I believe many of my friends have run into advertisements being forcibly inserted into web pages. A perfectly clean page suddenly gets a small window that says "click on the dragon-slaying sword" and promises you a gift, which is very annoying to see. This kind of web page hijacking and forced advertising is very common in China, and is often caused by HTTP hijacking by network operators. A good solution to this hijacking is HTTPS.

[Figure: Many people have encountered webpage hijacking. HTTPS can better prevent this problem.]

HTTPS can encrypt the content transmitted by web pages, which not only prevents forced advertising but also prevents account theft. However, such a good technology has not become mainstream. Many large websites at home and abroad still do not use HTTPS for encryption. According to statistics, only 21.7% of the top one million websites in the Alexa ranking use HTTPS by default, and the situation in China is even worse, with only 0.11% of all registered domain names using HTTPS. Why is this the case? Let's talk about HTTPS today.

What is HTTPS

We usually browse websites using the HTTP protocol, which is also one of the most widely used protocols on the Internet. The protocol works roughly like this: when browsing a website, you first send a request. If you send a URL, it is resolved to the corresponding IP address through a DNS server. The server listens for the request on port 80 and, if there is no problem, returns a response message to you; the connection is then established and you can start transmitting data. This is a typical TCP connection. It takes several steps for the user and the server to establish an effective connection, but without exception the data transmitted in these steps is plain text and not encrypted.

[Figure: There are many links in web browsing. If all the information is transmitted in plain text, security and privacy will be a problem.]

No encryption means giving people with ulterior motives many opportunities to eavesdrop, just like when you pass a note to a girl in class: anyone can open it and take a look while it is being passed along, and the malicious ones will even add something to the note. It is roughly the same when you open a web page and the operator inserts advertisements into it. How can we prevent information from being tampered with? Encryption is a good solution. HTTPS is the encrypted version of HTTP.

[Figure: If there is a lock icon in the browser address bar, an HTTPS secure connection is in use.]

HTTPS uses SSL/TLS for encryption, which is an encryption system built on a public key/private key mechanism. With HTTPS, the public key, backed by the certificate system, ensures on the one hand that the user is connected to the correct website, and on the other hand, combined with the private key, ensures that network data will not be eavesdropped on. Therefore, HTTPS can prevent phishing (websites are digitally signed, and if the signature is incorrect, you cannot connect). Secondly, it encrypts the transmitted data, making it impossible for others to eavesdrop and add data, steal accounts, or insert advertisements. Compared with HTTP, HTTPS can indeed better guarantee the privacy and security of users.

Why is HTTPS still not mainstream?

Although the benefits of HTTPS are obvious, a large number of websites have still not deployed HTTPS. Even where it is deployed, it is often limited to a few places with strict security requirements, such as login pages. Why doesn't everyone switch to HTTPS? The main reason is money. HTTPS brings certain cost issues. Most people run a website to make money. If improving the user experience means losing money, they would rather not run it at all. Converting from HTTP to HTTPS comes at a cost.
For example, HTTP uses port 80 while HTTPS uses port 443. At the same time, HTTPS consumes more resources than HTTP. The SSL handshake requires more data packets, and encryption and decryption also require additional computation. To preserve the user experience after switching to HTTPS, the equipment also needs to be upgraded, for example by purchasing SSL acceleration cards. For some high-traffic sites such as video sites, this cost cannot be ignored.

For small websites, certificates are also a cost. HTTPS certificates need to be issued by a specialized organization. Certificates issued by large organizations are not free, and you have to pay hundreds or thousands of dollars every year to apply for one. Although certificates from small organizations are cheap or even free, they are not as widely applicable as certificates from large organizations, and applying for a certificate is always a hassle. For small websites, hosting them on a server that already has a certificate is a good idea, but most people are too lazy to do that. Small websites are more casual to begin with, and an unencrypted connection does not make them unusable, so their owners see no need to bother getting a certificate.

[Figure: If the certificate is incorrect, the HTTPS connection will be considered insecure by the browser.]

In addition, HTTPS has some compatibility issues. For example, after a website deploys HTTPS, if the page wants to embed content from other sites, problems may occur when the embedded content is ordinary HTTP content. You can see that some HTTPS websites cannot embed videos from sites such as Youku and Tudou, and you need to click a link and jump to the video site to watch the video. This is the reason.

Therefore, HTTPS is mainly used by some large companies with strong capital and by websites with strict security requirements.
For example, Google has money anyway, so it can afford to deploy HTTPS on all its websites. Taobao has money too, but as a shopping website the expense is not worth mentioning compared with the security issues, so all Taobao pages are served over HTTPS.

Is HTTPS foolproof?

Does using HTTPS mean everything is safe? Not really. HTTPS certificates may have security issues because some certificate-issuing organizations do not follow the rules. Some organizations abuse certificates and even create fake certificates, which can be used for man-in-the-middle attacks. For example, when you use HTTPS to connect to a site, the browser tells you that the connection is secure HTTPS, but in fact this HTTPS connection is based on a fake certificate, and everything you do on the website may be eavesdropped on by the organization holding the fake certificate.

This kind of thing really exists. For example, Gmail uses Google's own certificate, but MCS forged a fake certificate for Gmail. When users connect to Gmail, because both Google and MCS are trusted by the system and browser, the fake MCS certificate can also be used for Gmail's HTTPS connection, which is equivalent to bypassing Google's HTTPS encryption for Gmail, and Gmail is hijacked by MCS. The best way to deal with fake certificates is to delete the organization that issued them from the trusted list. Major browsers such as Chrome and Firefox announce decisions to revoke trust in the certificates of certain organizations from time to time. It is worth paying attention to news of this kind.

[Figure: MCS forged certificates to hijack Gmail's HTTPS.]

In addition to preventing eavesdropping, HTTPS can also prevent others from modifying the transmitted content, for example preventing operators from interfering with TCP connections. However, even though operators cannot see the transmitted data, they may still be able to mess with you, such as throwing a few packets at you.
Some websites have had their entire IP blocked after switching to HTTPS, so it takes quite a bit of courage for some sites to switch to HTTPS.

Summary

Even so, HTTPS is still a major trend. Many industry giants are vigorously promoting secure connections such as HTTPS. For example, Apple requires all apps in its store to use HTTPS to connect to the network, and the next-generation HTTP protocol, HTTP/2, will also force the use of encrypted connections. Therefore, it is only a matter of time before major sites switch to encrypted connections such as HTTPS. HTTPS can indeed solve many problems. I hope that the Internet can switch to encrypted connections as soon as possible to better protect the privacy and security of users.
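
The embedding problem described under the compatibility issues above (an HTTPS page that pulls in ordinary HTTP content) can be found before deployment by scanning a page for plain-HTTP subresources. The following is an added example, not code from the original article; the `audit` function, the tag table, and every host name in the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, how browsers treat a plain-HTTP load on an HTTPS page).
# "blockable" loads are refused; "upgradeable" ones (images, audio, video)
# are upgraded to HTTPS or flagged, depending on the browser.
LOADS = {"script": ("src", "blockable"), "iframe": ("src", "blockable"),
         "embed": ("src", "blockable"), "object": ("data", "blockable"),
         "link": ("href", "blockable"), "img": ("src", "upgradeable"),
         "audio": ("src", "upgradeable"), "video": ("src", "upgradeable"),
         "source": ("src", "upgradeable")}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in LOADS:
            return  # e.g. <a href>: navigation, not a subresource load
        attr, category = LOADS[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical and similar are not fetched as subresources
        if attrs.get(attr):
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((category, tag, url))

def audit(page_url, html):
    """Return the plain-HTTP subresources an HTTPS page tries to load."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all host names are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://shop.example/item/1">
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/track.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<iframe src="http://video.example/embed/42"></iframe>
<a href="http://video.example/watch/42">Watch the video</a>
</body></html>"""
```

The plain `<a href>` link to the video is not reported, which matches the workaround the article describes: linking out to the video site still works where embedding it does not.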
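
The fake-certificate case described above works because the client accepts any certificate that chains to any trusted organization. One client-side check that narrows this is certificate pinning, shown here as an added example that is not from the original article: after normal validation, the client also requires the server's certificate to match a fingerprint recorded in advance. It pins the whole leaf certificate, which is simpler than public-key pinning; `connect_pinned` and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def matches_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint is one of the pinned values."""
    return fingerprint(der_cert) in {p.lower() for p in pins}

def connect_pinned(host: str, pins, port: int = 443, timeout: float = 5.0) -> str:
    """Validate the chain and host name as usual, then enforce the pin."""
    ctx = ssl.create_default_context()  # trusts every CA in the system store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # leaf certificate, DER
            if not matches_pin(der, pins):
                # The chain was valid, but it is not the certificate we expect:
                # this is what a certificate from another trusted CA looks like.
                raise ssl.CertificateError(
                    f"{host}: certificate {fingerprint(der)} is not pinned")
            return tls.version()

# Constructed stand-ins for two DER certificates for the same host name:
# one from the site's own CA, one from a different CA the client also trusts.
GENUINE_DER = b"constructed: certificate issued by the site's own CA"
ROGUE_DER = b"constructed: certificate issued by another trusted CA"

# Pin set recorded in advance; a second (backup) pin would be added here
# before the site rotates its certificate.
PINS = {fingerprint(GENUINE_DER)}

if __name__ == "__main__":
    print("genuine accepted:", matches_pin(GENUINE_DER, PINS))
    print("rogue accepted:  ", matches_pin(ROGUE_DER, PINS))
```

A pinned client stops connecting when the site replaces its certificate unless the new fingerprint was pinned beforehand, so pins have to be rotated together with certificates.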