BT

Internet Security, TLS, and HTTP/2: A Q&A with ThoughtWorks’ Vuksanovic and Gibson

| by Daniel Bryant Follow 699 Followers on Oct 24, 2015. Estimated reading time: 8 minutes |

InfoQ recently sat down with Marko Vuksanovic and Sam Gibson from ThoughtWorks, and asked about their recent study of TLS/HTTPS and HTTP/2 that was published in the ThoughtWorks P2 magazine. Both Vuksanovic and Gibson shared their expertise on a range of security-focused topics, including ubiquitous computing, the workings of TLS/HTTPS, certificate trust, and the security implications of HTTP/2.

InfoQ: Internet security has been a hot topic this year, with several well-publicised issues. How important do you think security is as a topic today, and could you share your thoughts with why these issues may be emerging now?

Vuksanovic and Gibson: ​Security has always been an issue, but the reason why we hear more about it is that computing has become ubiquitous. The Internet of Things (IoT), inter­connected phones, cars, thermostats, and computers have made the way people live their lives increasingly reliant on technology.

Subsequently, this reliance has meant that people’s private lives have migrated, more than ever before, to platforms where they can be shared, accessed anywhere, and backed up forever. The consequences of poor security have become increasingly dangerous.  

These devices and installed software can reveal a great deal of information about a person; the more people use them, the more information that is revealed. All of this information, when aggregated, becomes a powerful tool for repressing speech and harassing individuals.

Governments around the world have realised that dragnet internet surveillance is possible, and because of Snowden’s leaks, we know that they’ve exploited this fact to spy on millions of people without spending much. Lawmakers are largely apathetic, despite their constituents’ concerns, but thankfully we know that with some basic security and cryptography, we can greatly improve privacy for everyone.

InfoQ: We know that you have recently written an article about HTTPS and TLS for the ThoughtWorks ​P2 magazine​ - could you provide the InfoQ readers with a brief overview of how HTTPS/TLS works please?

Vuksanovic and Gibson: ​First, it’s worth pointing out that TLS is the protocol and HTTPS is just the scheme. TLS is a secure “transport layer” that handles encrypting normal HTTP communications. There are two parts to TLS:

1. A Handshake

2. The Record

When talking about TLS, people mostly refer to the handshake part and not the record part. Even though it’s quite simple, it plays an equally significant role in enabling privacy. The handshake, as the name suggests, involves an exchange of a few messages to agree on how to start a secure session. It relies on cryptographic properties to establish a secure connection over an insecure channel. It also relies on a trusted third party (certificate authority) to guarantee that the sender and receiver are who they claim to be. Traditionally, the certificate trust infrastructure has proven to be the weak point of TLS/HTTPS.

Once the handshake is complete, clients who have established the secure channel, can use that channel to exchange new messages, while being sure that nobody else can read those. Readers can check out the article in the ThoughtWorks P2 magazine, named “Under the covers: HTTPS and certificates​” for a more in depth explanation on how TLS/HTTPS works.

InfoQ: Could you provide some use cases for HTTPS, and also outline some of the limitations or scenarios where the technology won't guarantee security (for example, in terms of authentication, authorisation and non-repudiation).

Vuksanovic and Gibson: ​HTTPS is critical to the modern Internet. It enables people to login to Facebook, access their bank account online, buy cat­ food from Amazon with their credit card, send private messages to their spouse, and lots of other things that we take for granted. Even though it contributes a great deal to our online privacy, it is not “the holy grail”.

HTTPS does not ​guarantee​ privacy. Your ISP or the government will be able to tell which websites you visit, though they won’t know what you’re browsing while you’re there.

Whenever you type an address in your browser URL bar, your browser will query a domain name server in order to find out what the IP address is of the server, associated with that domain name. To do that, computers use DNS protocol. This protocol is not encrypted. This allows ISPs (or anyone else on the route to the DNS server) to identify which websites you’ve visited. I encourage readers to check out ​DNSCrypt​ if they are interested in ensuring that their communication with the DNS server is encrypted.

While TLS does end to end encryption and authentication, it also heavily relies on trusted certificate authorities. There have been cases of signing certificates, which gives the ability to call a certificate “trusted” by browsers, being stolen or given away.

The NSA could use their legal powers to get one of the certificate authorities to issue a fraudulent certificate, or just use their resources to setup an authority of their own and get it trusted by the browser vendors. If this has not happened yet, it is just a matter of time before it does ­ by the NSA or by some other international agency.  

