By Klint Finley via Wired.com
The Heartbleed bug crushed our faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.
Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites — like Facebook and Gmail — actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.
Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.
Cutts runs Google’s web spam team. He helps the company tweak its search engine algorithms to prioritize certain sites over others. For example, the search engine prioritizes sites that load quickly, and penalizes sites that copy — or “scrape” — text from others.
If Cutts had his way, Google would prioritize sites that use HTTPS over those that don’t, he told blogger Barry Schwartz at a conference earlier this year. The change, if it were ever implemented, would likely spur an HTTPS stampede as web sites competed for better search rankings.
Cutts, who didn’t respond to our request for comment, told Schwartz that it’s a controversial idea, and it faces some opposition within Google. A Google spokesperson would only tell us that the company has nothing to announce at this time. So this change won’t happen overnight.
Dump the Plain Text Internet
White hat hacker Moxie Marlinspike knows as well as anyone how insecure SSL/TLS can be. A former Twitter engineer, he’s uncovered multiple critical bugs in the protocols over the course of his career and has proposed an alternative way handling trust and verification in the protocol. But he still thinks that using HTTPS in as many places as possible would be a good thing. “I think there’s value to making network traffic as opaque as possible, even for static content,” he says. “Ideally we would replace plain text on the internet entirely.”
When you use HTTPS, the data is coded so that, in theory, only you and the server you’re communicating with read the contents of the messages passing back and forth between your computer and the server.
Most major websites only use HTTPS to protect your password when you login, or your credit card information when you make a purchase. But that started to change in 2010 when software developer Eric Butler released a free tool called FireSheep to show just how easy it was to temporarily take control of someone else’s account over a shared network — such as a public Wi-Fi connection.
Butler agrees that more use of HTTPS would be a good thing, pointing out that using HTTP makes it easier for governments or criminals to spy on what internet users are doing online. And Micah Lee, a technologist for The Intercept, points out that there are many situations in which it makes sense to use HTTPS besides just protecting passwords or other sensitive information.
For example, HTTPS doesn’t just encrypt the information passing between a server and your computer: It also verifies that the content you’re downloading is coming from the people you expect it to be coming from — again, in theory. That’s something that a regular HTTP connection can’t do.
“Any sort of attacks that involve tricking the victim into connecting to the attacker’s server instead of the real server gets halted by HTTPS,” Lee said via email. “And this is really important, even for non-secret content, because of integrity: you really don’t want attackers modifying the content of websites you’re visiting without your knowledge.”
For example, a country that doesn’t want its citizens getting certain information from Wikipedia can set up a system that feeds users fake Wikipedia pages. “Without HTTPS, censorship isn’t just possible,” Lee says. “It’s simple for powerful attackers like governments, and it’s impossible for ordinary users to detect.”
There are other ways that a rogue government or criminal hacker could cause problems by replacing insecure content with their own fake pages. Lee points out that many journalists post their PGP encryption keys on their websites using only HTTP. An attack could show a potential whistleblower a fake page with a fake encryption key, causing them to turn incriminating evidence over to, for example, the government or their employer.
One of the most dangerous possibilities, however, is that hackers could replace software downloads with malware. “Websites that publish software have no business ever using HTTP,” Lee says. “They should always use HTTPS. If they don’t, they’re putting software users at risk.”
The Argument Against Total SSL
But if HTTPS is so great, then why don’t all websites use it already? There are several disadvantages to using HTTPS everywhere, the World Wide Web Consortium’s HTTPS expert Yves Lafon told us in 2011.
The first is the increased cost. You have to purchase TLS certificates from one of several certificate authorities, which can cost anything from $10 dollars per year to about $1,000 dollars a year, depending on the type of certificate you purchase and the level of identify verification it provides. Another issue is that HTTPS increases server resource consumption and can slow sites down. But Marlinspike and Butler say the costs and resource overhead are actually greatly overestimated.
An issue for smaller sites is that it’s historically been hard to set up unique certificates on sites that use cheap shared hosting. Also, sites that used content delivery networks — or CDNs — to speed up their responsiveness also frequently faced challenges when implementing SSL. Both of these issues have been largely resolved today, though the costs, performance and complexity varies from host to host.
But even if the entire web isn’t ready to switch completely to HTTPS, there are plenty of reasons that more sites should start using HTTPS by default — especially sites that provide public information and software. And given how far we’ve already come since the days of FireSheep, we can expect HTTPS to continue to continue to spread, even if Google doesn’t start prioritizing sites that use it.