Last month we wrote about Mozilla’s move to deprecate HTTP in favor of encrypted HTTPS, which followed on Chrome’s move to do something similar. What surprised me a bit was the response from many in our comments who didn’t think this was a good idea. People talked about how it added complications to development, or pointed to problems with the whole concept of trusting certificate authorities and a variety of other problems. Some worried about the costs associated with getting a certificate. Ben Klemens, who has written eloquently for years about the problems of software patents, wrote an article noting that this would make it difficult for individuals to easily set up their own web platforms, and require them to rely on a third party with whom you’d have to identify yourself (the certificate authority).
Of course, there are many attempts to deal with these issues, such as the big Let’s Encrypt project from EFF and others to offer free certificates. And, if you’re hosting websites online, you’re likely already going through a third party hosting provider, and it’s not clear how dealing with a certificate authority is really all that different.
But the most compelling argument I’ve seen for why this is so important comes from Eric Mill, who discusses why this is so important by highlighting the many, many ways in which the web has changed over the past few years — allowing both companies and governments to readily abuse the unencrypted nature of the legacy web, putting all of us at risk. This is a real problem that HTTPS goes a long way in solving:
But when I look at the last few years, I see a very different web than the one I was introduced to:
- Verizon injects tracking headers into unencrypted traffic so they can sell your browsing activity to advertisers. This program started in 2012, after Verizon realized they “had a latent asset”, but wasn’t noticed until 2014.
- Other companies like Turn piggyback on Verizon’s tracking header to sell your data to even more people, because they “are trying to use the most persistent identifier that we can in order to do what we do”, says Turn’s chief privacy officer.
- Comcast injects ads into unencrypted traffic, because “it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast”.
- Andreas Gal (Mozilla’s CTO, in his personal capacity) has claimed that Yahoo and Bing “can acquire search traffic by working with large Internet Service providers” to harvest users’ Google search results to improve their own — and strongly implies that they used to do this before Google shut them out through encryption. Even if you support better competition against Google, I doubt you expected your ISP to make deals to sell your traffic to other corporations without your knowledge.
- The nation of India tried and failed to ban all of GitHub. HTTPS meant they couldn’t censor individual pages, and GitHub is too important to India’s tech sector for them to ban the whole thing.
We discussed that last one last month as well, in noting how HTTPS would prevent attacks like the one China launched (and is constantly launching elsewhere as well).
And, also, it’s not just corporate abuse, but government/intelligence community abuse as well:
The NSA scans just about everything that goes through the internet backbones and saves as much of it as possible, in collaboration with intelligence agencies around the world. This is called “upstream collection”, and their “posture” is to “collect it all”. The NSA’s upstream collection program has not been reformed. It will not be reformed by the current draft of the USA Freedom Act, in fact was endorsed by the only government agency whose job it is to review it, and the most meaningful court victory so far — while a wonderful and important precedent — addresses a separate program that only touches data about telephone calls. After the Charlie Hebdo attacks, France is now making bulk internet spying explicitly legal and giving its intelligence services vast powers to work with ISPs to surveil the network. The United Kingdom is likely to do something similar, after Cameron’s strong re-election means he can make good on his pledge to make all online communication subject to monitoring.
Pretty much everyone agrees that the security certificate system has its problems. We’ve been pointing that out for years. But encouraging more encryption now is solving real problems today. And, as Mill notes, Klemens’ and others’ concerns about this move towards HTTPS being a kind of “recentarlization” of the web are also misguided. All of those examples above show how big companies and governments are, themselves, abusing the unencrypted nature of the internet to take control and force a distributed system to act more like a centralized system by inserting themselves in the middle. HTTPS actually helps protect a more decentralized web by blocking those man in the middle attacks:
When I look at all these things, I see companies and government asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to “interpret censorship as damage”.
In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.
What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.
The security certificate system isn’t perfect. But an unencrypted web has serious and dangerous flaws that put us all at risk. In the old days, people could keep their homes unlocked as well, but that got widely exploited so now most of us lock our doors. It’s not perfect and it has problems, but the overall protection is worth it. That’s even more true online where encryption is important in enabling greater freedom of expression and protection of privacy.