What HTTPS Doesn't Do
HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size of requested resources or submitted information.
HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities.
Challenges and Considerations
Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.[6] Websites with content delivery networks or server software that supports the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS.
Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use of IP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients.[7] Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency.
Mixed Content[8]: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time-consuming aspect of the migration process.
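The automated part of that effort can start with a scan for insecure references, shown here as an added example that is not part of the original memorandum: a Python scanner that lists subresources a page would fetch over plain HTTP. The tag list, the active/passive labels, the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a browser fetch a subresource. "active" = can alter the
# page (scripts, frames, stylesheets). Illustrative assumption, not a browser specification.
FETCHING_ATTRS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("link", "href"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (name, attr), kind in FETCHING_ATTRS.items():
            url = attrs.get(attr)
            if name != tag or not url:
                continue
            if tag == "link":
                # <link> fetches only for some rel values; rel=canonical is just metadata.
                rel = (attrs.get("rel") or "").lower().split()
                if "stylesheet" not in rel and "icon" not in rel:
                    continue
                kind = "active" if "stylesheet" in rel else "passive"
            # Protocol-relative (//host/x) and relative URLs inherit the page's HTTPS scheme.
            if urlsplit(url.strip()).scheme.lower() == "http":
                self.findings.append((self.getpos()[0], tag, attr, url, kind))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for illustration only.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.gov/site.css">
<link rel="canonical" href="http://www.example.gov/">
<script src="https://static.example.gov/app.js"></script>
<script src="HTTP://cdn.example.com/lib.js"></script>
</head><body><img src="//img.example.gov/logo.png">
<img src="http://img.example.gov/banner.png">
<iframe src="http://video.example.com/embed/1"></iframe>
</body></html>"""
```

Calling find_mixed_content(SAMPLE_PAGE) returns one tuple per insecure reference with its source line, so the output can feed the manual review of each resource.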
APIs and Services[9]: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.
Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices
[6] https://istlsfastyet.com
[7] https://https.cio.gov/sni/ "Server Name Identification"
[8] https://https.cio.gov/mixed-content/ "Mixed Content"
[9] https://https.cio.gov/apis/ "Migrating APIs"