2016 Saw A Massive Increase In Encrypted Web Traffic

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
Chipping Away at National Security Letters: 2016 in Review
Everybody Wants To Rule The World (Wide Web): 2016 in Review
Fighting for Fair Use and Safer Harbors: 2016 in Review
Secure Messaging Takes Some Steps Forward, Some Steps Back: 2016 In Review
Most Young Gig Economy Companies Way Behind On Protecting User Data: 2016 In Review
Dark Skies for International Copyright: 2016 in Review
Congress Gives FOIA a Modest but Important Update For Its 50th Birthday: 2016 in Review
Our Fight to Rein In the CFAA: 2016 in Review
The Patent Troll Abides: 2016 in Review
DRM vs. Civil Liberties: 2016 in Review
The Fight to Rein in NSA Surveillance: 2016 in Review
The Year in Government Hacking: 2016 in Review
What Happened to Unlocking the Box? 2016 in Review
Top 5 Threats to Transparency: 2016 in Review
Technical Developments in Cryptography: 2016 in Review
This Year in U.S. Copyright Policy: 2016 in Review
Open Access Rewards Passionate Curiosity: 2016 in Review
Censorship on Social Media: 2016 in Review
Defending Student Data from Classrooms to the Cloud: 2016 in Review
Protecting Net Neutrality and the Open Internet: 2016 in Review
U.S. Trade Representative Gets Piracy Website Listing Notoriously Wrong
HTTPS Deployment Growing by Leaps and Bounds: 2016 in Review
Defending the Digital Future: 2016 in Review

Thank you Mr. Snowden!!!

A true hero to anyone concerned about internet privacy.

Re:Thank you Mr. Snowden!!!

[dgatwood]

Thank you Mr. Snowden!!!

Snowden's revelations were years ago, and probably had very little impact on this. The reason HTTPS went way up in 2016 is that Apple said that they were going to mandate use of HTTPS in all iOS apps, which forced all the ad networks to switch to HTTPS.

Unfortunately, their subsequent decertification of StartSSL (the only CA whose free certificates don't require continuous auto-renewal) is likely to make a large number of smaller sites go back from HTTPS to HTTP, erasing much of the benefit.

Yes but

[Artem+S.+Tashkinov]

It would have been all great if governments couldn't exert power over certificate authorities. The reality however is different.

We need a universally adopted system which doesn't allow to circumvent the process of issuing certificates or at least protect against rogue certificates - then we may sing praises.

Re:Yes but

[SuricouRaven]

Governments can do that, but not nearly so easily. If they use bulk interception that way, the site operator may well notice eventually - it's trivial to check for. Just contact a few random site users and ask them what cert hash they are seeing. It also destroys trust in the CA, which means people switch to another on that cannot be so easily compromised by that specific government.

SSL and a CA system doesn't make it impossible to monitor individuals, just makes it impossible to monitor entire populations without a substantial risk of detection.

Re:Yes but

That was a close one, wasn't it? We could almost have had DNSSEC based key management, but instead "we" managed to perpetuate the borken certificate authority system, now with less verification.

Re:Yes but

[Artem+S.+Tashkinov]

If they use bulk interception that way, the site operator may well notice eventually - it's trivial to check for. Just contact a few random site users and ask them what cert hash they are seeing.

You must be smoking some strong weed if you believe that the average Joe even grasps the concept of CA. Most of them don't even understand what connection encryption is. All they understand is that if there's a green lock sign next to the domain name then they are secure. Then we've already seen how a lock sign can be faked, how the domain name can be faked, etc. etc. etc. Most people don't even understand what the address bar is - they usually enter domain names into ... a search string of their favorite search engine. Just a week ago I had a client who said he couldn't access the URL I'd sent to him earlier because ... it turned out the client tried to enter it into ... Google. And since the URL was internal Google of course couldn't index it and showed zero results.

Unless we make HTTPS more or less unbreakable (so that it is fully transparent to the user and doesn't require any additional actions) your "measures" aren't worth a penny: "the site operator", "check a website hash against the known hash", etc. etc. etc. - this all won't work ever.

