Naked Security bids farewell to HTTP

Image of portcullis courtesy of ShutterstockFarewell HTTP, it’s been fun but we’ve moved on.

From now on Naked Security will only be available over secure, encrypted HTTPS with Strict Transport Security and Forward Secrecy.

Did you even notice? Perhaps not. Will the NSA have sleepless nights now? We doubt it.

But do we like it better this way?

Yes we do, and judging by the comments you left when we first rolled out HTTPS as an option a few months ago, some of you do too.

We have always used HTTPS where it was absolutely necessary – on our admin interface and login pages for example – but back in June, to coincide with Reset the Net, we decided to make all the pages of Naked Security available over HTTPS too, for anyone who preferred them that way.

To begin with it was voluntary and only available to those who used the HTTPS Everywhere browser plugin or who added the ‘S’ to the protocol in the address bar themselves.

Over the intervening period we’ve ratcheted up the number of visits that are encrypted by using HTTPS on the links published via our syndication channels like Facebook and our daily news email.

Finally, a week ago, we pulled the plug on HTTP completely.

Some of you are probably thinking that the NSA doesn’t care if you read Naked Security, so why did we bother?

HTTP is unencrypted and therefore vulnerable to both eavesdropping and man-in-the-middle attacks by anyone – from opportunists using the same coffee shop Wi-Fi as you, to government agencies plugged into the internet backbone.

Most of the time those vulnerabilities are not worth exploiting, and even if they are exploited they don’t turn up anything useful anyway – it just isn’t worth hacking your web traffic to discover that you read Naked Security, for example.

And that’s the way the web grew up – with unencrypted HTTP as the default and HTTPS the exception, reserved for situations where it’s essential that your traffic isn’t spied upon because it might include sensitive information like passwords, private data or, latterly session tokens.

Increasingly though, people are demanding that privacy should be the rule and not the exception. Most of us don’t think of our browsing or email as public but that is, in effect, what it is and always has been.

Groups as diverse as Reset the Net and Google are now encouraging users and organisations to adopt encryption as a matter of course, while the Internet Engineering Task Force is putting encryption front and centre in the design of HTTP 2.0.

Slowly but inexorably HTTPS is becoming the rule rather than the exception for websites and that’s a trend we’re happy to be a part of.

Image of portcullis courtesy of Shutterstock.