WIRED:With a little work, security and privacy can be provided invisibly to every web user
FOR THOSE who said that privacy was dead, there certainly seems to be a lot of agonising about it.
Facebook, on the eve of announcing 500 million users, has drawn fire for leaking information to advertisers and third-party websites.
Companies like Apple use their attempts to protect their users’ location data as a club to beat more aggressive data-collectors like Google.
But for all of this introspection and pointing-of-fingers, there’s one security flaw in almost all of the sites, a flaw that spills out your most private data to thousands of prying eyes, a flaw that no regulator or pundit seems to be paying any attention to.
It leaks your e-mails, your social networking chatter, what you read, and what you say.
You can spot any web page that’s violating your privacy in this way because its address will start with “http://”. That is to say, almost every page you visit. And the tragedy is we know how to fix this problem, because it’s fixed on every web page that starts with “https://”. Which is criminally few.
The “http” means that your communications with that web page are travelling over the internet unencrypted. That means any computer between you and your final destination can see everything you type and read.
At the beginning of the internet, that didn’t seem to be too worrying an oversight: the web, after all, was built with a degree of trust in its participants, and a fair degree of naivety about how much data could be collected by third parties.
These days we know that third parties are profoundly interested in every part of our online behaviour. Companies such as Facebook make millions from processing the slice of it that they know about, but even your Facebook communications are readily visible to anyone else who can tap your traffic between your computer and their servers.
Regimes such as that in China want to see what their citizens are looking at so they can block what shouldn’t be seen. Governments, and not just authoritarian governments, conduct dragnet surveillance, tapping our digital movements deep within the network. Internet service providers and telecommunication companies want to know what we look at so they can filter and charge for what is most popular.
All of this activity would be impossible, or at the very least far, far harder, if the sites we visit served pages in encrypted form.
Mostly they don’t because historically encryption has a cost: in computer processing time and in unavoidable delays encoding and decoding the data. Securely encrypted, “https” pages were restricted to really precious data, such as forms containing credit card numbers, or passwords on login pages.
These days those costs are far smaller, and the risks far greater. Google, a company for whom the smallest increases in CPU demands and transmission delays can cost millions, has begun to switch to secure web pages. After the attack on its servers by China, it turned on secure web pages by default for all of its Gmail users.
It now also offers an encrypted version of its search engine at https://www.google.com/. Its engineers have begun to argue publicly that the increased CPU loads and delays are as much folklore from the early days of the web as they are real problems.
The truth is that many websites already offer encrypted versions of their website: add an “https” to the web address of the New York Times or blogs at Wordpress.com and you’ll receive a secure, encrypted version of the normal site. But these optionally private sites don’t advertise their security.
Others, like Twitter and Facebook, have secure versions, which regularly break down because they’re not a high priority.
My former employer, the Electronic Frontier Foundation, has recently released a plug-in, Https Everywhere, which turns on secure browsing when it can, and fixes as much of the broken sites as it is able – but that’s only a temporary fix.
What we really need is for the coders and companies that provide web access for major sites to start delivering https by default: and have browsers and web standards that are smart enough to spot https availability and use it by default.
Google has proposed new standards, including one called SPDY, that would not only eliminate the small slow-downs that https creates, but would speed up browsing for everyone.
Even if it’s not the best solution, using it as a straw man for engineers from other companies and for standards bodies such as the Internet Engineering Task force would help move the state-of-the-art forward.
Security and privacy for internet traffic is important. It’s also a solved problem since 1995. We don’t need to worry about confusing users or losing market share, because with a little work we can invisibly provide that security to every web user online without them even noticing.
All it takes is for companies to take their users’ online privacy as seriously as they claim in their press releases.