Over the years we've seen millions of websites being hacked because site operators "forgot" to update their software. Over the years we've seen many high profile attacks against users who opened whatever attachments they received via e-mail. Computing and the Internet are way too difficult for most people - they regard it as an instrument.

Re:Yes but

[chihowa]

We've had a viable system on the table for years now, but certain big players have backed away from it in favor of a doubling down on the CA model.

Re:Yes but

[Kjella]

You must be smoking some strong weed if you believe that the average Joe even grasps the concept of CA. Most of them don't even understand what connection encryption is.

You don't need random users, just traffic appearing like it so they don't MITM everyone but your test connection. Try it from home or your private cell phone. Ask a friend or family member to check. Use a public WiFi spot or go to a library. Use a proxy or VPN. Ask some privacy watchdog organization for volunteers. If any of them get the wrong certificate it's happening. You're not trying to find targeted attacks, you just want to know if they have a giant dragnet doing it to everyone. Did you see the Snowden movie? If they're not doing doing it until they have a particular reason to, that's still a huge win for privacy.

Re:Yes but

> It also destroys trust in the CA, which means people switch to another on that cannot be so easily compromised by that specific government.

$DEITY, I wish. CAs have inappropriately issued _wide_ certs (for names such as "mail" or "news") to people, issued certs to entities that clearly didn't control those domains, left their private keys on a publicly accessible portion of their website (!), issued certs that could be used to issue _more_ certs for _any_ domain(!!), and on and on and on. AFAIK, only _one_ CA has ever been removed from web browsers' trusted issuer lists, and that's DigiNotar.

CAs should have been getting killed left and right for the shit many of them have done, but that just doesn't happen.

Re:Yes but

[FeelGood314]

Certificate transparency (CT) is making it unlikely any CA will ever issue a certificate to anyone other than the legitimate owner of a site. The risk of getting caught is nearly 100%. Once CT gets some added auditing features built into the browsers even the NSA will have difficulty preventing a target from knowing they have been presented with a fraudulent certificate. https://en.wikipedia.org/wiki/Certificate_Transparency/

Re:Frist psot

+ Enigmail + Full disk encryption + Tor + Tails + Burner laptop @ coffee shop + Groucho Glasses and trenchcoat + getaway car + fake passport.

Google is the reason

[yuvcifjt]

As much as I hate and disdain the spying empire Google; private companies only thought about adopting https because of Google's hint of ranking sites based on utilising https encryption.

Anything Google does is for its own selfish purpose, not for the good of humanity - so the reason for the push towards https is so that Google (almost alone) has analytics and information about site visitors and the amount of money e-commerce and such sites are making. Without encryption, countless other firms (such as alexa) was capturing user analytics through approaching different providers, and often directly from ISP's.

Remember, Google's trackers are almost ubiquitous (unlike facebook), so they want to own alone the vast amounts of info on users and organisations - and then use this info to either catalogue people and/or sell this to evil companies/organisations, such as insurance firms and governments.

Information is power, user information is even more power, especially if you alone hold that data.

Re:Google is the reason

[NotAPK]

Ha ha, very funny. As it happens, and not that you care, but I gave up helping people to "be popular" over a decade ago. Best thing I ever did. Helping people is a gift, not an obligation, and when you give freely you become free yourself. Try it sometime, it will make you a much better person.

Re:Encrypted is in the eye of the beholder

[AmiMoJo]

The goal is to stop mass surveillance. If GCHQ or the NSA really want that data, they will hack the site anyway.

By using HTTPS everywhere it just makes their job harder, so they can't spy on everyone by default.

Re:Frist psot

[Kjella]

And on topic: I don't know much about cybersecurity but I would like to make sure the emails I send can not be read easily by people to whom my emails are not addressed. How can I go about that?

