Minerva Studio - Fotolia

What are the challenges of migrating to HTTPS from HTTP?

Migrating to HTTPS from HTTP is a good idea for security, but the process can be a challenge. Expert Matthew Pascucci explains how to make it easier for enterprises.

HTTPS is better for security, but the transition to it is proving difficult (as shown by USPTO switching back to HTTP). What are the challenges of migrating to HTTPS, and what should enterprises do?

The United States Patent and Trademark Office (USPTO) recently had an issue switching from HTTP to HTTPS on its website, and had to temporarily revert back to HTTP during the process.

In June of 2015, the U.S. government mandated that all publicly accessible federal websites provide secure connections to their services to protect data in transit. This is important because all traffic going to these sites and services is being sent in the clear, and has the risk of being eavesdropped on by an attacker.

Migrating to HTTPS has gotten much easier over the past couple years, but there are still issues and concerns that should be considered when making the move. A few large vendors, like Google, are depreciating HTTP by alerting the user when they try to access a site in Chrome that uses HTTP and that may send sensitive data. Google Chrome will eventually have a security warning set for all HTTP sites.

In the past, one of the major pain points for organizations moving to SSL was the cost of the certificate, but Let's Encrypt stepped in to issue free certificates for anyone who requested them, which helped push the progress of those looking to make the jump to HTTPS.

When migrating to HTTPS, an organization should review a few things: the web server in use, the ciphers available and if it can perform TLS 1.2. There could potentially be a higher technical overhead on the system where the HTTPS connection is being established, and organizations will want to verify that they have the proper hardware to handle these requests. This will be different for every organization, and could be no issue at all, but it's always better to check first.

It is also a good idea to use the latest ciphers if the web server allows them. This will give the SSL connection as much security as possible. However, having an SSL certificate on your web server alone doesn't mean that you're completely secure. Using TLS 1.1 or 1.2 will also increase the security of the connection, but depending on customer requests to the site, this has to be reviewed on an organization-by-organization basis.

When migrating to HTTPS, it's also highly recommended to configure perfect forward secrecy to secure the sessions in case the private key is ever compromised. Lastly, run your site through an SSL checker to validate your SSL configuration after it's live (companies such as Qualys and DigiCert offer this as a free service). If there are any SSL issues or security concerns, then they'll show up in the scan.

Often, there are a few housekeeping issues to take care of after migrating to HTTPS. The first would be to set up a 301 redirect from anything HTTP to HTTPS. This will send users who are accustomed to accessing a site via HTTP to the same resource on HTTPS. If this isn't done, the site could be seen as inoperable to the user.

It's also important to make sure all the internal links on the page are adjusted so they do not cause performance issues with the page and potentially cost your site an SEO hit.

Also, verify where the SSL connection is going to be terminated. Will it be on the server itself or will load balancing occur? If end-to-end encryption is needed and load balancing is used, make sure the connection is re-encrypted after being decrypted by the load balancer to the web server.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Find out how an HTTPS session can get hijacked with the Forbidden attack

Learn how to avoid HTTPS traffic exploits

Discover the benefits and drawbacks of switching to HTTPS

This was last published in July 2017

Dig Deeper on Application and platform security