{"id":50217,"date":"2014-11-24T12:00:57","date_gmt":"2014-11-24T12:00:57","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=50217"},"modified":"2015-05-05T21:27:16","modified_gmt":"2015-05-05T20:27:16","slug":"how-to-encrypt-the-entire-web-for-free","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/11\/how-to-encrypt-the-entire-web-for-free\/","title":{"rendered":"How to Encrypt the Entire Web for Free"},"content":{"rendered":"<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/11\/lets_encrypt-article-display-b-internet.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50218\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/11\/lets_encrypt-article-display-b-internet.jpg\" alt=\"lets_encrypt-article-display-b internet\" width=\"540\" height=\"276\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/11\/lets_encrypt-article-display-b-internet.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/11\/lets_encrypt-article-display-b-internet-300x153.jpg 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>If we\u2019ve learned one thing from the Snowden revelations, it\u2019s that what <em>can<\/em> be spied on <em>will<\/em> be spied on. Since the advent of what used to be known as the World Wide Web,\u00a0it has been a relatively simple matter\u00a0for network attackers\u2014whether it\u2019s\u00a0the NSA, Chinese intelligence, your employer, your university, abusive partners, or teenage hackers on the same public WiFi as you\u2014to spy on almost everything you do online.<\/p>\n<p>HTTPS, the technology that encrypts traffic between browsers and websites, fixes this problem\u2014anyone listening in on that stream of data between you and, say, your Gmail window or bank\u2019s web site would get nothing but useless random characters\u2014but is woefully under-used. 
The ambitious new non-profit\u00a0<a target=\"_blank\" href=\"https:\/\/letsencrypt.org\/\" >Let\u2019s Encrypt<\/a> aims to make the process of deploying HTTPS not only fast, simple, and free, but completely automatic. If it\u00a0succeeds, the project will render\u00a0vast regions of the internet invisible to prying eyes.<\/p>\n<p><strong>Why does it matter if the web is encrypted?<\/strong><\/p>\n<p>The benefits of using HTTPS are obvious when you think about protecting secret information you send over the internet, like passwords and credit card numbers. It also helps\u00a0protect\u00a0information like\u00a0what you search for in\u00a0Google, what articles you read, what prescription medicine you take, and messages you send to colleagues, friends, and family from being monitored\u00a0by hackers or authorities.<\/p>\n<p>But there are less obvious benefits as well. Websites that don\u2019t use HTTPS are vulnerable to \u201csession hijacking,\u201d where attackers can take over your account even if they don\u2019t know your password. When you download software without encryption, sophisticated attackers can secretly replace the download\u00a0with malware that hacks your computer as soon as you try installing it.<\/p>\n<p>Encryption also prevents attackers from tampering with or impersonating legitimate websites. 
For example, <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Censorship_of_Wikipedia#China\" >the Chinese government censors<\/a> specific pages on Wikipedia, the <a target=\"_blank\" href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/fbi-lured-suspect-with-fake-web-page-but-may-have-leveraged-media-credibility\/2014\/10\/28\/e6a9ac94-5ed0-11e4-91f7-5d89b5e8c251_story.html\" >FBI impersonated <em>The Seattle Times<\/em><\/a> to get a suspect to click on a malicious link, and <a target=\"_blank\" href=\"http:\/\/www.propublica.org\/article\/somebodys-already-using-verizons-id-to-track-users\" >Verizon and AT&amp;T injected tracking tokens<\/a> into mobile traffic without user consent. HTTPS goes a long way in preventing these sorts of attacks.<\/p>\n<p>And of course there\u2019s the NSA, which relies on the limited adoption\u00a0of HTTPS to continue to spy on the entire internet with impunity. If companies want to do one thing to meaningfully protect their customers from surveillance, it should be enabling encryption on their websites by default.<\/p>\n<p><strong>So why don\u2019t all websites already use HTTPS?<\/strong><\/p>\n<p>Setting up HTTPS on a website is complicated and error-prone, requires dealing with certificate authorities\u2014companies that will digitally vouch for your encryption keys so your browser knows what\u00a0web sites are legitimate\u2014and can be expensive, despite the fact that the technology that HTTPS is based on is open source and freely available to everyone.<\/p>\n<p>Many web hosting companies charge extra money each month to use HTTPS, and some don\u2019t support it at all. 
