The HTTPS-only experience
EFF recently announced that "We're Halfway to Encrypting the Entire Web." As a celebration of this achievement I've started an experiment: as of yesterday, no unencrypted HTTP traffic reaches this machine*.
Experience
Even though securing your website is easier than ever it will take some time before everybody encrypts. But there are a bunch of sites which support both secure and insecure HTTP transfer, and there are a few tricks to tilt the scales and make the current experience better:
- The HTTPS Everywhere browser extension ensures that you use HTTPS whenever possible on thousands of sites.
-
Editing the URL to add "
https://
" at the start works for some sites. If you get the dreaded certificate error page make sure to report them, and only add an exception if … well, that subject is too big to get into here. Just don't.
Many sites have excellent HTTPS support, and have enabled HTTP Strict Transport Security (HSTS). In short, if your browser knows that the domain supports HTTPS (by visiting it or the browser being installed with it) you can simply type the domain name in the URL field and the browser will default to fetching the secure version of the site. On the other end of the spectrum I can still visit sites which have no HTTPS support at all if I really need to by using Tor, which provides privacy but not integrity or authenticity.
pacman
stopped working after setting this up. It
turns out the package database is fetched using unencrypted HTTP by default,
but it was easy to
generate a new list of
only HTTPS mirrors.
Some sites have a strange HTTPS setup. The BBC only support HTTPS for the front page, which is just weird. Why go to all that trouble for 1% of the gain? Other sites require authentication to access using HTTPS, possibly not realising that setting up HTTPS for everyone would be easier.
My home router runs DD-WRT, and the web interface for it is only accessible by HTTP by default. This is easy to configure though.
OCSP uses HTTP (at least in Firefox), since
the returned file signature has to be checked separately anyway. So if I go to about:config, change security.OCSP.require
to
true
, and visit a site I haven't seen for a while, I get an error
message like this:
An error occurred during a connection to example.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR
The solution is to either allow OCSP queries specifically or to allow HTTP to specific hosts. Let's see what can be done…
The Steam client uses insecure HTTP for both game updates and the store pages. There doesn't seem to be any way to force it to use HTTPS, so I have submitted suggestion to Valve using the official channel.
These have been the only major hassles so far. The only other sites I really can't get to work over HTTPS are various hold-outs like Wikia and BBC.
Setup
The change was a simple addition to my Puppet manifest:
firewall { '100 drop insecure outgoing HTTP traffic': chain => 'OUTPUT', dport => 80, proto => tcp, action => reject, }
The resulting rule:
$ sudo iptables --list-rules OUTPUT | grep ^-A -A OUTPUT -p tcp -m multiport --dports 80 -m comment --comment "100 drop insecure outgoing HTTP traffic" -j REJECT --reject-with icmp-port-unreachable
Post mortem, 2020-10-15
After almost two and a half years I disabled this rule on 2019-08-09, for the following reasons (in decreasing order of importance):
- Most interesting sites have moved to HTTPS by now! Woo!
- The excellent HTTPS Everywhere extension achieves basically the same, with the option to disable it per site. This is in most cases† easier than switching to the Tor Browser.
- The Tor Browser would sometimes be inconvenient as a way to get to HTTP-only sites, since several hosting providers seem to be hostile to Tor. Some seem to simply block anything that looks like it comes from Tor, I guess out of fear of being hacked? Also, spending several minutes solving Google CAPTCHAs is excruciating.
- I had to maintain an exclusion list for OCSP lookups (chicken-and-egg problem, really) and Steam, which stubbornly refuse to move to HTTPS for game content delivery. I guess that'll have to wait until the first high-profile exploit enabled by the fact that package signatures don't guarantee confidentiality, meaning that any eavesdroppers can tell exactly what you are installing.
- I moved from Puppet to Nix, and I couldn't be assed to convert some of the ugliest Puppet code.
All in all I consider it a success:
- ✓ It prodded me to ask Valve and others to move to HTTPS.
- ✓ I learned a bit about HTTPS (OCSP).
- ✓✗ I learned more than I cared to about Puppet. Don't get me wrong, it's excellent for additive changes, but it can't hold a candle to Nix in terms of reproducibility.
- ✗ Using Tor Browser was marginally more painful than I had expected. Not because of any fault with the browser, but because of being blocked by website configurations and CAPTCHAs.
* Technical readers will of course notice that the configuration simply blocks port 80, while HTTP can of course be served on any port. The configuration wasn't meant as a safeguard against absolutely every way unencrypted HTTP content could be fetched, but rather focused on the >99.9% of the web which serves unencrypted content (if any) on port 80. I would be interested in any easy solutions for blocking unencrypted HTTP across the board.
† Some sites for whatever reason seem to drop rather than reject traffic to port 443. Unfortunately that means I have to wait for Firefox to time out before getting the prompt to disable HTTPS Everywhere on that site. Other sites do something broken on HTTPS, like heaps of DreamHost sites which just shows a generic 404 page and others which have an admin interface there.
No webmentions were found.