All you have is an address. To make an analogy to physical mail there's some security in sending letters instead of postcards but really most is in the postal system and the security of the recipient's mailbox which is out of your control. Not much you can do if I want it on my web mail, it's going to semi-permanently live on someone else's server in plaintext. If you want more security than that you need your communication partner to work with you, even if it's so low tech that you call them up and say the password for the encrypted attachment is luggage12345. If they don't want to play ball, no game.

If your security concerns resonate well with the recipient and all you want is security and not anonymity in a convenient package I'd suggest you both forget email and install Signal. It's mainstream, open source, you need a phone (cell phone, Google Voice, VoIP or landline) to register but you can install a desktop app in Chrome/Chromium after that and gives you easy encrypted text and voice messages. There's more to it if you're really concerned about social engineering, man-in-the-middle attacks, malware-infected phones/computers, metadata analysis etc. but it's overkill for you.

That works for everyone where you'd have each other's phone numbers. It's not yet perfect for asymmetric, anonymous or covert relationships like whistleblowers, forming an underground organization, operating in a non-democratic country where using encryption tools is in itself outlawed or dangerous or having a secret identity like being a closeted homosexual, mostly because you're tied to a phone number that binds it all together and burner phones are inconvenient and not available in all parts of the world and it depends on a server in the middle that's trivial to block.

Re:Encrypted is in the eye of the beholder

[Kjella]

HTTPS doesn't hide what computers contacts other computers. I doubt NSA cares that much about the actual content of the communication. By just checking the metadata they can see if someone is communicating with someone on their naughty-list and add them to it. It doesn't matter if you just asked what time it was. If you are talking with a terrorist you are considered to be a terrorist.

The metadata NSA is after is not your computer contacting to facebook.com, it's Alice sending a Facebook message to Bob. They very much want to unwrap HTTPS to get to their level of metadata. And I'm pretty sure they slurped up the content too, because we're the NSA and the rules don't apply to us.

tapping glass and Room 641a

The goal is to stop mass surveillance. If GCHQ or the NSA really want that data, they will hack the site anyway.

By using HTTPS everywhere it just makes their job harder, so they can't spy on everyone by default.

Specifically it stops them from 'tapping glass' in places like Room 641a:

* https://en.wikipedia.org/wiki/Room_641A

There are valid reasons for surveillance and wire tapping on individuals; there are few-to-no valid reasons for mass surveillance. HTTPS everywhere stops the latter.

Re:tapping glass and Room 641a

[WaffleMonster]

Specifically it stops them from 'tapping glass' in places like Room 641a:

* https://en.wikipedia.org/wiki/...

There are valid reasons for surveillance and wire tapping on individuals; there are few-to-no valid reasons for mass surveillance. HTTPS everywhere stops the latter.

HTTPS doesn't prevent leakage of timing and size of content. Server name is sent in the clear and TLS identifier used for session resumption is not obscured allowing activities within a site to be linked to specific browser instances.

With some analysis they can still deduce exactly what many people are doing despite encryption.

Re:HTTPS/TLS not really secure?

[WaffleMonster]

Correct me if I am wrong, but isn't every public server handling TLS connections basically non-secure as a middle man, between a website and someone's web browser?

Surely not to be confused with end-to-end encryption?

There are at least two answers.

Answer 1 - It is E2E and secure against active man in the middle attack:

Browser maintains a list of entities it trusts. Secure websites advertise a certificate blessed by one of those entities. Since an active middleman does not possess secure websites private key it does not have the means to trick browsers into thinking attacking site / proxy was blessed by a trusted entity.

Answer 2 - Answer 1 is in real terms just an illusion:

It is also necessary to consider practically how trust is managed in the real world. Today "blessing" by trusted entities is a completely lights out automated process often relying exclusively on unsecured communications in the areas of naming, addressing and web server probe (e.g. leap of faith) to achieve.

Lets say you have access to see/change traffic to or from a victim server. You can use this access to go to any legitimate SSL provider and rewrite probe requests from this SSL provider to trick it into thinking you have demonstrated ownership of a system you are requesting a certificate for.

You may now leverage your shiny new blessed certificate using your own private key to intercept servers TLS connections with victim browsers having no idea their communications are being compromised.