Additionally, websites that use HTTPS can\u2019t embed content from websites that don\u2019t.\u00a0This means that sites\u00a0that rely on legacy advertising networks that don\u2019t support encryption need to switch ad networks before\u00a0they\u00a0can start using encryption themselves.<\/p>\n<p><em>The Intercept<\/em> is one of the <a target=\"_blank\" href=\"https:\/\/freedom.press\/blog\/2014\/09\/after-nsa-revelations-why-arent-more-news-organizations-using-https\" >few news websites<\/a>\u00a0that uses HTTPS by default. But things are changing. <em>The<\/em>\u00a0<em>New York Times<\/em> has <a target=\"_blank\" href=\"http:\/\/open.blogs.nytimes.com\/2014\/11\/13\/embracing-https\/?_r=0\" >issued a challenge<\/a> to fellow news websites to switch to HTTPS by default by the end of 2015.<\/p>\n<p><strong>What does Let\u2019s Encrypt do differently?<\/strong><\/p>\n<p>https:\/\/www.youtube.com\/watch?v=Gas_sSB-5SU<\/p>\n<p>Let\u2019s Encrypt, which was announced this week but won\u2019t be ready to use until the second quarter of 2015, describes itself as \u201ca free, automated, and open certificate authority (CA), run for the public\u2019s benefit.\u201d It\u2019s the product of years of work from engineers at Mozilla, Cisco, Akamai, Electronic Frontier Foundation, IdenTrust, and researchers at the University of Michigan. (Disclosure: I used to work for the Electronic Frontier Foundation, and I was aware of Let\u2019s Encrypt while it was being developed.)<\/p>\n<p>If\u00a0Let\u2019s Encrypt works as advertised,\u00a0deploying HTTPS correctly and using all of the best practices will be one of the simplest parts of running a website. All it will take is running a command. Currently, HTTPS requires jumping through a variety of complicated\u00a0hoops that certificate authorities insist on in order to\u00a0prove ownership of domain names. 
Let\u2019s Encrypt\u00a0<a target=\"_blank\" href=\"https:\/\/letsencrypt.org\/howitworks\/technology\/\" >automates this task in seconds<\/a>, without requiring any human intervention, and at no cost.<\/p>\n<p>The transition\u00a0to\u00a0a fully encrypted web won\u2019t be immediate. After Let\u2019s Encrypt is available to the public in 2015, each website will have to actually use it to switch over. And major web hosting companies also need to\u00a0hop on board for\u00a0their customers to be able to\u00a0take advantage of it. If hosting companies start work now to integrate\u00a0Let\u2019s Encrypt into their services, they could offer HTTPS hosting by default at no extra cost to all their customers by the time it launches.<\/p>\n<p>It\u2019s important to realize that\u00a0the goal of Let\u2019s Encrypt is to spread HTTPS support across the\u00a0inherently insecure web, but not necessarily to fix all of the problems\u00a0with how HTTPS currently works.<\/p>\n<p>The current system relies on a large list of trusted organizations that issue certificates to vouch for the authenticity of web sites. If one of these\u00a0gets hacked\u2014<a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/11\/12\/stuxnet\/\" >which has happened<\/a>\u2014or if a government compels them to vouch for malicious websites, it can undermine the security of HTTPS. This has always been an issue with the protocol.<\/p>\n<p>So a\u00a0fully-encrypted web would not be foolproof against attacks. But it would seriously impede\u00a0dragnet internet\u00a0surveillance from working, forcing spy agencies to\u00a0target specific websites for attack (and risk getting caught) rather than silently gathering it all up without anyone having any way of knowing. 
And attacks against HTTPS\u00a0are out-of-reach for most hackers that\u00a0can\u2019t send legal\u00a0orders to certificate authorities\u2014making all internet users safer.<\/p>\n<p>_________________________________<\/p>\n<p><em>Email the author: <a href=\"mailto:micah.lee@theintercept.com\">micah.lee@theintercept.com<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/11\/20\/non-profit-plans-encrypt-entire-web-free\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If we\u2019ve learned one thing from the Snowden revelations, it\u2019s that what can be spied on will be spied on. Since the advent of what used to be known as the World Wide Web, it has been a relatively simple matter for network attackers\u2014whether it\u2019s the NSA, Chinese intelligence, your employer, your university, abusive partners, or teenage hackers on the same public WiFi as you\u2014to spy on almost everything you do online.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[216],"tags":[],"class_list":["post-50217","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/50217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=50217"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/50217\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/t
ms\/wp-json\/wp\/v2\/media?parent=50217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=50217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=50217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}