Screenshot of WhyNoHTTPS? homepage showing the world's top five insecure websites are all Chinese.

Rise in HTTPS threatens China's internet censorship


As more websites switch to the HTTPS protocol, which encrypts connections both ways between internet users and servers, authoritarian governments may increase their censorship efforts in response.

On July 24, the Chinese government blocked all BBC sites and apps after they migrated to HTTPS just days earlier. (Read the WikiTribune story: All BBC websites blocked in China, after migrating to HTTPS.)

For major news sites, HTTPS provides significant security and defense against censorship or the modification of content. However, HTTPS also threatens the internet censorship model of a country such as China.

The high security of HTTPS means a government can no longer block specific content, such as articles that mention Tiananmen Square (New York Times), something the Chinese government has done before. So blocking a website altogether is another solution.

Troy Hunt, a security expert who co-founded WhyNoHTTPS?, a site that ranks the biggest websites that “load insecurely,” told WikiTribune that one part of the “motivation” for blocking HTTPS sites is that “it does make it harder for government oversight.”

“If the reason they blocked [the BBC] is solely because of HTTPS then that would seem to point to a lack of ability to actually monitor what’s being viewed.”

(For the data-inclined, here are two crawlers created by WhyNoHTTPS? co-founder and security researcher Scott Helme which show all sites with HTTP and HTTPS.)

What is HTTPS?

HTTPS stands for Hyper Text Transfer Protocol Secure, and is the secure version of HTTP, meaning that communications between a user’s browser and a website are encrypted. An HTTPS site is usually indicated by a green lock icon in the address bar.

A simple analogy is comparing the protocols to a meeting taking place between two representatives – the browser and the website. With HTTP, a possible intermediary between the representatives would be aware that the meeting is going on and know what is being discussed. With HTTPS, the intermediary would be aware that the meeting is happening but have no idea about the content.

The migration of sites to HTTPS is becoming the new web standard. Recently Google started to mark non-HTTPS sites as “not secure” for those using version 68 of the Google Chrome browser. Internet groups, activists, and companies aim to eventually make the web secure by default.

According to a blog post by Google, since 2016:

  • 76 percent of Chrome traffic on Android is now protected, up from 42 percent
  • 85 percent of Chrome traffic on ChromeOS is now protected, up from 67 percent
  • 83 of the top 100 sites on the web use HTTPS by default, up from 37

HTTPS was originally intended for the most sensitive data, such as passwords and payments, but recent developments in data misuse mean there’s a growing demand for security and privacy. The entire web is now moving towards it.

“There’s really no excuse for having missed this and it’s time to get on board with the evolution of the web,” wrote Helme on his blog.

HTTPS complicates censorship

Secure sites do present problems for authoritarian regimes. Though the reasons why countries censor certain websites or content are complex, it stands to reason that the migration of sites to HTTPS forces the hand of these regimes, pushing them to censor sites altogether.

When looking at the ranking on WhyNoHTTPS?, it’s striking to see how high China is on the list. The top five sites are Chinese, with Baidu, a Chinese multinational technology company and internet giant, at the top.

China, of course, stands out for its sheer size, though Turkey offers another case.

In 2017, the Turkish government blocked Wikipedia. A statement issued by the Information and Communication Technologies Authority said: “Since Wikipedia broadcasts in HTTPS protocol, it is technically impossible to filter by individual URLs to block only relevant content. Therefore, the entire Wikipedia content had to be filtered.”

Risks of non-HTTPS sites are higher

One danger of an HTTP site is that it can be vulnerable to modifications.

A report by security researchers at the University of Toronto shows how the Egyptian government, or its associates, hijacked local internet users’ connections to secretly mine the Monero cryptocurrency “en masse.” Researchers identified a scheme called “AdHose” – which uses hardware installed on Telecom Egypt networks – that covertly redirects internet users’ web traffic to malware that mines cryptocurrency. The hardware can also be used as a censorship device.

One of the most prominent industry examples of the risks to HTTP was in 2015, when the Chinese government hit the GreatFire Project on GitHub with a massive distributed denial of service (DDoS) attack. At the same time it also attacked the GitHub project of Chinese translations of the New York Times. The traffic that was directed towards GitHub came from Baidu.

“GitHub managed to weather that storm and put defenses in place such that it wouldn’t knock them off. But that was a really, really good example of malicious activity. That was a targeted attack against GitHub, they just weaponized individuals’ browsers,” said Hunt.

An insecure website also means your information is more likely to be compromised. An intermediary can usually see which website you’re going to. But HTTPS does not let an intermediary see which individual pages a user is going to on the website, or, for example, the dollar amount on a banking app. Not having HTTPS puts individuals at more risk of having their credentials compromised.
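To make the difference concrete, here is an added illustration (not part of the original article) of what an on-path intermediary can read from the first bytes of a connection: the full URL for HTTP, but only the hostname from the TLS Server Name Indication field for HTTPS. The hostname `news.example`, the request path and the minimal ClientHello bytes are constructed for this example.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is server_name (SNI)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name, name
    exts = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)        # client version, random (all zeros: sample data)
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def read_sni(record: bytes):
    """Walk the cleartext ClientHello and return the hostname in the SNI extension."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # skip session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")      # skip cipher suites
    p += 1 + record[p]                                   # skip compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        if ext_type == 0:
            name_len = int.from_bytes(record[p + 7:p + 9], "big")
            return record[p + 9:p + 9 + name_len].decode("ascii")
        p += 4 + ext_len
    return None

def observe(first_bytes: bytes) -> dict:
    """Fields an intermediary can read without any decryption key."""
    if first_bytes[:1] == b"\x16":                       # TLS handshake record
        return {"scheme": "https", "host": read_sni(first_bytes), "path": None}
    lines = first_bytes.decode("latin-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = next(l.split(":", 1)[1].strip() for l in lines[1:]
                if l.lower().startswith("host:"))
    return {"scheme": "http", "host": host, "path": path}

# Constructed samples: the same page fetched over HTTP and over HTTPS.
HTTP_SAMPLE = b"GET /world/some-sensitive-article HTTP/1.1\r\nHost: news.example\r\n\r\n"
TLS_SAMPLE = build_client_hello("news.example")

if __name__ == "__main__":
    print(observe(HTTP_SAMPLE))
    print(observe(TLS_SAMPLE))
```

With only the hostname visible, a filter cannot single out one article on an HTTPS site; it can only allow or block the whole host.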

China will find itself top of the ranking for insecure sites

In the future, more sites will migrate to HTTPS and drop off Hunt’s site – now 83 of the top 100 sites on the web already use HTTPS by default.

“What I think is going to happen over time,” said Hunt, “is we will see [China] more prominently represented in this list [WhyNoHTTPS?]. Because I don’t see anything changing anytime soon in China.”
