How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com)

← Back to Stories (view on slashdot.org)

How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com)

Posted by BeauHD on Wednesday March 16, 2016 @07:12AM from the legitimacy-of-websites dept.

alphadogg writes from an article on NetworkWorld: HTTPS is widely considered one of the keys to a safer Internet, but only if it's broadly implemented. Aiming to shed some light on how much progress has been made so far, Google on Tuesday launched a new section of its transparency report dedicated to encryption. Included in the new section is data highlighting the progress of encryption efforts both at Google and on popular third-party sites. "Our aim with this project is to hold ourselves accountable and encourage others to encrypt so we can make the Web even safer for everyone," wrote HTTPS evangelists Rutledge Chin Feman and Tim Willis on the Google Security Blog.

3 of 84 comments (clear)

Min score:

Reason:

Sort:

Backing the wrong horse by ickleberry · 2016-03-16 07:27 · Score: 3, Interesting

HTTPS isn't that safe. Any agency that can coerce one of the numerous CA's can snoop traffic quite easily. Of course Eric Schmidt is an avid fan of the surveillance society so thats why they weren't going to back anything less centralised than CA-based HTTPS
1. Re:Backing the wrong horse by shawn2772 · 2016-03-16 10:08 · Score: 3, Interesting
  
  HTTPS isn't that safe. Any agency that can coerce one of the numerous CA's can snoop traffic quite easily.
  While your concerns are real, I think they're overstated.
  A coerced CA cert does allow MITM attacks, but they have to be used very carefully and on a targeted basis, because if they're used too broadly it will be noticed. A TLS MITM attack is very noticeable to anyone who is looking. Google Chrome has caught a few subverted CAs now, thanks to certificate pinning of intermediates for Google, Verisign, GeoTrust and some others. Firefox pins large numbers of intermediates, for lots of domains. I think other browsers are also getting into it.
  
  Of course Eric Schmidt is an avid fan of the surveillance society so thats why they weren't going to back anything less centralised than CA-based HTTPS
  Nice cheap shot. In fact Google has a couple of significant projects to address the shortcomings of the CA system. One is to increase pinning, but that's kind of a hack. The other is the Certificate Transparency project, which aims to ensure that any certificate produced by any CA for any domain is visible to the owner of that domain. If that succeeds covert certificate issuance will be impossible.
  At bottom, the problem with the CA isn't centralization, it's more complicated than that. The CA system is decentralized in the sense that there are many CAs... but that makes every one of them a single point of failure. In some ways we'd be safer with a truly centralized CA system, because then we'd have one single point of failure rather than a few hundred. The semi-decentralized system we have is pretty decent... if we can enable the world to easily recognize improperly-issued certificates. Certificate Transparency is one good way to do that. I'm also a fan of the Convergence system, but in addition to the existing CA system, rather than as a replacement.
  In any case, although the CA system has some issues, and we have seen a handful of cases where they've been exploited, by and large it works very well, securing more connections and more data than anything else ever has. We'd be foolish to replace it, but augmenting it to address the problems is a good idea.
Re:Congrats Slashdot! by Lennie · 2016-03-16 10:29 · Score: 3, Interesting

You know what is good about HTTPS these days:
- HTTP/2 using HTTPS is faster than HTTP/1.x without HTTPS and it's getting easier to deploy it. For example by using the H2O webserver ( https://h2o.examp1e.net/ ) as a proxy, it comes with built in SSL/TLS library for easier deployment and support for replicating sessions.
HTTPS itself is becoming easier to deploy and manage:
- HTTPS doesn't need a dedicated IP-address any more (older browsers/operating systems had problems with the HTTPS equivalent of 'virtual hosts'):
https://en.wikipedia.org/wiki/...
- certificates are available for free with an automatic request and renewal system. So no more messing around, you can automate it. -> with Let's encrypt Beta: https://letsencrypt.org/ and for example with acmetool: https://hlandau.github.io/acme....
There are finally ways to fight the silly CA-system, not completely, but things are improving.
For regular visitors on a site you can add headers which will prevent an other CA issuing a rogue certificate for your site.
https://developer.mozilla.org/...

--
New things are always on the horizon