Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Applauds 'Massive Change' to HTTPS (eff.org)

Posted by EditorDavid on from the securing-your-future dept.

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.

11 of 214 comments (clear)

  1. Fix my ignorance by Anonymous Coward · · Score: 5, Insightful

    If a website doesn't take any private information from you why does it need ssl/tls?

    I'm just not understanding the push for everything to be encrypted when it doesn't need to be.

    1. Re: Fix my ignorance by Anonymous Coward · · Score: 3, Insightful

      Because my little brother, guy sitting next to me at Starbucks, my ISP, and government don't need to have a clear text view of everything, or anything, I'm doing. It's not that I'm doing anything wrong... It's that it's none of their fucking business.

    2. Re:Fix my ignorance by Anonymous Coward · · Score: 0, Insightful

      On top of this model where access must be bestowed by those with authority, HTTPS *removes* anonymity in some cases.
       
      If it's crammed down your throats by Google or the Facebook, chances are that it's a trojan horse.

    3. Re: Fix my ignorance by Anonymous Coward · · Score: 2, Insightful

      ... and they have no interest whatsoever in your fucking business.

      That's not the point.

    4. Re: Fix my ignorance by lgw · · Score: 4, Insightful

      Until you speak out politically. Until you're photographed at a protest. Until you're a nuisance to those in power. Then you may find that you want the government to not have low-effort ways to attack you.

      Remember, there's no telling what topics that are innocuous today will become reputation-wrecking or outright illegal in 20 or 40 years, and the government has a habit of keeping everything in case it might be useful one day.

      Never assume that because the government has no interest in you today, that because you're not doing anything sketchy today that today's actions can't be used against you. And never assume that the government isn't recording everything.

      Anyhow, https is nearly free - why shouldn't it be used everywhere all the time? Low cost for potentially massive benefit.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re: Fix my ignorance by lgw · · Score: 3, Insightful

      No sign in, no tracking, just pics and text about characters, weapons, levels, etc...now how EXACTLY is forcing all those sites to go to HTTPS gonna make my life any safer?

      So you're researching weapons, eh? On the list with you!

      Do you somehow not understand what HTTPS is? It in no way aids anyone in tracking you (and the days of it being expensive are long gone). It does make it cost-prohibitive for the government to track the contents of everyone's internet activity. It only people doing "interesting" things use encryption, well, on the list with them!

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Re:To make hiding the malware easier. Slow no cach by suutar · · Score: 4, Insightful

    As I understand it, corporate security has the option of having you accept their keys and MITMing everything, allowing scanning and caching of activity performed from inside the corporate network. Is that incorrect?

  3. mod parent up! by Anonymous Coward · · Score: 0, Insightful

    This https movement is just backlash from people becoming aware everything was being spied upon by the USA. A bigger deal outside the USA; allies and enemies all being spied upon.

    The PROBLEM is that this is pure security theater to make people feel safer! HTTPS is easily broken by the NSA if you use any official signing authority except perhaps Let's Encrypt, but somehow I doubt that was setup as NSA proof. It's not that you are being broken into all the time; only targeted people are being broken - so it's better than previously... although the greater the targeting ability the more people will be targeted and for a longer period.

    The major problems with XSS, server breaches, malware, TRACKING, etc. are not stopped by HTTPS-- it's just 1 network layer of protection, there are other layers to attack it does nothing to help with. It only protects a narrow domain of problems while coming at a much greater cost of CPU and bandwidth that somebody should calculate the CO2 footprint for... (while they are at it the DRM overhead on HDMI would be nice to know as well... since it's a stupid waste as well.)

  4. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  5. Just the fist step by Anonymous Coward · · Score: 2, Insightful

    You just watch. In five years the major Web sites, having switched to HTTPS-only, will require personal SSL certificates to use their services. You think Google and Facebook track you now? Just wait until they can tie a browser session with your personal identity with virtual certainty.

  6. Re:To make hiding the malware easier. Slow no cach by AmiMoJo · · Score: 3, Insightful

    Not just governments spying on you, but your own ISP and advertisers too. We have already seen lots of ISPs doing MITM attacks that insert unwanted content into pages.

    Being able to see that you connected to Wikipedia is very different from being able to see that you looked at the Wikipedia page on STDs or pressure cookers or Casio watches.

    Organisation level caching is overrated these days anyway, since so much content is dynamic anyway. The benefits far outweigh the costs, especially considering that people who really need caching can just install their own certificates on their undoubtedly centrally managed computers.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC