COMPUTER SECURITY NEWS is usually pretty dismal, from malware crippling the web to ransomware taking down hospitals. But the web is getting safer in an important way.
Today, for the first time, more than half of the web pages loaded by Firefox users came over an encrypted connection, according to telemetry published by Mozilla, the organization behind the Firefox web browser. That means when you visit a website, you’re now more likely than not to see a little green lock right next to its address. That lock indicates that the page came to you via HTTPS, the web’s secure protocol, rather than plain old HTTP. Mozilla’s figure is a two-week running average, so it could still slide around over the next few days. But this milestone is still a big deal.
“The significance of this tipping point really can’t be overstated,” says Ross Schulman, co-director of the New America Foundation’s cybersecurity initiative.
Not that you’re free from prying eyes entirely: HTTPS doesn’t hide which websites you visit. The domain name still travels in the clear, both in the DNS lookup that precedes the connection and in the Server Name Indication (SNI) field at the start of the TLS handshake, and the server’s IP address is visible to anyone on the path. What HTTPS does encrypt is everything inside the connection: the specific pages you request, the content you read, and the data you submit. So internet service providers and governments can still see that you went to Wikipedia, but not which article. HTTPS also authenticates the server and protects the page from tampering in transit. Without it, a repressive government or a network attacker can silently replace Wikipedia entries or other webpages with their own content, or swap a legitimate download for malware.
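To make the "doesn’t hide which site" point concrete, here is an added example (not from the original article) that builds a minimal TLS 1.2 ClientHello and pulls the hostname back out of its server_name extension, exactly as a passive observer on the network could. The ClientHello bytes, the placeholder random value and the single cipher suite are constructed sample input, not a capture; the function names are this example’s own.

```python
import struct

SERVER_NAME_EXT = 0x0000  # TLS extension type "server_name" (RFC 6066)
HOST_NAME_TYPE = 0        # NameType host_name


def build_client_hello(hostname=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record. Constructed sample input:
    the random bytes and the cipher suite are placeholders, not a real capture.
    With hostname=None the extensions block is omitted entirely."""
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # random (placeholder)
        + b"\x00"                              # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"   # cipher_suites: one suite
        + b"\x01\x00"                          # compression_methods: null only
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name_list = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions = struct.pack("!HH", SERVER_NAME_EXT, len(ext_data)) + ext_data
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name carried in a ClientHello's server_name extension,
    or None if the record is not a ClientHello or carries no SNI. Every length
    field is bounds-checked so truncated or hostile input yields None, not an exception."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip compression_methods
    if len(body) < pos + 2:                           # no extensions block at all
        return None
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SERVER_NAME_EXT or len(ext_data) < 2:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        q, list_end = 2, min(2 + list_len, len(ext_data))
        while q + 3 <= list_end:
            name_type, name_len = struct.unpack("!BH", ext_data[q:q + 3])
            q += 3
            name = ext_data[q:q + name_len]
            q += name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                return name.decode("ascii", "replace")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("en.wikipedia.org")))
```

Everything the parser reads is in plaintext: the handshake has not negotiated any keys yet when the ClientHello is sent, which is why the hostname is observable while the path of the page you request is not.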
“Billions of users will start to regularly experience a web that is more encrypted than not,” says Josh Aas, the co-founder of Let’s Encrypt, an organization that’s helping millions of sites add HTTPS to their sites for free. “Expectations for security will continue to rise, and as a result we expect to see sites move to HTTPS even faster than they have been.”
Web encryption has been around for years. The protocol that first made HTTPS possible, Netscape’s Secure Sockets Layer (SSL), was released in 1995; HTTPS is simply ordinary HTTP carried over an SSL (now TLS) connection. It let companies handle credit card transactions online by protecting your payment details and helping to prove that the merchants you visited were who they said they were. But it took years for SSL’s successor, Transport Layer Security (TLS), to become widely used beyond payment pages.
In part, that’s because for many years most website owners didn’t see the benefit of encrypting everything. But as the ease of stealing unencrypted passwords and delivering altered websites became apparent, wider use of encryption became a priority.
Over the years big sites like Facebook, Google, Wikipedia, the New York Times, and, yes, TERABYTE, have switched to HTTPS. Google announced in 2014 that its search ranking would favor sites that use HTTPS over those that don’t, and in late 2015 that it would index the HTTPS version of a page by default.
The problem was that it was still fairly hard for smaller sites to use HTTPS. TLS certificates cost money and required technical know-how to obtain, install and renew. But that’s starting to change. Let’s Encrypt takes care of the financial part by making all certificates free, thanks to corporate and nonprofit donations, and takes care of much of the technical part by automating issuance and renewal through its ACME protocol. Thanks to Let’s Encrypt, web hosting services like WordPress.com and Squarespace started offering HTTPS to all of their users for free without demanding much technical expertise on the part of users. Cloud companies like Amazon and CloudFlare also launched free certificate programs for their users, contributing to the snowballing number of sites that led to today’s milestone.
“After taking 20 years to get to 40 percent encrypted page loads, it’s incredible that the web jumped to 50 percent in just one year,” Aas says.
Some web hosts still charge for HTTPS, but Aas argues the dangers of an unencrypted internet create a moral imperative to drop the fees. “We’re past the point where treating HTTPS as an add-on is acceptable.”
Even then, HTTPS has some serious limitations. In 2014, security researchers disclosed a major vulnerability in OpenSSL, the cryptographic library behind a large share of the world’s HTTPS servers. The flaw, known as Heartbleed, was a bug in OpenSSL’s implementation of the TLS heartbeat extension rather than in the protocol itself: a missing bounds check let anyone who could connect to a server read up to 64 kilobytes of its memory per request, which could include passwords, session cookies and even the server’s private key. It dealt a major blow to the world’s confidence in HTTPS. Almost three years later, roughly 200,000 internet-facing servers remained vulnerable to Heartbleed, a recent study by the Internet of Things search engine Shodan found.
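The following added example (not OpenSSL’s code, and not part of the original article) reduces Heartbleed to its essence. A heartbeat message carries a payload length chosen by the peer; the vulnerable handler trusts it and copies that many bytes, while the fixed handler applies the two bounds checks the OpenSSL patch added. The "process memory" is a constructed bytearray in which unrelated secret-looking data sits right after the received record, and Python slicing merely stops at the buffer end where C’s memcpy would read on; the point is the missing comparison, not the exact bytes.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16          # RFC 6520: heartbeat padding is at least 16 bytes


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding(16).
    claimed_length is whatever the peer writes into the field. An honest peer
    sets it to len(payload); a Heartbleed probe sets it far larger."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def process_memory(record: bytes, neighbour: bytes) -> bytearray:
    """Constructed stand-in for the server's heap: the received record sits
    directly in front of unrelated data belonging to other connections."""
    return bytearray(record + neighbour)


def vulnerable_heartbeat(memory: bytearray, record_length: int):
    """Pre-fix logic: payload_length is taken from the message and never
    compared against record_length, so the reply echoes bytes that lie
    beyond the record. Simulation: the slice clips at the buffer end where
    the real memcpy over-read would continue."""
    hb_type, payload_length = struct.unpack("!BH", bytes(memory[:3]))
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return bytes(memory[3:3 + payload_length])


def fixed_heartbeat(memory: bytearray, record_length: int):
    """Post-fix logic, mirroring the two checks the OpenSSL patch added:
    a record too short to hold even header plus padding is discarded, and so
    is one whose claimed payload does not fit inside the record.
    RFC 6520 requires such messages to be dropped silently."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", bytes(memory[:3]))
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    return bytes(memory[3:3 + payload_length])


def demo() -> dict:
    """Run an honest request and a Heartbleed-style probe through both handlers.
    The neighbour data is constructed to look like a cookie and a key header."""
    secret = b"Cookie: session=4f9a2c; BEGIN RSA PRIVATE KEY"
    honest = build_heartbeat(b"ping", 4)      # says 4 bytes, carries 4
    probe = build_heartbeat(b"hi", 40)        # says 40 bytes, carries 2
    return {
        "honest_vulnerable": vulnerable_heartbeat(process_memory(honest, secret), len(honest)),
        "honest_fixed": fixed_heartbeat(process_memory(honest, secret), len(honest)),
        "probe_vulnerable": vulnerable_heartbeat(process_memory(probe, secret), len(probe)),
        "probe_fixed": fixed_heartbeat(process_memory(probe, secret), len(probe)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")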
And it’s not just technical issues that haunt HTTPS. The protocol depends on organizations called “certificate authorities,” such as Let’s Encrypt or VeriSign, to issue the certificates that vouch for a site’s identity. Browsers trust more than a hundred of these authorities, and any one of them can issue a certificate for any domain. So if a hacker were to compromise a single authority, or an authority misbehaved, they could mint certificates for sites they don’t control that every browser would accept. That danger has led experts like the pseudonymous white-hat hacker Moxie Marlinspike to propose more decentralized systems for deciding which certificates to trust. But so far the idea hasn’t caught on.
Then there’s the problem of blind trust in those little green locks. A certificate proves that you are talking to whoever controls the domain name in the address bar; it says nothing about whether that domain actually belongs to the company it resembles. In a recent blog post, Google Chrome security expert Eric Lawrence points to examples of scammers obtaining perfectly valid certificates for lookalike domains, making fraudulent sites imitating the likes of PayPal and Google appear legitimate.
“There’s a risk that people will think they’re more protected than they actually are,” says Amie Stepanovich, a policy manager at the digital rights group Access Now, which has long advocated for more pervasive use of HTTPS. “But even though HTTPS isn’t perfect, nothing offers perfect security.”
Ultimately, using HTTPS, despite its limitations, is better than leaving the web unencrypted. That means Aas and company have more work to do.
“Fifty percent is an important milestone,” Aas says. “But there’s still another 50 percent to go.”