You’ve no doubt noticed that chrome now marks any non https-site as insecure. Its no longer that ‘https is secure the rest is unspoken’. Its actively insecure.
Some sites have no support for https (shame). Some have support, but you have to remember to use that URL (should redirect).
But, what is the thinking behind ones that actively down-grade you? Witness Canadian Cire. A great spot to buy a belt perhaps. But why if i try ‘https://www.canadiantire.ca/’ it will force me to ‘http://www.canadiantire.ca’?
Here’s the tale of the tape. We see the server has a valid certificate. It even supports HTTP/2. But, it forces me to drop to non-encrypted flow. You see those last couple of lines? These are your session cookies. They maintain if you do switch to ssl to buy something online w/ them. This is terrible.
Google has also started to raise the search relevance of secure sites, so it actively hurts them.
So who’s with me in starting a campaign. If we see a web site that is not TLS, lets say something. Let’s Encrypt has made it free and easy. Google has launched the .app domain, SSL included w/ your name. Its 2018. We should be demanding TLS 1.3 w/ encrypted SNI, 0-RTT, elliptic-curve only. We should not be accepting ‘downgrade to in-the-clear’.
Lets make a ‘see something say something’ type campaign. #tlsorbust ? #tlswallofshame?
$ curl -v https://www.canadiantire.ca/ * Trying 220.127.116.11... * TCP_NODELAY set * Connected to www.canadiantire.ca (18.104.22.168) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: ... * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: C=CA; ST=Ontario; L=Toronto; O=Canadian Tire corporation; CN=www.canadiantire.ca * start date: May 9 00:00:00 2018 GMT * expire date: Aug 8 12:00:00 2019 GMT * subjectAltName: host "www.canadiantire.ca" matched cert's "www.canadiantire.ca" * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018 * SSL certificate verify ok. > GET / HTTP/1.1 > Host: www.canadiantire.ca > User-Agent: curl/7.58.0 > Accept: */* > < HTTP/1.1 301 Moved Permanently < Content-Type: text/html; charset=iso-8859-1 < Content-Length: 250 < X-Frame-Options: SAMEORIGIN < Location: http://www.canadiantire.ca/en.html < Cache-Control: max-age=86400 < Expires: Thu, 30 Aug 2018 20:56:26 GMT < Content-Encoding: gzip < Date: Wed, 29 Aug 2018 20:56:26 GMT < Connection: keep-alive < Set-Cookie: disp_id_prd11=173769bf046e88 ...; path=/ < Set-Cookie: BIG_COOKIE_PRD2=rd40o000 ...; path=/ < Set-Cookie: TS01915929=012ceeafe60a6c ... Path=/