As more websites switch to the HTTPS protocol, which encrypts connections to websites, authoritarian governments may expand their censorship.
On July 24, the Chinese government blocked all BBC sites and apps after they migrated to HTTPS. For major news sites, HTTPS provides significant security and defense against censorship or modification of their content. For a regime such as China, HTTPS threatens its internet censorship model.
Before, it was possible to block only specific content, such as a page that mentions Tiananmen Square; the high security of HTTPS changes this. Selectively blocking content within a site cannot be achieved with HTTPS, so as a result, blocking a website altogether is a solution.
Troy Hunt, a security expert who co-founded WhyNoHTTPS?, a site that ranks the biggest websites that load insecurely, told WikiTribune that one part of the “motivation” for blocking HTTPS sites is that “it does make it harder for government oversight.”
“If the reason they blocked [the BBC] is solely because of HTTPS then that would seem to point to a lack of ability to actually monitor what’s being viewed.”
What is HTTPS?
HTTPS stands for Hyper Text Transfer Protocol Secure, and is the secure version of HTTP. This means communications between a user’s browser and the website are encrypted. An HTTPS site is indicated by a green lock icon in the address bar.
A simple analogy is to compare the protocol to a meeting. With HTTP, you’re aware that a meeting is going on and what’s being discussed. With HTTPS, you’re aware a meeting is going on but you don’t know what’s being discussed.
Migration of sites to HTTPS is becoming the new web standard. Recently Google started to mark non-HTTPS sites as “not secure” for those using version 68 of Google Chrome. The aim is to eventually make the web secure by default.
According to a blog post by Google:
- Over 68% of Chrome traffic on both Android and Windows is now protected
- Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
- 81 of the top 100 sites on the web use HTTPS by default
HTTPS was originally intended for the most sensitive data, such as passwords and payment, but recent developments in data misuse mean there’s a growing demand for security and privacy. The entire web is now moving towards it.
“There’s really no excuse for having missed this and it’s time to get on board with the evolution of the web,” wrote Scott Helme, a security researcher and co-founder of WhyNoHTTPS?, on his blog.
HTTPS complicates censorship
Secure sites do present problems for authoritarian regimes. Though the reasons countries censor certain websites or content are complex, the migration of sites to HTTPS does, it stands to reason, force these regimes to censor sites altogether.
When looking at the ranking on WhyNoHTTPS?, it’s striking to see how high up China is on the list. The top five sites are Chinese, with Baidu, a Chinese multinational technology company, at the top.
“My gut feel is that it has more to do with the interception requirements in China than what…the technology requires. Because those technology requirements exist everywhere,” said Hunt.
“So if there was a requirement from the government to be able to access data in transit, which would then lead us to the discussion about things like the BBC situation when they recently went HTTPS.”
China, of course, stands out for its sheer size on the WhyNoHTTPS? list, so it’s difficult to say if this would extend elsewhere, though Turkey proves to be another case.
In 2017, the Turkish government blocked Wikipedia. A statement issued by the Information and Communication Technologies Authority (BTK) said: “Since Wikipedia broadcasts in HTTPS protocol, it is technically impossible to filter by individual URLs to block only relevant content. Therefore, the entire Wikipedia content had to be filtered.”
Threats of non-HTTPS are higher
One threat of an HTTP site is that it’s likely to be modified.
A report by security researchers at the University of Toronto shows how the Egyptian Government hijacked local internet users’ connections to secretly mine the Monero cryptocurrency “en masse.” Researchers identified a scheme called “AdHose” – which relies on hardware installed within the networks of Telecom Egypt – that covertly redirects internet users’ web traffic to malware that mines the cryptocurrency or to display ads.
One of the most prominent industry examples was in 2015, when the Chinese government took a dislike to the GreatFire Project on GitHub and hit it with a massive distributed denial of service (DDoS) attack. The other GitHub project that was hit was the Chinese translations of the New York Times. The traffic directed towards GitHub came from Chinese internet giant Baidu, which happens to be number one on WhyNoHTTPS?.
“GitHub managed to weather that storm and put defences in place such that it wouldn’t knock them off. But that was a really, really good example of malicious activity. That was a targeted attack against GitHub, they just weaponized individuals’ browsers,” said Hunt.
An insecure website also means your information is more likely to be compromised. An intermediary can usually see which website you’re going to. But with HTTPS, it can no longer see which pages you’re going to on the website. For example, it cannot see the dollar amount on a banking app. Not having HTTPS puts individuals at more risk of having their credentials compromised.
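What a network intermediary can read in each case, as an added example that is not part of the original article: it parses the first bytes of a constructed plaintext HTTP request and of a constructed TLS ClientHello. The hostname, path and function names are made up for illustration, and the sketch assumes the ClientHello fits in one record and the server name is sent unencrypted.

```python
import struct

# Constructed sample: a plaintext HTTP request as it appears on the wire.
HTTP_REQUEST = (b"GET /news/some-article HTTP/1.1\r\n"
                b"Host: news.example.org\r\nUser-Agent: demo\r\n\r\n")

def build_client_hello(hostname):
    """Build a constructed, minimal TLS ClientHello record with an SNI extension."""
    name = hostname.encode("ascii")
    # server_name data: list length, name type 0 (host_name), name length, name
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)      # legacy version, 32-byte random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record):
    """Return the cleartext server name from a ClientHello, or None."""
    pos = 5 + 4 + 2 + 32                                       # headers, version, random
    pos += 1 + record[pos]                                     # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")      # cipher suites
    pos += 1 + record[pos]                                     # compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        if ext_type == 0:                                      # server_name
            name_len = int.from_bytes(record[pos + 7:pos + 9], "big")
            return record[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def observer_view(first_bytes):
    """What a passive on-path observer learns from a connection's first bytes."""
    if first_bytes[:1] == b"\x16":                             # TLS handshake record
        return {"host": parse_sni(first_bytes), "path": None}  # path is encrypted later
    lines = first_bytes.split(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"host": headers.get("Host"), "path": path}

if __name__ == "__main__":
    print("HTTP :", observer_view(HTTP_REQUEST))
    print("HTTPS:", observer_view(build_client_hello("news.example.org")))
```

With HTTP the observer recovers both the host and the page path; with HTTPS only the host is readable, which is why page-level filtering gives way to whole-site blocking.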
China will find itself top of the ranking for insecure sites
In the future, more sites will migrate to HTTPS and drop off the HTTP list on Hunt’s site. 81 of the top 100 sites on the web already use HTTPS by default.
“What I think is going to happen over time,” said Hunt, “is we will see [China] more prominently represented in this list [WhyNoHTTPS?]. Because I don’t see anything changing anytime soon in China.”