Another Reason to Implement HTTPS Everywhere

There is no reason for a website to not at least have an HTTPS connection available to users. When websites like StartSSL provide free certificates, the old excuse of cost is no longer even applicable. Computer hardware has improved to the point where offering secure connections isn’t really that big of a drain on a server. And HTTP is just plain dangerous. Not only can any traffic sent over HTTP be viewed by anybody between the two communicating points, but it can be altered without either point knowing. That is what Verizon is now doing to its customers’ HTTP traffic:

Over the past couple of days, there’s been an outpouring of concern about Verizon’s advertising practices. Verizon Wireless is injecting a unique identifier into web requests, as data transits the network. On my phone, for example, here’s the extra HTTP header.

X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

After poring over Verizon’s related patents and marketing materials, here’s my rough understanding of how the header works.

[…]

In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. Questionable. By default, the information appears to consist of demographic and geographic segments. If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.

This is a dirty trick only made possible over unsecured connections. Secure connections, in addition to preventing anybody in between two communicating points from snooping on the communications, also provide mechanisms to verify that the data wasn’t altered while traversing between its start and end points. This is done with a wonderful algorithm called a hash-based message authentication code (HMAC). If the contents of the message are altered in any way, the HMAC will not match and the receiver can tell that the message received doesn’t match the message that was sent. HTTP, unfortunately, has no way of providing this functionality, so there is no way to know whether or not the data has been altered in transit.
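The HMAC check described above, as an added example that is not part of the original post: a request is tagged with HMAC-SHA256, a header is appended in transit, and the receiver's verification fails. The shared key, the sample request, the header value and the function names are all assumptions made for illustration; in a real secure connection the key comes out of the handshake.

```python
import hashlib
import hmac
import secrets

# Assumption: both endpoints already share this key and no device on the
# network path between them knows it.
SESSION_KEY = secrets.token_bytes(32)

# Constructed sample request (hypothetical host and path).
REQUEST = (
    b"GET /news HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def protect(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Sender side: return the message together with its HMAC-SHA256 tag."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def add_header_in_transit(message: bytes, name: bytes, value: bytes) -> bytes:
    """Model a network device appending a header before the blank line."""
    head, sep, body = message.partition(b"\r\n\r\n")
    return head + b"\r\n" + name + b": " + value + sep + body


def demo() -> dict:
    message, tag = protect(SESSION_KEY, REQUEST)
    # Constructed header value, standing in for the injected identifier.
    modified = add_header_in_transit(message, b"X-UIDH", b"CONSTRUCTED-SAMPLE-ID")
    # A device without the session key cannot produce a matching tag either.
    wrong_key_tag = hmac.new(secrets.token_bytes(32), modified, hashlib.sha256).digest()
    return {
        "untouched": verify(SESSION_KEY, message, tag),
        "modified": verify(SESSION_KEY, modified, tag),
        "modified_retagged": verify(SESSION_KEY, modified, wrong_key_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Over plain HTTP there is no tag to check, so the receiving server would simply see the modified request with the extra header.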

The bottom line is HTTP needs to die and HTTPS needs to replace it for every website.