leak means it’s worth it. And if you have a site, remember: it’s better to be safe than sorry.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.

1 Comment

  • In light of all the SSL vulnerabilities, does anyone actually believe this is a true security posture or just an illusion for the masses?