If we’ve learned one thing from the Snowden revelations, it’s that what can be spied on will be spied on. Since the advent of what used to be known as the World Wide Web, it has been a relatively simple matter for network attackers—whether it’s the NSA, Chinese intelligence, your employer, your university, abusive partners, or teenage hackers on the same public WiFi as you—to spy on almost everything you do online.
HTTPS, the technology that encrypts traffic between browsers and websites, fixes this problem—anyone listening in on that stream of data between you and, say, your Gmail window or bank’s web site would get nothing but useless random characters—but is woefully under-used. The ambitious new non-profit Let’s Encrypt aims to make the process of deploying HTTPS not only fast, simple, and free, but completely automatic. If it succeeds, the project will render vast regions of the internet invisible to prying eyes.
Why does it matter if the web is encrypted?
The benefits of using HTTPS are obvious when you think about protecting secret information you send over the internet, like passwords and credit card numbers. It also helps protect information like what you search for in Google, what articles you read, what prescription medicine you take, and messages you send to colleagues, friends, and family from being monitored by hackers or authorities.
But there are less obvious benefits as well. Websites that don’t use HTTPS are vulnerable to “session hijacking,” where attackers can take over your account even if they don’t know your password. When you download software without encryption, sophisticated attackers can secretly replace the download with malware that hacks your computer as soon as you try installing it.
Encryption also prevents attackers from tampering with or impersonating legitimate websites. For example, the Chinese government censors specific pages on Wikipedia, the FBI impersonated The Seattle Times to get a suspect to click on a malicious link, and Verizon and AT&T injected tracking tokens into mobile traffic without user consent. HTTPS goes a long way in preventing these sorts of attacks.
And of course there’s the NSA, which relies on the limited adoption of HTTPS to continue to spy on the entire internet with impunity. If companies want to do one thing to meaningfully protect their customers from surveillance, it should be enabling encryption on their websites by default.
So why don’t all websites already use HTTPS?
Setting up HTTPS on a website is complicated and error-prone, requires dealing with certificate authorities—companies that will digitally vouch for your encryption keys so your browser knows what web sites are legitimate—and can be expensive, despite the fact that the technology that HTTPS is based on is open source and freely available to everyone.
Many web hosting companies charge extra money each month to use HTTPS, and some don’t support it at all. Additionally, websites that use HTTPS can’t embed content from websites that don’t. This means that sites that rely on legacy advertising networks that don’t support encryption need to switch ad networks before they can start using encryption themselves.
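For a site preparing to switch, the embedding restriction described above can be checked ahead of time by scanning pages for resources that would still load over plain HTTP. The following is an added example, not part of the original article; the function names, sample HTML and hostnames are constructed for illustration, and the tag list covers common embedding tags only.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as part of the page.
# <a href> is deliberately absent: a plain link is navigation, not embedding.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "link": "href",
    "object": "data",
}

class MixedContentScanner(HTMLParser):
    """Collects (tag, url) for subresources that would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = SUBRESOURCE_ATTRS.get(tag)
        attr_map = dict(attrs)
        value = attr_map.get(attr_name) if attr_name else None
        if not value:
            return
        rel = (attr_map.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # e.g. rel="canonical" is metadata, not a fetched resource
        # Resolve relative and "//host" URLs first so they inherit the page's https.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for illustration; all hostnames are placeholders.
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="http://ads.legacy-network.example/show.js"></script>
<script src="//cdn.example/lib.js"></script>
<img src="http://images.example/banner.png">
<a href="http://other.example/story">a plain link</a>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://news.example/article", SAMPLE_HTML):
        print(f"<{tag}> would load over HTTP: {url}")
```

Only the legacy ad script and the banner image are reported; the relative stylesheet, the protocol-relative script and the ordinary hyperlink are not.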
The Intercept is one of the few news websites that uses HTTPS by default. But things are changing. The New York Times has issued a challenge to fellow news websites to switch to HTTPS by default by the end of 2015.
What does Let’s Encrypt do differently?
Let’s Encrypt, which was announced this week but won’t be ready to use until the second quarter of 2015, describes itself as “a free, automated, and open certificate authority (CA), run for the public’s benefit.” It’s the product of years of work from engineers at Mozilla, Cisco, Akamai, Electronic Frontier Foundation, IdenTrust, and researchers at the University of Michigan. (Disclosure: I used to work for the Electronic Frontier Foundation, and I was aware of Let’s Encrypt while it was being developed.)
If Let’s Encrypt works as advertised, deploying HTTPS correctly and using all of the best practices will be one of the simplest parts of running a website. All it will take is running a command. Currently, HTTPS requires jumping through a variety of complicated hoops that certificate authorities insist on in order to prove ownership of domain names. Let’s Encrypt automates this task in seconds, without requiring any human intervention, and at no cost.
The transition to a fully encrypted web won’t be immediate. After Let’s Encrypt is available to the public in 2015, each website will have to actually use it to switch over. And major web hosting companies also need to hop on board for their customers to be able to take advantage of it. If hosting companies start work now to integrate Let’s Encrypt into their services, they could offer HTTPS hosting by default at no extra cost to all their customers by the time it launches.
It’s important to realize that the goal of Let’s Encrypt is to spread HTTPS support across the inherently insecure web, but not necessarily to fix all of the problems with how HTTPS currently works.
The current system relies on a large list of trusted organizations that issue certificates to vouch for the authenticity of web sites. If one of these gets hacked—which has happened—or if a government compels them to vouch for malicious websites, it can undermine the security of HTTPS. This has always been an issue with the protocol.
So a fully encrypted web would not be foolproof against attacks. But it would seriously impede dragnet internet surveillance, forcing spy agencies to target specific websites for attack (and risk getting caught) rather than silently gathering everything up without anyone having any way of knowing. And attacks against HTTPS are out of reach for most hackers, who can’t send legal orders to certificate authorities—making all internet users safer.