EFF Applauds 'Massive Change' to HTTPS

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.

To make hiding the malware easier. Slow no caching

[raymorris]

In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information. This is based on my 20+ years of internet security work throughout my career. Payment pages where people enter credit card information obviously need encryption, but in my opinion most sites see little to no benefit.

Https means it can't be loaded from your ISP or company's cache, making popular sites slower. It also prevents corporate security or your own router / firewall from seeing the malware or whatever that some hacker added to the page, and generally keeping an eye out for security problems. For public sites where you don't log in, I think https is a net reduction of security.

There *is* the argument that it makes it harder for governments to know which pages you're viewing on a site, but they still see which sites you connect to.

Re: Fix my ignorance

[AmazingRuss]

... and they have no interest whatsoever in your fucking business.

Re:To make hiding the malware easier. Slow no cach

[Graymalkin]

So you've got 20 years of professional experience yet don't recognize the dangers of MITM attacks from non-HTTPS pages?

For public sites where you don't log in, I think https is a net reduction of security.

If you are connecting to an unprotected page basically nothing on it can be actually trusted. While a page might look normal every resource and link could have been rewritten to do something malicious. You have no way of knowing that anything loaded over HTTP is what the server actually intended to send.

Links could route through fishing sites and malicious resources could be added. One of the best features of HTTPS is to make resources resistant to MITM attacks. An page with no PII can be intercepted and modified to leak that data without you even knowing.

Most people don't want or need their ISP or corporate gateway caching content. For one a browser's cache is more effective for most content since it's loaded from disk (or RAM) rather than coming over a network. Second it's more effective for ISPs to forego their own caching and simply let CDNs with their colocated edge caches handle the task. The content from the CDN to client is going to be encrypted using the source site's credentials (or authorized credentials) so end users can trust the data path to the server and the ISPs don't need to pay for the hardware. Since CDNs colocate edge caches everywhere they can afford there's little if any performance difference between a third party edge cache to the client and an ISP's edge cache to a client. They're likely to be hosted in the same buildings on the same networks.

Re: Fix my ignorance

Maybe they don't right now, or in a year, or 10 years, or maybe never.
But maybe, at some point, whoever is in control of that data decides they want to smear you by cherry picking the sites you've visited. Or maybe they use it to build a court case against you. Or maybe they use it to watch out for "dissidents" or those who won't submit to a dictatorship.

Would you want to live in a society where the gov knows exactly where you've gone and what you've done both historically and in real time? The US is dangerously close to this stage already.

HTTPS makes it just a little harder for them to do this. Does it solve every security and privacy problem? No, it sure doesn't, but it's a step in the right direction.

A democracy dies when it's people become too complacent to demand their rights be recognized.

Re: Fix my ignorance

How is adding HTTPS making things easier to track? It makes it harder not easier.

Without HTTPS anyone between your web browser and the web server at Megofan can inject HTML, including JavaScript, into the HTTP connection and cause your browser to execute the code they want it to.

The benefit of HTTPS is not JUST securing the content of the message, it's adding integrity to the message. The only way it can be broken is an SSL proxy attack using a stolen Certificate Authority that your browser also trusts. However this can be detected easily with your web browser; just click the pad lock and see what CA certified the SSL certificate in use. There's even plugins to detect this automatically and alert you.