The steady march toward a secure web (but we’re not there yet)

matt volante, published in arpcache. 4 min read. Mar 22, 2018

Five years ago, the thought of ubiquitous HTTPS on the World Wide Web was nothing more than a pipe dream among privacy-aware types and the security community at large. Today, the prospect of the Alexa Top 1 Million sites being TLS-enabled by default is no longer a distant desire; it may even become a reality.

Cisco released its annual cybersecurity report and in it declared that 50% of global web traffic is now encrypted. I cynically responded to this revelation by posing the thought that Cisco may be playing an angle, because so far they are the only player in the industry working on a product that detects malware within encrypted streams of traffic. Cisco’s CSO John Stewart responded with a fair assessment:

So how did we get so far in five years’ time? There are a few prevailing factors. One of them is good old-fashioned awareness. As regular people (not us jaded, cynical IT types) see more and more how the world is impacted by poor security online, an awakening is starting to happen. This is both expected and welcome. Back in the day, the web was a giant community of the curious… we were exploring together, sharing ideas, having fun, building new things. Security wasn’t built into the protocols that drove the rapid growth of the internet. But it became very apparent very quickly that security was needed — and banks were among the first to serve up secure websites. SSL was created by Netscape in 1994 almost specifically so people could do their banking online — but more broadly it came about because people were becoming more concerned about securing their online communications.

Beyond simple awareness comes the next reason: the bad guys keep getting better at exploiting insecure channels. We’ve seen this with a myriad of MITM attacks that could have been mitigated with TLS, and most recently with nation-state attacks uncovered by a Citizen Lab investigation.

Yet another important reason: it’s become easier to configure HTTPS, largely because of automation in the major cloud providers and the efforts of the smaller players in providing robust support communities with great documentation.

Now for one of the biggest reasons: Let’s Encrypt has made obtaining a valid SSL certificate free. This has completely altered the landscape. Along with free certs, the EFF has built Certbot to make the tedious task of deploying your cert much easier.

With all of this, we can see why more sites are adopting security. But it will take a while longer before we see security as a default, and a secure web through and through.

Case in point: I was recently required to test some Java Runtime Environments in my browser in an attempt to diagnose a problem with a vendor Java tool (the massive security issues with Java will be good fodder for another post). I needed to find an old version and a pre-release version; basically, I needed to test against anything but the current stable release.

OK, so fine. I went to java.com (nicely secure by default) and hunted around for the downloads. It was very easy to find the current stable release, and the download was available via HTTPS. But when I searched for the previous version, or the pre-release new version? Only available via insecure, clear-text HTTP. I, for one (the cynical guy), do not wish to download anything and install it on my machine if I’m dealing with an insecure source.

But wait… the stable release download. It’s on https://java.com, right? So it’s secure? Not so fast. The website with the download button is secure, but the download itself is NOT. This is particularly troubling, as it creates a false sense that, because you are downloading from a secure site, the download content must also come from a secure source:

[Two screenshots of the java.com download page, captioned “This is too small to see.” and “so is this one.”]
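A check for the problem described above, written as an added example for this post (it is not the author’s code and has nothing to do with java.com itself): it parses a constructed download page, resolves every link against the page URL, and reports download links that are served over clear-text HTTP. A second function checks a redirect chain, since an https:// button that bounces to an http:// mirror is still a clear-text download. The sample page, the hostnames and the list of installer extensions are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File extensions treated as installers/downloads (an assumption for this example).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg", ".tar.gz", ".rpm", ".deb", ".jar")

# Constructed sample page: one HTTPS download, one clear-text HTTP download,
# one protocol-relative link (inherits the page's scheme) and one non-download link.
SAMPLE_PAGE_URL = "https://example.invalid/downloads/"
SAMPLE_PAGE = """
<html><body>
<a href="https://example.invalid/jre/current/installer.exe">Download current release</a>
<a href="http://download.example.invalid/jre/previous/installer.exe">Previous version</a>
<a href="//download.example.invalid/jre/beta/installer.tar.gz">Early access</a>
<a href="/about.html">About</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (link text, href) pairs from <a> tags on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current_href = href
                self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append(("".join(self._current_text).strip(), self._current_href))
            self._current_href = None
            self._current_text = []


def is_download(url):
    """True if the URL path ends in one of the installer extensions above."""
    return urlparse(url).path.lower().endswith(DOWNLOAD_EXTENSIONS)


def audit_download_links(html, page_url):
    """Return (secure, insecure) lists of absolute download URLs found on a page.

    Relative and protocol-relative hrefs are resolved against page_url first, so a
    "//host/file.exe" link on an HTTPS page correctly counts as HTTPS.
    """
    parser = LinkCollector()
    parser.feed(html)
    secure, insecure = [], []
    for _text, href in parser.links:
        absolute = urljoin(page_url, href)
        if not is_download(absolute):
            continue
        if urlparse(absolute).scheme == "https":
            secure.append(absolute)
        else:
            insecure.append(absolute)
    return secure, insecure


def chain_is_secure(hops):
    """True only if every hop (the initial URL plus each redirect target) is HTTPS.

    A download button that starts at https:// but redirects to an http:// mirror
    still delivers the installer in clear text, so one HTTP hop fails the chain.
    """
    return all(urlparse(u).scheme == "https" for u in hops)


if __name__ == "__main__":
    secure, insecure = audit_download_links(SAMPLE_PAGE, SAMPLE_PAGE_URL)
    for url in secure:
        print("OK      ", url)
    for url in insecure:
        print("INSECURE", url)
    # Constructed redirect chain: HTTPS link bouncing to an HTTP mirror.
    print("redirect chain secure:", chain_is_secure([
        "https://example.invalid/jre/current/installer.exe",
        "http://mirror.example.invalid/jre/current/installer.exe",
    ]))
```

The audit works on the page source alone, so it runs offline; against a live site you would fetch the page and then follow each download URL’s redirects (with redirects disabled, one hop at a time) and feed the visited URLs to `chain_is_secure`, since the final location is what actually delivers the installer.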

This is just one example. Oracle (the parent company of Java) is a giant organization; surely they could afford to put a cert on all of their external services. Why wouldn’t they? Perhaps they are too big. Complexity is the enemy of security. I don’t know. But this shows that HTTP is still out there and will be for a long while.
