HTTP vs HTTPS: What it Means for Internet Censorship

The difference between HTTP and HTTPS in the general Internet industry has been prominently emphasized -- after all, HTTPS is the more “secure” option, and having a more secure option means that your information is less likely to be compromised. To most users, that sounds like a plus.

However, to Internet filters, this small change opens up a can of worms. In this blog post, we’ll explain the technical difference between the two terms, and more importantly -- what this means for those wanting to censor the Internet.

Talking to the Server

HTTP, which stands for hypertext transfer protocol, is a method of communicating to the servers that host the various websites you frequent. Whenever you type “http” into your browser, you’re actually instructing your browser to open an HTTP connection to the server mentioned in the rest of the URL.

Once this connection is opened, the browser then sends data to the server via TCP (Transmission Control Protocol), which sends back data, allowing your browser to load up the website.

Talking to the Server (Safely)

But HTTP isn’t perfect, because the data sent over HTTP connections can be intercepted and read by anyone with access to the wires the data uses to get from you to the server. It’s as if you were talking to someone standing on the opposite side of a room; if neither of you wanted to move any closer to each other, anyone sitting in between you two would be able to hear what you were saying.

This can be problematic when people have to deal with sensitive information online, such as credit cards for online purchases or Social Security numbers when e-filing taxes.

The solution to this comes in the form of HTTPS -- hypertext transfer protocol secure -- which operates on the same basic framework as HTTP. However, the data in an HTTPS connection travel are scrambled in a special way, encrypted with Transport Layer Security (TLS).

Essentially, in this model, the data your browser sends is scrambled during transportation, and then decoded once it reaches the server. Data received from the server is also transmitted in this way -- so even if a third party was able to intercept the data, they’d have no way of reading it.
This way, sensitive information, such as credit card numbers, runs a lower risk of being compromised as decryption happens only after the information has been received by the intended party.

A Headache for Internet Filters

Today, HTTPS is the best practice followed by many major websites -- in fact, in Internet Monitor’s 2017 study, 40% of the sites we tested exclusively use HTTPS, including big names like Facebook, Google, and Twitter. This means that if a user attempts to connect to their site through HTTP, the site will automatically redirect them to the HTTPS connection.

Traditionally, Internet filters often used the information being sent over browsers to determine which web pages to block. Because they could see the exact page that a user was trying to access, the censors could choose to only block that specific page without blocking the rest of the site. Pakistan’s Internet censors, for example, would be able to block access to an anti-Islamic Facebook page without blocking the entirety of Facebook.

With an HTTPS connection, third parties are no longer able to get the exact data transmitted between a user’s browser and the server. They can no longer see the exact page the user is requesting: if a Pakistani user is trying to access an anti-Islam Facebook page, the censors would only be able to tell that they were trying to reach Facebook.

Iran, Turkey, and HTTPS: A Case Study

HTTPS presents a dilemma for censors: should they indiscriminately block any site where unwanted information could potentially appear, or should they give up on blocking those sites entirely?

We can see these two different approaches to HTTPS connections in action with two different government censors -- Iran’s and Turkey’s. When Wikipedia switched to HTTPS-only content delivery in June 2015, Iran chose to allow access to the entirety of Wikipedia in their country, even though it meant some controversial information might slip through. On the other hand, Turkey opted instead to block Wikipedia from their country entirely in April 2017, claiming that Wikipedia was running a “smear campaign” against Turkey.

As it stands, the long-term effect of HTTPS connections on filtering regimes is still unclear, but for most Internet users, it makes things a little more convenient -- and a lot safer.