During my outreachy internship at Mozilla I am working on the Improving the User Experience of HTTPS-Only Mode, which is a new security feature in Firefox, the Mozilla Browser.
In my next blog post I will explain what HTTPS-Only Mode is. But before we dive into that I will explain the basic concepts. What even is HTTPS and why is it preferable? And since it’s a browser feature, let’s begin with what a browser is:
What is a Browser?
Firefox is the browser from Mozilla. There are lots of other browsers like Safari or Chrome or Internet explorer, and there are differences but over all they all serve the same purpose: browsers are programmes that access documents on the web and show those documents to a user. In fact, you are using one right now to read this blog. This blog post is not stored on your computer but on a server. Your browser communicates with this server and asks it to send over all necessary resources to show you this blog (the text, the images, the rules for the background color, …)
Let’s take a closer look at the communication between browser and server. Since there are a lot of different servers and different browsers a shared understanding of how to ask for and send the information around is important. That’s what protocols are for.
What are the protocols for the communication between browsers and servers?
HTTP stands for Hypertext Transfer Protocol and defines the rules of how to transfer data between server and browser. This protocol allows browsers to request documents that are stored on the web at a specific URL (Uniform Resource Locator) and the servers that store those documents to send them to the browsers that requested it.
Regrettably, there is one big downside to the HTTP protocol: it is not encrypted! So every server between the browser and the server with the requested documents (in this case the server where my blog post is stored at) could read everything that is sent. Kind of like a postcard. In the case of my blog this is not a huge problem, since it is public anyway and you don’t have to send any vulnerable information like passwords or credit card numbers to be able to read it. But still. Does it really feel good that everyone could easily watch you while you surf the web?
And that is where HTTPS comes in. HTTPS stands for Hypertext Transfer Protocol Secure (or HTTP over TLS which stands for Transport Layer Security). It is visualized by a small lock symbol in front of the URL – this blog has one.
HTTPS does basically the same thing as HTTP, so it’s a protocol that defines how your browser talks with the server that hosts the content you want to see, but the connection between those two is now encrypted. We are no longer sending metaphorical postcards through the internet but more like metaphorical safes where only your browser and the server have the key to unlock it. All the servers in between still see that your browser is talking to the server storing my blog, but they don’t see what data the server is sending and they don’t see which website you are on (the server probably stores more than just my blog). This is even more important when communicating with e.g. your bank of course.
Why not use HTTPS all the time?
According to Let’s Encrypt, a non-profit organisation that provides free and easy HTTPS certification, more than 80% of all connections in Firefox use HTTPS now. In 2014 that number was only ~25%. That increase is due to the fact that it has become much easier to get certified for HTTPS in recent years – in huge parts due to Let’s Encrypt. But if you only enter the URL without specifying HTTPS by typing https:// at the beginning, the browser will connect over HTTP by default. The server can update this connection to HTTPS and tell the browser that it should remember to always use HTTPS in the future. That mechanism is called HSTS (HTTP Strict Transport Security) and will update every visit to that web page after the first one. In the case of my blog, you are connecting over HTTPS. Even if you try to visit http://blog.leli-schiestl.de you are automatically redirected to the HTTPS version.
Why are there still ~20% HTTP connections than? Some websites are old and haven’t been well maintained since it’s easier to get certified. Others just don’t have it. Nothing much we can do there. But a lot of websites actually offer HTTPS but don’t use HSTS so the browser will never know about it. Some have outdated links. So you start with a HTTPS connection but then click a link on the site that has not been updated and still sends you to a HTTP page. And that is where HTTPS-Only comes in, which I will explain next time.