Slashdot Mirror


2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org)

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
Chipping Away at National Security Letters: 2016 in Review
Everybody Wants To Rule The World (Wide Web): 2016 in Review
Fighting for Fair Use and Safer Harbors: 2016 in Review
Secure Messaging Takes Some Steps Forward, Some Steps Back: 2016 In Review
Most Young Gig Economy Companies Way Behind On Protecting User Data: 2016 In Review
Dark Skies for International Copyright: 2016 in Review
Congress Gives FOIA a Modest but Important Update For Its 50th Birthday: 2016 in Review
Our Fight to Rein In the CFAA: 2016 in Review
The Patent Troll Abides: 2016 in Review
DRM vs. Civil Liberties: 2016 in Review
The Fight to Rein in NSA Surveillance: 2016 in Review
The Year in Government Hacking: 2016 in Review
What Happened to Unlocking the Box? 2016 in Review
Top 5 Threats to Transparency: 2016 in Review
Technical Developments in Cryptography: 2016 in Review
This Year in U.S. Copyright Policy: 2016 in Review
Open Access Rewards Passionate Curiosity: 2016 in Review
Censorship on Social Media: 2016 in Review
Defending Student Data from Classrooms to the Cloud: 2016 in Review
Protecting Net Neutrality and the Open Internet: 2016 in Review
U.S. Trade Representative Gets Piracy Website Listing Notoriously Wrong
HTTPS Deployment Growing by Leaps and Bounds: 2016 in Review
Defending the Digital Future: 2016 in Review

91 comments

  1. Frist psot by tsa · · Score: 1

    A happy new year to you all

    And on topic: I don't know much about cybersecurity but I would like to make sure the emails I send can not be read easily by people to whom my emails are not addressed. How can I go about that?

    --

    -- Cheers!

    1. Re:Frist psot by Anonymous Coward · · Score: 0

      And on topic: I don't know much about cybersecurity but I would like to make sure the emails I send can not be read easily by people to whom my emails are not addressed. How can I go about that?

      PGP.

    2. Re:Frist psot by Anonymous Coward · · Score: 2, Funny

      + Enigmail + Full disk encryption + Tor + Tails + Burner laptop @ coffee shop + Groucho Glasses and trenchcoat + getaway car + fake passport.

    3. Re:Frist psot by Anonymous Coward · · Score: 1

      If you just need them to not be decrypted in transit, you may be ok as long as you and they are both using something that shoves them around with TLS. Google does this, as do many others. If everyone is pushing the data encrypted, it won't be able to be read by someone who is recording that traffic.

      https://www.google.com/transparencyreport/saferemail/

      If you need only your recipients to be able to read the messages EVER, then you need them to do something too. Anything in a gmail inbox, for instance, is readable by google, at the very least. In that case, you might do well with tutanota (you can send an email to a person, who instead gets a link to tutanota, and they must input a preshared password to read it), or you and your communication partners could all use tutanota, or you and your communication partners could use another solution, such as PGP. Either way they have to be on board as well for it to happen.

    4. Re:Frist psot by Anonymous Coward · · Score: 1

      PGP.

      Recipient deletes your encrypted block of shit, never fucking talks to you again.

    5. Re:Frist psot by ls671 · · Score: 1

      GPG

      --
      Everything I write is lies, read between the lines.
    6. Re:Frist psot by Anonymous Coward · · Score: 0

      This. Pretty much what happens. The truth is, people do not like to be inconvenienced and PGP et al. are simply too much of a bother to install, configure and use effectively. If people have to go through additional steps to read an e-mail or anything, this interrupts the seamless experience they have come to love and enjoy, and they reject it. Moreover, people tend to shun those they perceive as weird, and those paranoid enough to want to encrypt their every message are seen as weird. And in the end, what good is any form of encryption if all it takes is a law forcing you to decrypt your data or go to jail, and all is for naught? Forget it. There are things that are just too big for us. Enjoy life to its fullest (which is getting harder and harder every day) and forget about the rest.

    7. Re:Frist psot by AmiMoJo · · Score: 1

      Try Signal. It's available for Android and iOS. It's messaging as opposed to email, but it's easier to use than the only real option for email (PGP).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re: Frist psot by Anonymous Coward · · Score: 1

      Fake boobs, high heels, fingerprint prosthetics

    9. Re:Frist psot by Anonymous Coward · · Score: 1

      That may be too big for you. I do not see how to enjoy my life after giving up my fundamental rights first. USA laws do not really seem to require that.

    10. Re:Frist psot by Anonymous Coward · · Score: 1

      Anyone who wants to recommend either GPG or PGP should have read and should give a good answer to both of the following articles.

      why Johnny can't encrypt

      why I'm giving up on PGP

      And you should include hello to avoid the issues mentioned if you are making a recommendation.

    11. Re:Frist psot by ls671 · · Score: 1

      First, it's "helo" not "hello" like in:

      helo localhost
      250 google.com Hello localhost [::1]

      hello localhost
      500 unrecognized command

      Now, I sign all outgoing email; it never hurt anybody. Also, it advertises that I can exchange encrypted mail should the other party ever wish to do so.

      --
      Everything I write is lies, read between the lines.
    12. Re:Frist psot by Kjella · · Score: 2

      And on topic: I don't know much about cybersecurity but I would like to make sure the emails I send can not be read easily by people to whom my emails are not addressed. How can I go about that?

      All you have is an address. To make an analogy to physical mail there's some security in sending letters instead of postcards but really most is in the postal system and the security of the recipient's mailbox which is out of your control. Not much you can do if I want it on my web mail, it's going to semi-permanently live on someone else's server in plaintext. If you want more security than that you need your communication partner to work with you, even if it's so low tech that you call them up and say the password for the encrypted attachment is luggage12345. If they don't want to play ball, no game.

      If your security concerns resonate well with the recipient and all you want is security and not anonymity in a convenient package I'd suggest you both forget email and install Signal. It's mainstream, open source, you need a phone (cell phone, Google Voice, VoIP or landline) to register but you can install a desktop app in Chrome/Chromium after that and gives you easy encrypted text and voice messages. There's more to it if you're really concerned about social engineering, man-in-the-middle attacks, malware-infected phones/computers, metadata analysis etc. but it's overkill for you.

      That works for everyone where you'd have each other's phone numbers. It's not yet perfect for asymmetric, anonymous or covert relationships like whistleblowers, forming an underground organization, operating in a non-democratic country where using encryption tools is in itself outlawed or dangerous or having a secret identity like being a closeted homosexual, mostly because you're tied to a phone number that binds it all together and burner phones are inconvenient and not available in all parts of the world and it depends on a server in the middle that's trivial to block.

      --
      Live today, because you never know what tomorrow brings
    13. Re: Frist psot by Anonymous Coward · · Score: 0

      ProtonMail. If you're OK with leaving your existing mail client. End-to-end encrypted email for the masses. I'm not affiliated with the company but found them after a bit of research.

    14. Re:Frist psot by tsa · · Score: 1

      There are many relatively secure messaging programs for Android and iOS but for work people use email and that is for some reason still as secure as when I started using the internet in 1992. That's why I asked for a safe way of sending email.

      --

      -- Cheers!

    15. Re: Frist psot by Anonymous Coward · · Score: 0

      What you want is end to end encryption. That way nobody except for the intended recipient can read it. Not google, not the NSA, nobody. Email itself is just a message delivery mechanism. SMTP supports this with X509, but both sender and recipient need email certificates, and need to be able to securely exchange public keys.

  2. Thank you Mr. Snowden!!! by Anonymous Coward · · Score: 5, Insightful

    A true hero to anyone concerned about internet privacy.

    1. Re:Thank you Mr. Snowden!!! by Anonymous Coward · · Score: 0

      A true hero to anyone concerned about internet privacy.

      A true hero to anyone concerned about internet privacy.

      He's a hero of all people and should get Nobel Prize.

      How many people does the N$A have? Why have only two people come forward so far? All are cowards, and they are heroes.

      COWARDS.

    2. Re:Thank you Mr. Snowden!!! by Anonymous Coward · · Score: 0

      Very good message comrade Lewinski

    3. Re:Thank you Mr. Snowden!!! by dgatwood · · Score: 4, Informative

      Thank you Mr. Snowden!!!

      Snowden's revelations were years ago, and probably had very little impact on this. The reason HTTPS went way up in 2016 is that Apple said that they were going to mandate use of HTTPS in all iOS apps, which forced all the ad networks to switch to HTTPS.

      Unfortunately, their subsequent decertification of StartSSL (the only CA whose free certificates don't require continuous auto-renewal) is likely to make a large number of smaller sites go back from HTTPS to HTTP, erasing much of the benefit.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:Thank you Mr. Snowden!!! by Anonymous Coward · · Score: 0

      Why do you hate Snowden?

    5. Re:Thank you Mr. Snowden!!! by Anonymous Coward · · Score: 0

      Think of the children.

    6. Re:Thank you Mr. Snowden!!! by tepples · · Score: 1

      StartSSL (the only CA whose free certificates don't require continuous auto-renewal)

      StartSSL certificates had to be renewed every 366 days.

    7. Re:Thank you Mr. Snowden!!! by fbobraga · · Score: 1

      You didn't like it, huh, AC?

    8. Re:Thank you Mr. Snowden!!! by fbobraga · · Score: 1

      Snowden's revelations were years ago, and probably had very little impact on this.

      You are very wrong (this kind of change takes time...)

    9. Re:Thank you Mr. Snowden!!! by fbobraga · · Score: 1

      Here in Brazil the "Snowden" movie had an extended title: "Snowden: herói ou traidor?" (in Portuguese; English version: "Snowden: hero or traitor?")

      * the translated movie titles here are normally funny, because they have so little relation to the original title :P

  3. Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

    HTTPS is not secure and as long as you use a CA neither are you.

    1. Re:Encrypted is in the eye of the beholder by AmiMoJo · · Score: 4, Insightful

      The goal is to stop mass surveillance. If GCHQ or the NSA really want that data, they will hack the site anyway.

      By using HTTPS everywhere it just makes their job harder, so they can't spy on everyone by default.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Encrypted is in the eye of the beholder by Z00L00K · · Score: 1

      You mean a public CA. If you run your private CA it's a different matter.

      However it won't stop the gun to your head or banging your knuckles with a hammer attacks.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      HTTPS doesn't hide which computers contact other computers.
      I doubt the NSA cares that much about the actual content of the communication.
      By just checking the metadata they can see if someone is communicating with someone on their naughty list and add them to it.
      It doesn't matter if you just asked what time it was. If you are talking with a terrorist you are considered to be a terrorist.

    4. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      Nothing is going to stop mass surveillance. Get over it. If you inconvenience them, they will not give up, they will - successfully - lobby politicians into banning encryption that is not State-approved. Want to go to prison for 10 years for downloading some software? Keep challenging the sociopath with guns and complete immunity and sooner or later you end up dead.

    5. Re:Encrypted is in the eye of the beholder by Kjella · · Score: 3, Insightful

      HTTPS doesn't hide which computers contact other computers. I doubt the NSA cares that much about the actual content of the communication. By just checking the metadata they can see if someone is communicating with someone on their naughty list and add them to it. It doesn't matter if you just asked what time it was. If you are talking with a terrorist you are considered to be a terrorist.

      The metadata NSA is after is not your computer contacting to facebook.com, it's Alice sending a Facebook message to Bob. They very much want to unwrap HTTPS to get to their level of metadata. And I'm pretty sure they slurped up the content too, because we're the NSA and the rules don't apply to us.

      --
      Live today, because you never know what tomorrow brings
    6. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      Keep challenging the sociopath with guns and complete immunity and sooner or later you end up dead.

      They can't kill all of us. They need us to work more than we need them to lead.

    7. Re:Encrypted is in the eye of the beholder by BitterOak · · Score: 1

      The goal is to stop mass surveillance. If GCHQ or the NSA really want that data, they will hack the site anyway.

      By using HTTPS everywhere it just makes their job harder, so they can't spy on everyone by default.

      Wrong. The NSA only needs to hack the CAs. Once they do that once, it takes no further effort on their part to engage in the kind of mass surveillance they did before people started using encryption for their web surfing. You're only fooling yourself if you think that using https is going to make the job any more difficult for the NSA.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    8. Re:Encrypted is in the eye of the beholder by tepples · · Score: 1

      If you run your private CA it's a different matter.

      If you run a private CA, forget about owners of bring-your-own devices being able to figure out how to trust its root certificate.

    9. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      Excuse you, but I dare the GCHQ or NSA to hack my hardened OpenBSD web server behind a properly configured pfsense firewall.

      Protip: they can't. No, they really can't. No, I know someone is writing a post trying to say I'm wrong, but they really really can't. For real, they can't.

    10. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      This town needs an enema.

    11. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      The metadata NSA is after is not your computer contacting to facebook.com, it's Alice sending a Facebook message to Bob. They very much want to unwrap HTTPS to get to their level of metadata.

      No need to unwrap HTTPS for this. When nearly everybody uses the same messaging system (Facebook), the NSA (or cops or other spies) simply install their snooping inside Facebook. Facebook conveniently decrypts its end of the communication, and then the agencies snoop on the raw information. HTTPS everywhere is not much of a problem, because most sites are not two-way communication sites. The NSA (and NSA competitors) doesn't care that you read your news using HTTPS. They know what's in that communication because they can read the news site themselves.

    12. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      Excuse you, but I dare the GCHQ or NSA to hack my hardened OpenBSD web server behind a properly configured pfsense firewall.

      Protip: they can't. No, they really can't. No, I know someone is writing a post trying to say I'm wrong, but they really really can't. For real, they can't.

      They may not be able to hack through a well-made firewall, but a firewall doesn't stop physical access. If they want in, they access the server while you're away. Door locks are easier, in many ways.

    13. Re:Encrypted is in the eye of the beholder by fbobraga · · Score: 1

      I doubt NSA cares that much about the actual content of the communication.
      By just checking the metadata they can see if someone is communicating with someone on their naughty-list and add them to it.

      Not 100% accurate, but a very good point to consider

    14. Re:Encrypted is in the eye of the beholder by fbobraga · · Score: 1

      Nice catch

    15. Re:Encrypted is in the eye of the beholder by Anonymous Coward · · Score: 0

      Re: "Get over it."

      Ah, no. You've given up, certainly that much is clear. Your participation in democracy will be missed. When the system gets cleaned up it will be without you, and perhaps you may have to explain to your children (assuming you have any) how you threw in the towel when things got difficult. Why you abandoned your values in the face of some resistance.

      There was a time in Western Europe when no right-thinking, patriotic, educated and aware citizen could imagine a governing system not based upon a monarchy. All the intrusions into citizen's lives were just part and parcel. The King or Queen were the boss, what could anyone do?

      The TLAs want you to "Get over it". That is the role they have assigned to you and you've taken the bait. You are beaten.

      Remember McCarthyism? Imagine someone questioning the trials, the Congressional investigations, the blacklists. Imagine a citizen (or even 2 citizens!) standing up to Joe McCarthy. Why, he was a veritable king, an emperor, a god! And who can be for the godless Communists anyway?

      Yes, you resent Big Brother now, but soon you will learn to love him. Then the struggle will be over for you. Rest In Peace.

  4. Slashdot what is your excuse?? by Anonymous Coward · · Score: 1

    Why doesn't /. have an .onion site?

    You can set this up in like 5 mins., and you can generate an 8 char. vanity domain using Garlic in probably an hour or two.

    What is the excuse?

    1. Re: Slashdot what is your excuse?? by Anonymous Coward · · Score: 0

      You think the mods know anything about tech?

      Hahahhaahahahah!!

    2. Re:Slashdot what is your excuse?? by Anonymous Coward · · Score: 0

      Why doesn't /. have an .onion site?

      You can set this up in like 5 mins., and you can generate an 8 char. vanity domain using Garlic in probably an hour or two.

      What is the excuse?

      Orin Hatch has garlic in his rectum.

  5. Yes but by Artem+S.+Tashkinov · · Score: 3, Interesting

    It would have been all great if governments couldn't exert power over certificate authorities. The reality however is different.

    We need a universally adopted system which doesn't allow to circumvent the process of issuing certificates or at least protect against rogue certificates - then we may sing praises.

    1. Re:Yes but by SuricouRaven · · Score: 3, Interesting

      Governments can do that, but not nearly so easily. If they use bulk interception that way, the site operator may well notice eventually - it's trivial to check for. Just contact a few random site users and ask them what cert hash they are seeing. It also destroys trust in the CA, which means people switch to another one that cannot be so easily compromised by that specific government.

      SSL and a CA system doesn't make it impossible to monitor individuals, just makes it impossible to monitor entire populations without a substantial risk of detection.

    2. Re:Yes but by Anonymous Coward · · Score: 2, Insightful

      That was a close one, wasn't it? We could almost have had DNSSEC based key management, but instead "we" managed to perpetuate the borken certificate authority system, now with less verification.

    3. Re:Yes but by Artem+S.+Tashkinov · · Score: 2

      If they use bulk interception that way, the site operator may well notice eventually - it's trivial to check for. Just contact a few random site users and ask them what cert hash they are seeing.

      You must be smoking some strong weed if you believe that the average Joe even grasps the concept of CA. Most of them don't even understand what connection encryption is. All they understand is that if there's a green lock sign next to the domain name then they are secure. Then we've already seen how a lock sign can be faked, how the domain name can be faked, etc. etc. etc. Most people don't even understand what the address bar is - they usually enter domain names into ... a search string of their favorite search engine. Just a week ago I had a client who said he couldn't access the URL I'd sent to him earlier because ... it turned out the client tried to enter it into ... Google. And since the URL was internal Google of course couldn't index it and showed zero results.

      Unless we make HTTPS more or less unbreakable (so that it is fully transparent to the user and doesn't require any additional actions) your "measures" aren't worth a penny: "the site operator", "check a website hash against the known hash", etc. etc. etc. - this all won't work ever.

      Over the years we've seen millions of websites being hacked because site operators "forgot" to update their software. Over the years we've seen many high profile attacks against users who opened whatever attachments they received via e-mail. Computing and the Internet are way too difficult for most people - they regard it as an instrument.

    4. Re:Yes but by chihowa · · Score: 3, Informative

      We've had a viable system on the table for years now, but certain big players have backed away from it in favor of a doubling down on the CA model.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    5. Re:Yes but by Kjella · · Score: 2

      You must be smoking some strong weed if you believe that the average Joe even grasps the concept of CA. Most of them don't even understand what connection encryption is.

      You don't need random users, just traffic appearing like it so they don't MITM everyone but your test connection. Try it from home or your private cell phone. Ask a friend or family member to check. Use a public WiFi spot or go to a library. Use a proxy or VPN. Ask some privacy watchdog organization for volunteers. If any of them get the wrong certificate it's happening. You're not trying to find targeted attacks, you just want to know if they have a giant dragnet doing it to everyone. Did you see the Snowden movie? If they're not doing it until they have a particular reason to, that's still a huge win for privacy.

      --
      Live today, because you never know what tomorrow brings
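The check SuricouRaven and Kjella describe, as an added example that is not code from the thread: gather the SHA-256 fingerprint of the leaf certificate a site presents to several vantage points and flag any vantage point that saw something outside the operator's own set of legitimate certificates. Host names, vantage point names and fingerprints in the demo are constructed; `fetch_fingerprint` needs network access and is only provided for real use.

```python
"""Detecting a dragnet TLS interception by comparing what different vantage
points see.  The operator knows the fingerprint(s) of the certificate(s) they
actually deployed; volunteers at home, on mobile, in a library, behind a VPN
report what their client was shown.  Any mismatch is worth investigating."""
import hashlib
import ssl
from typing import Dict, Iterable, List


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form browsers
    display under 'certificate details', so volunteers can paste it as-is."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate THIS vantage point is shown.

    ssl.get_server_certificate() deliberately does not validate the chain:
    we want to record whatever was presented, including an intercepting
    proxy's certificate, rather than have the fetch fail on it.  Requires
    network access, so it is not exercised by the offline demo below."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def _normalise(fingerprint: str) -> str:
    # Accept 'AB:CD', 'ab:cd' and 'abcd' as the same value; volunteers copy
    # fingerprints from many different tools.
    return fingerprint.replace(":", "").replace(" ", "").upper()


def disagreeing_vantages(observations: Dict[str, str],
                         legitimate: Iterable[str]) -> List[str]:
    """Return the vantage points whose observed leaf certificate is not one
    the operator deployed.  `legitimate` is a set rather than a single value
    because a site may legitimately serve several certificates at once
    (rotation in progress, multiple load balancers, CDN edges); only
    certificates outside that set indicate something else terminated TLS."""
    allowed = {_normalise(fp) for fp in legitimate}
    return sorted(name for name, seen in observations.items()
                  if _normalise(seen) not in allowed)


def demo() -> List[str]:
    """Constructed observations: one vantage point was shown a certificate the
    operator never deployed.  Values are placeholders, not real fingerprints."""
    deployed = {"AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:"
                "AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA",
                "bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:"
                "bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb"}
    reported = {
        "home-dsl": "AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:"
                    "AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA",
        "mobile": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
        "library-wifi": "CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:"
                        "CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC",
    }
    return disagreeing_vantages(reported, deployed)


if __name__ == "__main__":
    print("vantage points shown an unexpected certificate:", demo())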
    6. Re:Yes but by Anonymous Coward · · Score: 3, Insightful

      > It also destroys trust in the CA, which means people switch to another one that cannot be so easily compromised by that specific government.

      $DEITY, I wish. CAs have inappropriately issued _wide_ certs (for names such as "mail" or "news") to people, issued certs to entities that clearly didn't control those domains, left their private keys on a publicly accessible portion of their website (!), issued certs that could be used to issue _more_ certs for _any_ domain(!!), and on and on and on. AFAIK, only _one_ CA has ever been removed from web browsers' trusted issuer lists, and that's DigiNotar.

      CAs should have been getting killed left and right for the shit many of them have done, but that just doesn't happen.

    7. Re:Yes but by FeelGood314 · · Score: 3, Interesting

      Certificate transparency (CT) is making it unlikely any CA will ever issue a certificate to anyone other than the legitimate owner of a site. The risk of getting caught is nearly 100%. Once CT gets some added auditing features built into the browsers even the NSA will have difficulty preventing a target from knowing they have been presented with a fraudulent certificate. https://en.wikipedia.org/wiki/Certificate_Transparency/

    8. Re:Yes but by tepples · · Score: 1

      AFAIK, only _one_ CA has ever been removed from web browsers' trusted issuer lists, and that's DigiNotar.

      Certificates issued by StartCom and WoSign on or after 2016-10-21 are distrusted because of backdating to circumvent SHA-1 phase-out.

    9. Re:Yes but by fbobraga · · Score: 1

      mod parent up

  6. Lets encrypt by ruir · · Score: 1

    At which point is not lets encrypt a conspiracy to reduce the number of sites with self-signed certificates?

    1. Re:Lets encrypt by Anonymous Coward · · Score: 0

      Essentially no meaningful sites use self-signed certificates, because browsers throw fits when they see such certs. Those few people who are willing to pay that price are unlikely to be using LetsEncrypt or any other CA-based certificate provider.

    2. Re:Lets encrypt by fbobraga · · Score: 1

      Let's Encrypt is just a low-price alternative for small webservers...

      * hurry: get the tinfoil hat!

  7. HTTPS/TLS not really secure? by Anonymous Coward · · Score: 0

    Correct me if I am wrong, but isn't every public server handling TLS connections basically non-secure as a middle man, between a website and someone's web browser?

    Surely not to be confused with end-to-end encryption?

    1. Re:HTTPS/TLS not really secure? by WaffleMonster · · Score: 2

      Correct me if I am wrong, but isn't every public server handling TLS connections basically non-secure as a middle man, between a website and someone's web browser?

      Surely not to be confused with end-to-end encryption?

      There are at least two answers.

      Answer 1 - It is E2E and secure against active man in the middle attack:

      The browser maintains a list of entities it trusts. Secure websites advertise a certificate blessed by one of those entities. Since an active middleman does not possess the secure website's private key, it does not have the means to trick browsers into thinking the attacking site / proxy was blessed by a trusted entity.

      Answer 2 - Answer 1 is in real terms just an illusion:

      It is also necessary to consider practically how trust is managed in the real world. Today "blessing" by trusted entities is a completely lights out automated process often relying exclusively on unsecured communications in the areas of naming, addressing and web server probe (e.g. leap of faith) to achieve.

      Let's say you have access to see/change traffic to or from a victim server. You can use this access to go to any legitimate SSL provider and rewrite probe requests from this SSL provider to trick it into thinking you have demonstrated ownership of the system you are requesting a certificate for.

      You may now leverage your shiny new blessed certificate using your own private key to intercept the server's TLS connections, with victim browsers having no idea their communications are being compromised.
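A minimal simulation of the validation weakness in Answer 2 beside its standard mitigation, added here as an example and not code from the thread or from any CA: a single-vantage HTTP-01 style probe accepts whatever the one network path returns, whereas probing from several independent vantage points and requiring agreement turns the same situation into a refused issuance with a record of which vantage points disagreed. All paths, tokens and vantage point names are constructed and nothing touches the network.

```python
"""Domain validation from one vantage point versus several.

A CA asks for a challenge token at a well-known path on the domain and issues
if the reply matches.  The check is only as trustworthy as the network path
between the probe and the origin, so the hardened form asks the same question
from independent vantage points and refuses unless they agree."""
from typing import Callable, Dict, List, Optional, Tuple

# A "vantage point" is just: path -> body that vantage point receives.
Fetch = Callable[[str], Optional[str]]


def origin_server(published: Dict[str, str]) -> Fetch:
    """The legitimate site: serves only the challenge files its owner placed."""
    return lambda path: published.get(path)


def altered_path(upstream: Fetch, overrides: Dict[str, str]) -> Fetch:
    """A network path on which replies to the probe may differ from what the
    origin actually serves (the situation the comment describes).  Modelled
    as a lookup so the validator's behaviour can be shown; nothing more."""
    return lambda path: overrides.get(path, upstream(path))


def validate_single(fetch: Fetch, path: str, expected: str) -> bool:
    """The lights-out check: one probe, one path, issue on a match."""
    return fetch(path) == expected


def validate_multi(vantages: Dict[str, Fetch], path: str,
                   expected: str) -> Tuple[bool, List[str]]:
    """Hardened check: every vantage point must see the expected token.

    Returns (issue?, vantage points that disagreed).  Disagreement is the
    interesting signal for the CA's monitoring, not just a failed request."""
    disagreeing = sorted(name for name, fetch in vantages.items()
                         if fetch(path) != expected)
    return (not disagreeing, disagreeing)


def demo() -> Tuple[bool, bool, List[str]]:
    """Constructed scenario: the domain's owner never requested a certificate,
    so the origin serves no challenge file at all, yet the path the primary
    validator uses returns the token a third party asked the CA to check."""
    challenge_path = "/.well-known/acme-challenge/constructed-token"
    requested_token = "constructed-token.constructed-key-thumbprint"

    origin = origin_server({})  # owner published nothing
    primary_path = altered_path(origin, {challenge_path: requested_token})

    fooled = validate_single(primary_path, challenge_path, requested_token)

    vantages = {"ca-primary": primary_path,    # the altered path
                "remote-a": origin,            # independent paths see the origin
                "remote-b": origin}
    issued, disagreed = validate_multi(vantages, challenge_path, requested_token)
    return fooled, issued, disagreed


if __name__ == "__main__":
    fooled, issued, disagreed = demo()
    print(f"single vantage issued: {fooled}")
    print(f"multi vantage issued: {issued}, disagreeing: {disagreed}")
```

Multi-perspective validation raises the bar rather than removing the risk: a party positioned directly in front of the origin is seen by every vantage point alike, which is why CAA records and Certificate Transparency monitoring are used alongside it.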

  8. CNN by Anonymous Coward · · Score: 0

    Meanwhile CNN and other fake news sites including slashdot don't bother to encrypt.

    1. Re:CNN by Anonymous Coward · · Score: 0

      Says https://yro.slashdot.org/story... on my url bar

    2. Re:CNN by Z80a · · Score: 1

      And how can I be sure YOU are not fake news disguised as a user?

    3. Re:CNN by Z00L00K · · Score: 1

      But you can't be sure that there isn't a "man in the middle" attack on this. As long as governments are involved they have the power to get approved certificates to place in proxies.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re: CNN by Anonymous Coward · · Score: 0

      Just as well. I am in a hotel that redirects to an internal page until you register. And https pages get all messed up because the certs don't match the site. The workaround is to go to the unencrypted cnn.com, which lets me register my phone for the day. After that all is good.

  9. How much of it didn't need to be? by Anonymous Coward · · Score: 0

    I hope I did my part by streaming a few terabytes of unencrypted music last year.

  10. Google is the reason by yuvcifjt · · Score: 5, Interesting

    As much as I hate and disdain the spying empire Google; private companies only thought about adopting https because of Google's hint of ranking sites based on utilising https encryption.

    Anything Google does is for its own selfish purpose, not for the good of humanity - so the reason for the push towards https is so that Google (almost alone) has analytics and information about site visitors and the amount of money e-commerce and such sites are making. Without encryption, countless other firms (such as Alexa) were capturing user analytics by approaching different providers, and often directly from ISPs.

    Remember, Google's trackers are almost ubiquitous (unlike facebook), so they want to own alone the vast amounts of info on users and organisations - and then use this info to either catalogue people and/or sell this to evil companies/organisations, such as insurance firms and governments.

    Information is power, user information is even more power, especially if you alone hold that data.

    1. Re:Google is the reason by dgatwood · · Score: 1

      That's no doubt part of it, but I think the bigger cause was Apple threatening to stop allowing new submissions of apps unless they moved to HTTPS (with only narrow exceptions for web views), which meant that every ad network was forced to switch to HTTPS if they wanted to keep their lucrative iOS clients. As a side effect, most ads shown on normal websites are now served via HTTPS, too.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Google is the reason by Anonymous Coward · · Score: 0

      With Google, YOU, YOUR LIFE and EVERYTHING about YOU, YOUR Family, Friends, the rest is the PRODUCT.
      They own the history of your life, what you buy, where you go, who your online friends are.

      They own you. You are not a free person. You are a Number (the Prisoner was right) in their Database of Humanity.
      They will sell your life to the highest bidder without flinching.

      Get used to it. It will only get worse.

    3. Re:Google is the reason by NotAPK · · Score: 1

      I went to set up an iPod Touch for a friend the other day. Can't believe that in addition to asking for a lot of personal identifying information (date of birth, address, email, three security questions quite similar to those used in banking, etc.) the Apple ID account creation process *forces* you to enter a credit card to sign up. What possible justification has Apple made to substantiate this requirement? All I want to do is install a few programs to make the little thing more useful for my friend. Even though this item was a Christmas present, I advised her to return it and tell her other friend that it's just a shiny paperweight.

    4. Re:Google is the reason by Anonymous Coward · · Score: 0

      You just lost two friends. That's it. Oh, they won't tell you to get lost right away, this is the 21st Century. You will simply be ghosted. Your messages or mails won't be replied to, if you ever ask one of them if they would like to meet for a drink or anything, they will be busy. In time you will give up and wonder what happened. Meanwhile a Cool Kid will have done what they asked for. You are the paperweight now. Still all techno-smug, nerd?

    5. Re:Google is the reason by NotAPK · · Score: 2

      Ha ha, very funny. As it happens, and not that you care, but I gave up helping people to "be popular" over a decade ago. Best thing I ever did. Helping people is a gift, not an obligation, and when you give freely you become free yourself. Try it sometime, it will make you a much better person.

    6. Re: Google is the reason by Anonymous Coward · · Score: 0

      Ah yes, solitude... The ultimate freedom. It must be a great consolation in those long, cold, lonely nights.

    7. Re:Google is the reason by Anonymous Coward · · Score: 0

      > As much as I hate and disdain the spying empire Google; private companies only thought about adopting https
      > because of Google's hint of ranking sites based on utilising https encryption.

      Now we just need Google to announce that as of 2020 all mails to Gmail without working STARTTLS will be rejected...

    8. Re:Google is the reason by tepples · · Score: 1

      Unless "being popular" is how you find a potential coworker. They used to call it "professional networking" before LinkedIn co-opted that phrase.

    9. Re:Google is the reason by tepples · · Score: 1

      Registering an Apple ID on a device requires a payment method in order to reduce friction toward the user's first App Store, iTunes Store, or IAP purchase. This makes the platform more attractive to developers so that they don't have to rely on ads so much.

    10. Re:Google is the reason by Anonymous Coward · · Score: 0

      Correction, if true: Just lost two morons pretending to be friends, but in fact wanting you as their free computer repair person.

      Friends don't let friends use crapware.

    11. Re:Google is the reason by Anonymous Coward · · Score: 0

      Ah, LinkedIn, the king of spamming using people's email credentials. We never forget bad behavior on that scale of awful. It must have been pretty annoying to be trying to get a job using LinkedIn when everyone started blocking any mail with "LinkedIn" in it.

    12. Re:Google is the reason by Anonymous Coward · · Score: 0

      You just lost two friends. That's it. Oh, they won't tell you to get lost right away, this is the 21st Century. You will simply be ghosted. Your messages or mails won't be replied to, if you ever ask one of them if they would like to meet for a drink or anything, they will be busy. In time you will give up and wonder what happened. Meanwhile a Cool Kid will have done what they asked for. You are the paperweight now. Still all techno-smug, nerd?

      Is this domestic propaganda? I strongly believe it is. The US government has teams of people for domestic propaganda. They want it to be uncool to avoid surveillance. They use grassroots-looking propaganda, like this comment, as one way to influence the population.

    13. Re:Google is the reason by Anonymous Coward · · Score: 0

      the Apple ID account creation process *forces* you to enter a credit card to sign up.

      Android also wants that - but at least there is an offer to postpone the credit card stuff. (You may be setting up a device without a credit card on hand, wanting to get going NOW.)

      So I never gave my phone a credit card number. That means no purchased apps - but also zero risk of unexpected in-app expenses. When my card only has one month left, I plan on using it to purchase a few interesting apps; in the meantime I use the ad-supported versions.

    14. Re:Google is the reason by fbobraga · · Score: 1

      Calm down, sir: you are slobbering (it can be a disease that can be transmitted to others...)

  11. Also router-based content blockers... by CrankyOldEngineer · · Score: 1

    which are used by businesses, schools, government agencies, and do-it-yourselfers who don't want to rely on the users to maintain and use an end-point filter. Google and Facebook want you to be able to see their ads at work! There are two known solutions to filtering encrypted content at the border: explicit proxy configured by group policy, or transparent proxy with dedicated certificate authority. Both have reliability and privacy issues.

    --
    COE

  12. tapping glass and Room 641a by Anonymous Coward · · Score: 2, Insightful

    The goal is to stop mass surveillance. If GCHQ or the NSA really want that data, they will hack the site anyway.

    By using HTTPS everywhere it just makes their job harder, so they can't spy on everyone by default.

    Specifically it stops them from 'tapping glass' in places like Room 641a:

    * https://en.wikipedia.org/wiki/Room_641A

    There are valid reasons for surveillance and wire tapping on individuals; there are few-to-no valid reasons for mass surveillance. HTTPS everywhere stops the latter.

    1. Re:tapping glass and Room 641a by WaffleMonster · · Score: 2

      Specifically it stops them from 'tapping glass' in places like Room 641a:

      * https://en.wikipedia.org/wiki/...

      There are valid reasons for surveillance and wire tapping on individuals; there are few-to-no valid reasons for mass surveillance. HTTPS everywhere stops the latter.

      HTTPS doesn't prevent leakage of timing and size of content. The server name is sent in the clear, and the TLS identifier used for session resumption is not obscured, allowing activities within a site to be linked to specific browser instances.

      With some analysis they can still deduce exactly what many people are doing despite encryption.
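WaffleMonster's point that the server name and the session ID are readable without any key can be shown directly. The Go program below is an added example, not code from the comment or from EFF: it builds a constructed TLS 1.2 ClientHello (not captured traffic) and then parses it the way a passive tap on the wire would, with bounds checks so a truncated or non-TLS record is rejected rather than misread.

```go
package main

import "errors"

// u16 appends a 16-bit big-endian length field; be decodes one (0 for a nil slice).
func u16(b []byte, v int) []byte { return append(b, byte(v>>8), byte(v)) }
func be(b []byte) (v int) {
	for _, x := range b {
		v = v<<8 | int(x)
	}
	return v
}

// buildClientHello assembles a minimal TLS 1.2 ClientHello record (a constructed sample, not captured traffic).
func buildClientHello(host string, sid []byte) []byte {
	sni := append(u16(append(u16(nil, 3+len(host)), 0), len(host)), host...) // list len, host_name type, name len, name
	ext := append(u16(u16(nil, 0), len(sni)), sni...)                      // extension_type 0 = server_name
	body := append([]byte{3, 3}, make([]byte, 32)...)                      // client_version, random (zeros here)
	body = append(append(body, byte(len(sid))), sid...)                    // legacy session_id, sent in the clear
	body = append(body, 0, 2, 0xc0, 0x2f, 1, 0)                            // one cipher suite, null compression
	body = append(u16(body, len(ext)), ext...)
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...) // client_hello, 24-bit length
	return append(u16([]byte{0x16, 3, 1}, len(hs)), hs...)                   // record: handshake, version, length
}

// parseClientHello walks the record the way a passive tap would and returns the two cleartext identifiers.
func parseClientHello(rec []byte) (sni string, sid []byte, err error) {
	if len(rec) < 43 || rec[0] != 0x16 || rec[5] != 1 {
		return "", nil, errors.New("not a TLS ClientHello record")
	}
	b := rec[43:]                      // past record header, handshake header, client_version and random
	take := func(n int) (out []byte) { // bounds-checked read; sets err and returns nil when short
		if err == nil && len(b) >= n {
			out, b = b[:n], b[n:]
			return out
		}
		err = errors.New("truncated ClientHello")
		return nil
	}
	sid = take(be(take(1)))                     // session_id
	_, _ = take(be(take(2))), take(be(take(1))) // skip cipher_suites and compression_methods
	for b = take(be(take(2))); err == nil && len(b) > 0; { // walk the extensions block
		typ, data := be(take(2)), take(be(take(2)))
		if typ == 0 && len(data) >= 5 && 5+be(data[3:5]) <= len(data) { // server_name: list len, name_type, name len, name
			sni = string(data[5 : 5+be(data[3:5])])
		}
	}
	return sni, sid, err
}
```

Encrypted Client Hello is the proposed fix for the SNI part; TLS 1.3 still sends its resumption identity (the PSK ticket) in the clear, so linkability there depends on servers not letting tickets be reused.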

  13. Don't use email by Anonymous Coward · · Score: 0

    Noted cybersecurity expert Baron Trump recommends people use carrier pigeons instead.

  14. X509 seems easier. by Anonymous Coward · · Score: 0

    Many email clients support this, and if you don't trust a CA use self-signed certs.

  15. Bulk interception isn't the problem... by Anonymous Coward · · Score: 0

    It is the leaking of private host keys via the cloud provider, or physical hardware ME exploits that should be concerning to people.

    Those with the keys control the world and all that.

    If they can get both the encrypted traffic and the keys then you might as well just go back to plaintext for 9/10s of internet traffic, since outside of online ordering and maybe service passwords the traffic content is already available to the parties you are concerned about.

    Really at this point in time what is needed is not encrypted connections, but private-key-signed JavaScript, website content, and authentication tokens/session keys. If the server side of that content is all signed offline, the key can remain secure, ensuring the published content is what was uploaded and subverting the MITM threat, provided the site is consistent in key usage and you pinned the signing keys by hostname or URI. This WOULD slow down web publishing since the key would need to be on either an air-gapped computer, or some sort of smartcard/TPM device that was only connected during the signing process (and ideally not connected to the network during that time, to reduce chances of malicious code using the signing device to sign a 'mirror script' with their own modifications included.)

    Done as stated above the majority of internet malware could be eliminated, end to end encryption would only be required for the semblance of security, and certificate authorities would not need to be implicitly trusted every time, since you would be pinning the scripting key the first time you visited a site, triggering an error the first time either malicious content attempts to be served, or the first time you connect to the 'correct' website if a malicious replacement site's key was pinned instead (the latter of which is already possible with HTTPS, especially in foreign countries/domestic corporations that perform MITM attacks using private CA keys added to the OS keychain and proxy the connections as secure after decrypting them first, which completely mitigates the desired protection AND provides a false sense of security to citizens/employees who are ignorant of the web browser security model's shortcomings.)
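The scheme proposed in the comment above (content signed offline, signing key pinned per hostname on the first visit, an error on any later key change or bad signature) as an added example in Go using Ed25519. This is not code from the commenter or from any real browser; the hostnames and page content are constructed. It also exhibits the failure mode the comment mentions: once a wrong key has been pinned for a host, the genuine site's content is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

var (
	ErrKeyChanged = errors.New("signing key differs from the key pinned for this host")
	ErrBadSig     = errors.New("content signature does not verify")
)

// Signer is the offline publishing side: the private key never leaves it, and only the
// content, its detached signature and the public key are uploaded to the web server.
type Signer struct{ priv ed25519.PrivateKey }

func NewSigner() (Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return Signer{priv}, err
}

// Publish returns what the server will hand out alongside the content.
func (s Signer) Publish(content []byte) (sig []byte, pub ed25519.PublicKey) {
	return ed25519.Sign(s.priv, content), s.priv.Public().(ed25519.PublicKey)
}

// PinStore is the browser-side trust-on-first-use store, keyed by hostname.
type PinStore map[string]ed25519.PublicKey

// Verify pins the advertised key on the first visit to host; afterwards it rejects
// content presented with a different key or with a bad signature. A key whose
// signature fails is never pinned, so a garbled first response cannot poison the store.
func (p PinStore) Verify(host string, pub ed25519.PublicKey, content, sig []byte) error {
	pinned, ok := p[host]
	if ok && !pinned.Equal(pub) {
		return ErrKeyChanged
	}
	if !ed25519.Verify(pub, content, sig) {
		return ErrBadSig
	}
	if !ok {
		p[host] = pub // first contact: whatever key is seen now is trusted from here on
	}
	return nil
}
```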

    1. Re:Bulk interception isn't the problem... by Anonymous Coward · · Score: 0

      It is the leaking of private host keys via the cloud provider,

      When you care about security, you DO NOT use 'a cloud provider'. Especially if you try to keep secrets from governments. The cloud is strictly for stuff whose security you DON'T CARE about. I.e. pictures of kittens and such.