The power of HTTPS to protect has been brought into sharp focus by a series of attacks against software collaboration site GitHub. These attacks consistently failed because of the site’s universal use of HTTPS. Most recently, GitHub reported a blistering series of distributed denial of service attacks in March, which it believes were an attempt to persuade the site to remove certain content. Security researchers including Robert Graham and Insight Labs analyzed the latest GitHub attack, concluding that it appears to have been mediated by China’s “great firewall” censorship system.
These attacks come as the White House announced its consideration of a universal HTTPS standard for all U.S. government websites, citing security and privacy concerns. Online advertising industry group, the Interactive Advertising Bureau, likewise called for widespread adoption of the security protocol for advertisers.
GitHub previously had a run-in with China’s “great firewall” at the start of January 2013, when data collected by the Greatfire.org censorship-monitoring service indicated that GitHub was no longer available in China. Following an outcry by China’s software-development community, the site was unblocked on January 23, 2013. China couldn’t continue blocking GitHub because of its critical role as a software-development resource, which makes the site vital to its information economy. A few days later, Greatfire.org said it spotted attempts by China to intercept HTTPS connections to GitHub. However, GitHub uses HTTPS extensions designed to protect against this sort of attack and alert browsers when it’s occurring.
GitHub is host to all sorts of software and other projects, including copies of websites blocked in China and other material that may be objectionable to Chinese censors. Since GitHub is available only over HTTPS, it is not possible for China to block only that specific content: it could either block the entire site, or not at all. And because of GitHub’s vital importance to software development, it would be economically disadvantageous to block it outright.
When using insecure HTTP, every aspect of a reader’s browsing is open to observation and modification. A snoop can see every page that a reader loads, the contents of that page, and any usernames, passwords, or cookies used to log in. A censor can subtly change the apparent contents of a site, hiding articles or pages the censor finds objectionable, or modifying contents of articles.
When browsing with HTTPS rather than HTTP, connections to websites are encrypted. A would-be snoop or censor can see which site a reader is connected to (github.com, The New York Times, or the Guardian, for instance) and the approximate details of requests: when the reader asks for another article, or how big that article is. However, specific details remain securely encrypted and authenticated. It’s not possible to see which article is being read, or to change what it says. For major news sites, HTTPS provides a significant defense against both heavy-handed and subtle censorship.
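To make that distinction concrete, here is an added Python example (not from the CPJ article) that parses a constructed plaintext HTTP request and a constructed TLS ClientHello the way a passive observer on the wire would: the first yields host, path and cookie, the second only the server name (SNI) and the byte count. The hostnames and cookie value are made up.

```python
import struct

# Constructed sample plaintext HTTP request (not captured from a real site).
HTTP_REQUEST = (b"GET /articles/blocked-story.html HTTP/1.1\r\n"
                b"Host: news.example\r\nCookie: session=abc123\r\n\r\n")

def observe_http(pkt: bytes) -> dict:
    """Everything a passive observer learns from a plaintext HTTP request."""
    head, _, _ = pkt.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, path, _version = lines[0].split(b" ", 2)
    headers = dict(line.split(b": ", 1) for line in lines[1:])
    return {"host": headers.get(b"Host", b"").decode(),
            "path": path.decode(),
            "cookie": headers.get(b"Cookie", b"").decode()}

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying a server_name extension (RFC 6066).
    Zero random bytes and a single cipher suite are simplifications for the example."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)            # ext type 0, ext length
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + bytes(32)                                # version, client random
            + b"\x00"                                              # empty session id
            + b"\x00\x02\xc0\x2f"                                  # one cipher suite
            + b"\x01\x00"                                          # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observe_https(pkt: bytes) -> dict:
    """What the same observer learns from the TLS handshake: hostname and size only."""
    assert pkt[0] == 0x16 and pkt[5] == 0x01, "not a ClientHello record"
    p = 9 + 2 + 32                                     # headers, version, random
    p += 1 + pkt[p]                                    # session id
    p += 2 + struct.unpack("!H", pkt[p:p + 2])[0]      # cipher suites
    p += 1 + pkt[p]                                    # compression methods
    ext_end = p + 2 + struct.unpack("!H", pkt[p:p + 2])[0]
    p += 2
    host = None
    while p < ext_end:
        etype, elen = struct.unpack("!HH", pkt[p:p + 4])
        if etype == 0:                                 # server_name: list len, type, name len
            nlen = struct.unpack("!H", pkt[p + 7:p + 9])[0]
            host = pkt[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return {"host": host, "bytes_on_wire": len(pkt)}
```

Path, cookie and page body never appear in the second result; that is the whole of what HTTPS hides from a network-level censor, and why per-page blocking of an HTTPS-only site is not possible.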
The distributed denial of service attack against GitHub demonstrated just how powerful a defense HTTPS can be. On March 27, GitHub reported a sophisticated large-scale attack that it said it believed was intended to convince it to take down certain content. Robert Graham, who heads security research group Errata Security, analyzed the traffic that formed part of the attack and concluded it was being perpetrated by China’s “great firewall.” Because China couldn’t selectively censor GitHub due to HTTPS, and couldn’t block it outright for economic reasons, it seems to have resorted to a brute-force attack in an attempt to coerce GitHub into self-censorship.
This shameful behavior is why the Committee to Protect Journalists calls on all websites to default to HTTPS, especially news sites. Many news sites are simply too important to block outright. Moving to HTTPS may protect them, and most importantly their readers, from censorship altogether. HTTPS not only protects privacy and prevents censorship, it protects a site’s users from sophisticated attacks that can compromise their computers just by visiting an HTTP website, even if the site itself has not been compromised.
And implementing HTTPS might become much easier soon. To make the switch, sites must ensure that all embedded content is available over HTTPS, and that includes advertising. Advertising is often outside those sites’ control, managed by independent agencies and exchanges. Persuading advertisers to enable HTTPS has been a challenge for many news sites, especially since all possible advertisers need to support HTTPS before they can make the switch. However, on March 25, the Interactive Advertising Bureau called for widespread adoption of the HTTPS standard by online advertising companies. If online advertisers heed this call, it could pave the way for easier HTTPS adoption by news sites.