However, HTTPS is still extremely useful, and for nearly all people using it, very secure. While it might not stop targeted attacks from ‘three ­letter ­agencies’, it does make dragnet surveillance ­ where a government can listen to all internet traffic indiscriminately ­much more expensive for governments.

What is disappointing is that only about 50% of Alexa top 1000 websites use HTTPS everywhere. The rationale for why there are still so many websites that use plain HTTP remains unclear. Often, organisations claim that HTTPS is too expensive, because encryption requires more computer power than plain text.  

For smaller organisations or individuals, especially in developing nations, the cost of a certificate could also be prohibitive. Luckily, we should soon see a new CA (L​et’s Encrypt​) which will enable anyone to get a certificate for free.

InfoQ: We hear that Thoughtworks are working quite extensively with microservices. Do you think HTTPS is relevant/beneficial for internal microservice­-to-­microservice communication?

Vuksanovic and Gibson: ​Microservices is still an emerging field, so there are still lots of unsolved problems. TLS is beneficial in some scenarios, while in others it might be an overhead. Setting up TLS definitely adds to the complexity of the solution and should be used only where appropriate. For example, if two services are always running on the same host, it’s very likely that TLS is on overhead. However, if the two services communicate across multiple machines, maybe even across multiple datacenters, using TLS will probably be a good idea (or some other form of encryption). As with any problem, my advice is to use common sense when deciding whether to use TLS or not.  

InfoQ: How does the emergence of the HTTP/2 protocol affect HTTP and transport level security?

Vuksanovic and Gibson: ​HTTP/2 does not mandate using TLS. The standard itself describes how to use HTTP/2 over unencrypted connection. The reason why it will affect TLS usage is that none of the browser vendors support HTTP/2 over unencrypted connection. Some of the issues that are present when using TLS over HTTP will be gone. For example, with HTTP, every time a new connection is established, we would need to go through the TLS handshake, which as we know is quite expensive and can significantly contribute to overall page load time. With HTTP/2, things change. HTTP/2 introduces a new concept of streams. This, technically, allows us to use same TLS connection to deliver multiple resources, which in turn means the total number of TLS handshakes will be greatly reduced and thus, the overall page load time will be reduced.

HTTP/2 also introduces some other improvements that will contribute to initial page load time like header compression and server push.

One thing that I’m a little concerned about is the ability to debug HTTP/2 connections, but hopefully not many people will have to do that!

HTTP/2 is still not available in major web servers (nginx and apache), but support is on its way. We should see HTTP/2 support in those web servers by the end of the year. I expect HTTP/2 adoption to jump as soon as support is widely available. This will nicely coincide with “Let’s encrypt” which should be fully operational by that time. Once these two events happen (free TLS certificates and widely available HTTP/2 implementation), I can’t see any reason why not to use HTTP/2. I believe the time when HTTP/2 is a norm, is only a few months away.

For those who want to try out HTTP2 today, I recommend ​httpx​ proxy. It is really easy to set up. Another tool that people might find useful is h​2check ​which can be used to verify that a website is served using new HTTP/2 protocol. I highly recommend that people try HTTP/2 and measure how their website performs. Some tweaks that were necessary when using HTTP are not needed any more and some actually slow things down (e.g. spriting, concatenation, sharding). So my advice is: try HTTP/2, measure and see what works for you best. If you find any issues, resolve them sooner rather than later, so that you can reap the benefits of this new protocol as soon as it’s widely available.

InfoQ: Thanks for your time today Marko and Sam. Is there anything else you would like to share with the InfoQ readers (articles, projects, books etc)?

Vuksanovic: ​There’s heaps of interesting stuff that I’d like to get time to do. Within the next month or so, I plan to deep dive into HTTP/2 and explain in more detail how it works and why it is so important. Another topic that I plan to look into more is ​NTRUEncrypt​. This is a cryptographic algorithm based on relatively new mathematical construct called lattices and is one of the candidates for post-quantum cryptography. It’s interesting, as it’s said to be faster than RSA or elliptic curves and consumes less power. And one last thing, I will be giving a presentation on API security at “​API Days NZ”​. Those readers who happen to be there may come by and say “hi” and the others can look for the recording and slides when they get published/uploaded.

Additional details on Vuksanovic’s and Gibson’s study of TLS/HTTPS can be found in the ThoughtWorks P2 magazine article “Under the covers: HTTPS and certificates​”.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT