The Importance of Encryption, Part II: Data in Transit and HTTPS
Unprotected communications on the Internet can be viewed and modified by anyone. Ubiquitous encryption protects against this with little end-user effort.
What is the problem?
In the increasingly digital world that we live in, more and more people rely on the Internet in their daily lives. Not only has it become a primary means of obtaining information, people are now using it for a variety of purposes, from socializing (on Facebook, Twitter, etc.) to online banking. Some even use the Internet to remotely control appliances, using devices that are part of the "Internet of Things".
Many users do not realize one inherent nature of information going through the Internet: unless it is properly protected by encryption, there is no confidentiality and information cannot be trusted to have not been altered by other parties.
Let me elaborate: when two computers communicate via the Internet, they send messages to each other. After one computer sends a message, it is relayed through the network by other computers known as routers and switches until it reaches the final destination. Any of the routers and switches in the way has the ability to read and modify the information being sent.
All unprotected communications on the Internet may be viewed and modified by anyone located between the sender and the receiver.
This includes your Internet Service Provider (ISP, such as Verizon), anyone managing the network (such as your employer), and even anyone on the same network (such as others sharing a Wi-Fi hotspot). If the Wi-Fi network is not secured (no password), then this also includes anyone within wireless range.
So why is this problematic?
- Financial information need to be protected against fraud.
- Personal communications (texts and images) that often reveal a lot about a person and their family & friends should also be protected, for both privacy and security.
- Other people should not be able to hijack your Internet-connected home appliances (smart TVs, refrigerators, thermostats, locks, baby monitors, etc.) because of insecure connections.
- Internet providers should not be able to inject ads that are both intrusive and dangerous into webpages that you access and sell your browsing history without your consent.
- Many governments actively monitor all online communications in bulk without any probable cause or meaningful oversight.
- Some governments even use the ability to monitor all non-encrypted communications to enforce granular Internet censorship, where webpages are censored based on information or keywords that they contain.
- Non-secure communications to websites can be hijacked to deliver malware to end-users and even to attack other computers using the end-user's computer without detection.
But we can fix this problem.
By using strong encryption everywhere, we can effectively address this problem.
On the Internet, we can use HTTPS to protect information against interception and tampering with little effort needed on the end-user's part. All that a user needs to do is look for the secure "lock" icon displayed by their browser in the address bar when the connection to a website has been securely encrypted.
HTTPS encryption prevents information sent over the Internet from being read except by the intended recipient, and provides assurance that the data has not been tampered with by other parties during transit. It's like an obscure envelope with the sender's signature over it that can only be opened by the intended recipient.
As HTTPS is already supported by practically all browsers (Chrome, Firefox, Safari, IE, Opera, etc.) and operating systems (Windows, Mac OS, Linux), users of the Internet are already ready to use it. It is now up to website administrators and app developers to implement it properly and enable it by default so all users can be automatically protected.
It is time to enable HTTPS, everywhere. The hurdles and difficulties that once existed, such as pricey digital certificates and server performance overheads, do not exist anymore. Basic certificates can now be easily obtained for free, and advancements in both hardware and software have reduced the performance impacts to a minimum.
Many companies and organizations have already taken the lead. Technology companies, such as Google, Apple, Twitter, Facebook, GitHub, and many others have already enabled HTTPS protection for their users by default a long time ago. Recently, organizations from other fields, such as Wikipedia (Wikimedia) and The Washington Post have joined in to make the Internet more secure. The U.S. Government now has plans to enforce HTTPS for all of its websites. Chromium and Mozilla, responsible for the Chrome and Firefox, are both planning to eventually phase out non-secure HTTP.
HTTPS is already making a positive impact.
Though only about 20% of websites of the Internet are protected by HTTPS, the benefits of ubiquitous encryption are already obvious. Not only are users' account passwords no longer easily stolen from intercepted communications, users of these websites are protected from mass snooping and injected malware and advertisements that were not from the original website. HTTPS connections are designed to provide security despite potentially malicious entities in the middle of a connection.
HTTPS encryption has also prevented governments and service providers from censoring individual pages on a website. Because they can only see the websites that people are visiting (such as google.com) but not the specific pages that are being visited or terms that are being searched for, governments only have the choice of either blocking the entire website or allowing the entirety of it.
This has made censorship less viable in many cases. Both India and China have attempted to censor certain pages on GitHub and failed, because HTTPS prevented them from selectively blocking pages, and GitHub is too important to be blocked entirely. Recently, Russia attempted to block a page on Wikipedia and was forced to block all of Wikipedia because of HTTPS. The block was removed within a few hours, probably because of the value of Wikipedia and outrage among Russian Internet users.
What you can do:
- If you own or manage a website, consider making the switch to HTTPS today.
- If you regularly use a website that does not use HTTPS, ask them to consider enabling it.
- There are many websites that can be accessed over HTTPS but do not use it by default. HTTPS Everywhere is an open-source browser extension for Chrome, Firefox, and Opera that helps you use HTTPS on as many websites as possible. I highly recommend it.
Hopefully, as more and more traffic become encrypted, the Internet can become a more secure place that is less vulnerable to attacks. This way, we can continue to innovate and create better services without having to worry so much about entities in between users and web servers.