Rise Of The HTTPS Bullies

You may be aware of the SSL conversation going on around you, especially if you own or operate a website and have some sort of SEO awareness. It all started with Google unilaterally deciding to call most of the internet UNSAFE because it did not have an SSL certificate installed; this is what led to the rise of the HTTPS bullies.

Websites Need SSL/TLS

Well, of course they do. We rely on the internet for pretty much everything these days, and the internet traffic between our web browsers and our online banking websites, Gmail, Netflix and so on absolutely needs to be secured.

Undoubtedly the internet is a lot safer for users in general now that Google have labelled everyone unsafe for not having an SSL certificate; the negligent and the lazy were delivering a service over the internet without an SSL certificate to secure their traffic. But the vast majority of websites affected by this change didn't need an SSL certificate for any real, tangible cybersecurity reason to do with their website.

The vast majority of the internet was quite happily deciding which internet traffic needed securing and which did not, and a lot of these decisions were cost driven because SSL certs used to be really expensive. That's not the case anymore: the price of SSL certs has plummeted to the point where it's inexpensive to secure a website with one, and if you just don't want to pay for a cert, there is Let's Encrypt, which issues them for free. Cost is no longer an excuse.

But Do All Websites Need SSL?

No, of course they don't. You would have to be an infosec fanatic to look at something like a travel blog and call it unsafe for not having an SSL certificate when there is nothing inherently unsafe about it. Google are data profit mongers who are misleading internet users about the risks of the unsecured websites they were happily browsing. Huge swathes of the websites they have declared unsafe pose no threat whatsoever to anyone but Google.

I personally find it distasteful that a company that lives and profits from having unfettered access to our personal data and habits is labelling other websites as unsafe in order to protect its users' data.

But what about man-in-the-middle (MITM) attacks (https://en.wikipedia.org/wiki/Man-in-the-middle_attack), the HTTPS fanatics scream? For sure they can pull half a dozen examples off the internet involving MITM attacks on unsecured traffic, but it's just not the real world for the vast majority of personal blogs and small websites that don't get lots of consistently heavy traffic.

Hackers and cyber criminals do not care about small-time personal blogs, online travel diaries and the meagre dribble of people who visit them. If an attacker somehow manages to seize control over the internet traffic you form part of, then you have much more to worry about than a website that doesn't have an SSL certificate.

If however your blog publishes politically sensitive material of some sort, or attracts cultural controversy in some way, HTTPS is a good idea.

For sure anyone who can use google will find edge cases that prove me wrong, but this is the cybersecurity space we are talking about here, it's a land of infosec professionals using edge cases to prove their point.

Google Became The Change They Wanted To See In The World

The whole HTTPS certificate apocalypse is Google bullying website owners and using their near monopoly on web browsers to push the changes they want to see onto the internet. Now you could argue that they are bullying people into being safe with information and that it's a good thing generally speaking; I would disagree with you.

Bullying is not a good way to get people to do anything, and it causes resentment over the long term amongst those you bully. If you thought it was fun to aggressively push your technical beliefs onto others, then you would do well to remember this.

With their bullying Google are not really being altruistic; they just like to posture and signal in that way for PR purposes. Google really pushed this change for entirely self-serving reasons: they did it to reinforce a walled garden of security and privacy that they already have the keys to. All Google really did was use Chrome to label millions of websites UNSAFE when there was probably nothing unsafe about the websites or their content.

That didn't stop other browser developers like Mozilla and Microsoft following their lead, though, and implementing the same mindless UNSAFE WEBSITE warnings in their own browsers when you navigate to a site with no SSL. But of course the rest of the browsers follow Google's lead; they are the leader.

They also followed Google because, on the whole, it's not a bad idea, and it's not an idea that any infosec professional would argue against for very long, especially given the current HTTPS EVERYWHERE climate and culture. It's just not worth provoking a naming and shaming campaign from the HTTPS bullies on social media.

Who Are The HTTPS Bullies?

You could argue that Google, Mozilla and Microsoft are HTTPS bullies for forcing everyone to install SSL certificates on their websites by labelling them UNSAFE if they do not, especially because they do so in the name of user safety and use security fears to push through these changes.

I am not going to, though. Instead I am going to call out those of you who work in infosec and who should know better: those who are ideologically forcing SSL down everyone's throat are the most deserving of the label.

HTTPS bullying is the bastard lovechild of infosec and call-out culture. We have finally arrived at a place where infosec professionals are bullying others for not having an SSL certificate when they probably don't need one.

These are the guys who like to swoop in on the Twitter account of any brand, organization or group that made some sort of security blunder and fluffed their responses on social media. The infosec space loves nothing more than to publicly humiliate others who have made cybersecurity mistakes in their Twitter feeds, and God help anyone who disagrees with them. HTTPS bullying is an extension of this behavior.

HTTPS bullying is a self-righteous and patronizing behavior that drives a sensible infosec professional to go well beyond merely advising others to get SSL certs for sensible infosec reasons and to begin bullying them about it.

The fact that these websites still do not have an SSL certificate, even after the browsers have marked them UNSAFE, serves to enrage the SSL bullies.

Beneath the cover provided to them by Google, Mozilla and Microsoft, they have begun to proactively harangue offenders on social media. With the sort of self-righteousness that you usually see in religious fanatics, infosec people are now actively naming and shaming brands, groups, businesses and websites that do not have SSL in place.

This behavior is effective because the actual users, who do not understand the intricacies of the argument for having an SSL certificate protecting a static page, only hear 'the website is making you unsafe'.

Who Is The Leader Of The HTTPS Bullies?

I vaguely like Troy Hunt, and I say vaguely because I do not really know him; I just know of his good works. He is an infosec Twitter superstar, maintains a killer blog and is paid to speak at all the best conferences. Troy is a bona fide infosec celebrity, and he probably deserves his fame too.

I like him because he does great work; his HaveIBeenPwned website is fantastic and provides a hugely valuable service. His talks and writing also cannot be faulted. Troy is a genuine infosec professional with deep knowledge and experience.

The problem I have with him is that he recently promoted himself to leader of the SSL bullies for no apparent reason. Maybe the success of [haveibeenpwned](https://haveibeenpwned.com/) went to his head, maybe he felt he just wasn't doing enough good in the world and needed to do more, or maybe it's because he is a Microsoft golden child and likes to please his patrons?

You can tell that it's not for the good of 'the internet users', though. This is something completely different from altruism: it's cyberbullying.

I like to think it's because Troy is an infosec hero, one bent on imposing his will onto the world so that he may bask in the glow of his own goodness.

He has executed his SSL master plan in a very cunning way. First he launched a very helpful little website that assists those looking to install SSL on their own websites. Then, for stage two, he launched a global name-and-shame directory of websites that do not have an SSL certificate installed; he knew that there would be pushback, and launching the helpful site first bolsters the perception that his move is altruistic.

Ultimately, when it comes to SSL, Troy is peddling an extreme view of internet security and crying wolf, seemingly leveraging his credentials and domain authority to bully others.

To what end I have no idea.

MITM Attacks Are Suddenly Everywhere

Troy cares deeply about the world adopting SSL certificates, so deeply that he made a twenty-five-minute-long video explaining why static websites need an SSL certificate. He has a box full of edge cases where unsecured sites were compromised, where corrupt governments convince weak ISPs to manipulate traffic, and he even rolls out a WiFi Pineapple to prove that traffic interception is a real thing.

He then proves beyond doubt that traffic interception is a real thing by picking on somebody from Twitter who said that their static website does not need an SSL certificate and going to work on their website to prove them wrong.

The foundation on which his whole argument rests seems to be his fairly extreme worldview that the internet is made up of websites where MITM attacks are OK and websites where MITM attacks are not OK, which is a bit odd.

I think this is where the manipulation in his messaging really shows, and I also think that he is being misleading about the actual likelihood of an MITM attack targeting your average everyday internet user. Troy is a man making a point about why he is right using cyber fear, a tactic commonly used by salespeople working for cybersecurity vendors.

He is also being indirectly misleading in that he isn't really talking about the threat posed by unsecured websites; he is talking about the threat of unscrupulous actors seizing control over network traffic, which is something completely different and a next-level cyber threat to worry about.

If a malicious actor takes the time and spends the resources to seize control over an internet user's (or group of users') internet traffic, then you have much more to worry about than the lack of an HTTPS certificate on a blog about cats. It's much more likely that a hacker would hack the site itself to inject malicious code, in which case an HTTPS certificate will not protect you at all.

Troy's video is effectively an MITM horror story with a promotion for his good works tagged onto the end. Internet users have a whole host of real cybersecurity threats to worry about before they factor MITM attacks on unsecured websites into their threat models.

Undoubtedly the internet would be a safer place if everyone had HTTPS, but in the real world internet users are not afflicted by cybercriminals launching MITM attacks on them, and there are far more profitable purposes for MITM attacks than making crude points about HTTPS certificates.

There are a thousand other cyber risks that are more likely to impact an internet user, but man-in-the-middle attacks seem to be the best justification to hand for starting up the HTTPS bully bandwagon.

The HTTPS Bully Bandwagon

The worst part of this is that people who push HTTPS EVERYWHERE do not seem to care about how much resentment they are creating by forcing this down the throats of experienced technical professionals, ones who thought they knew better before the HTTPS climate changed and the bullies tried to normalize it.

You have people like Scott Helme comparing people to anti-vaxxers, despite the fact that his primary evidence for the importance of HTTPS everywhere is that very popular people say that you should. He even has a list of them.

Beneath the cover provided to them by Troy and his HTTPS crusader website, a thousand infosec bullies are out there working their way down Troy's offender list for fun. They are out there on social media naming and shaming brands, organizations and individuals who have the audacity to say that they don't think they need to secure those totally static pages on their website.

Remember that most of the non-essential parts of the internet have been unencrypted for the last two decades, and it is only recently that the more rabid infosec professionals have launched their HTTPS bullying crusade.

Troy's latest adventure cynically capitalizes on call-out culture and security theatre. My concern is that if we let SSL bullies completely have their own way, it will validate their sanctimonious behavior and inspire others to jump on the bully bandwagon the next time they find a righteous technical cause that needs to be pushed.

People like Troy publicly bullying on social media give license to a thousand others who suddenly see a self-righteous technical crusade ahead.

The last thing that the infosec space needs is more people who "know what's best" without understanding threat models, spreading around misinformation and scaring users into not trusting anything without a magical green bar.

The most compelling reason for securing your site is to avoid the SEO penalty and provide a browser-alert-free user experience to your visitors; all the bullies are really doing is causing resentment. They certainly aren't making the internet any more secure than Google and Mozilla already have.

My advice to Troy and his gang of HTTPS posers is to stop posturing in self-righteousness and bullying others just because you can. It's not a great look.

Main Image Credit: The awesome piece of artwork used to head this article is called 'Barrio Bully' and it was created by graphic designer Jose Da Silva.

Infosec Scribe

Founder of @Secjuice and freelance writer for discerning #infosec organizations and publications. I like to help others find their voice and tell their story. - @InfosecScribe