HTTPS Everywhere – what is it good for?

There’s a growing chorus of voices in infosec these days, calling for the effective deprecation of unencrypted traffic over the web. The only useful purpose port 80 serves these days, they argue, is to redirect to port 443.

Their arguments tend to run along these lines:

  1. HTTPS is the right way to handle encryption on your website (and other services, too). That’s true. It’s a well-established, well-understood standard that has gone through some awkward moments, but has emerged from the process as a robust and easy-to-use security layer on your web server.
  2. HTTPS protects you from unethical ISPs/states/actors who like to inject unwanted ads and other nasties into your traffic. That’s somewhat true, but requires a little unpacking, because there are some notable edge cases:
    1. Many corporations install their own certificate authority on approved devices, and use their own certificates to intervene in communications between you and other secure sites. This allows them to sit in the middle of your communication with your bank, for example.
    2. Anyone who can get access to either of the end points can simply watch the unencrypted traffic on either end, rendering any security measures in the communications protocol moot.
    3. Setting up and breaking down a secure session is an extremely difficult process that is well understood by very few people. The theory is clear enough, but applying it in practice can get hairy. The 2016 WPAD exploit is a prime example: it was demonstrated that you could use a near-obsolete, insecure method of discovering your network’s proxy settings to eavesdrop on secure communications. (Of course, if you could manipulate that setting, you could pretty much do what you wanted to the browser anyway. The point here is that there are ways for people to eavesdrop on your secure communications and leave you none the wiser, with or without HTTPS.)
    4. Establishing the identity of remote sites is still a bit fraught. It’s better today than it was in the past, but an SSL cert on its own is insufficient in the absence of a broader, systematic web of trust. These things require international cooperation, protocols and standards. Not all parties want the same thing, and few indeed are focused only on what’s best for the end user’s privacy. HTTPS Everywhere doesn’t move the markers in this part of the debate.
    5. Cross-site tracking cookies are a much more pernicious and troubling way for unscrupulous commercial actors to inject themselves into your day to day web traffic.

None of these are arguments against the use of HTTPS. You should use it when you can. Just because the other guy’s going to win doesn’t mean you shouldn’t at least make him work for it. But these are considerations that have to be borne in mind when people start suggesting that a web with HTTPS everywhere is a safer, more private place for everyone.

  1. HTTPS is growing in use. Get on board! That’s an argumentum ad populum. It’s a useful observation – and a Good Thing – but not a reason to move in and of itself.
  2. Plain old HTTP is insecure and untrustworthy. The first part is true, and people should know it. Google Chrome’s recent decision to mark all plaintext websites as insecure is a good move. But the question of trust is more a practical than a technical issue. In other words, you can communicate securely with an untrustworthy information source, and you can communicate insecurely with a trustworthy source. Trust between end points needs to be distinguished from trust in the communications medium. Technical experts who advocate for HTTPS everywhere sometimes confuse the two; non-technical people often do. Which means we have to be extremely circumspect about what we promise when we talk about making things more secure for them.
  3. HTTPS is secure and will protect you from eavesdropping. Yes it is, and no it will not. Yes, the protocol is solid. It’s really easy to do right (which is incredibly important for security), and it works for the purpose intended. But it’s only one part of a much, much bigger picture. As Bruce Schneier is fond of saying, the bad guys only need to find one way to win. Most systems have more than one way in. Many systems allow state-sanctioned eavesdroppers in through the front door.
  4. Encrypting even normal traffic means that you’re protected from state surveillance across the board. If they can’t differentiate your traffic, it makes it harder for them to single out the things they object to. Sad to say, the real world doesn’t work that way.

If a state wants to watch what you’re accessing over the web, they will find a way. At the very least, they will know the end points you’re connecting to. If they’ve singled you out for observation, you’re going to face issues even if you use Tor, VPNs and other tools. Between compromised devices, networks and information providers, your options are quite limited if people decide to watch you individually.

If you’re not being singled out, they probably don’t care what you’re looking at. They might care about individual sources, but in cases like that, they’ll just block the site sources.

But wait – what about someone who’s not yet been targeted, and doesn’t want to be? Good question. There’s a marginal case there, but again, using HTTPS Everywhere is probably not going to be the decisive factor. It sure isn’t in China.

There are very good reasons to support the spread of HTTPS. Anybody who tells you otherwise is just… wrong. You should use it when you’re doing anything that involves your personal information. That includes everything from chatting with friends about what movies are good to transferring millions into your superyacht fund.

But to conclude from this that ‘the only purpose for port 80 these days is to redirect to HTTPS’ is a bit naïve, sad to say. It assumes that there are technical solutions to social/political problems. That’s not necessarily true:

  1. We’d be vastly better off with regulatory/legislative intervention to stop ISPs and others from messing with your web traffic. The reason for this is that removing the mandate to inject gunk into your web traffic is a far more effective way of circumscribing what ISPs are allowed to do. Let’s call it (part of) Net Neutrality. With or without HTTPS, we still need this regulation. Politically, cynical ISPs can point to HTTPS Everywhere and use it as an argument against net neutrality regulation. It’s not entirely rational, but that’s not to say the argument would be ineffective.
  2. When changing collective behaviour, it’s often better to proscribe the behaviour rather than prescribe the technical cure. People will always seek ways to fulfil the letter of the law and still achieve their own selfish ends. So an emphasis on better law is generally more effective than emphasising better tech.
  3. State actors and other surveillance groups generally don’t care that you’re looking at public access websites. When they do care, they just block the site at the ISP level. Yes, there are edge cases where you can get in before they know it matters, but that’s true with and without HTTPS. Encryption does add a slight advantage when it comes to internet whack-a-mole, but it’s only slight. And it’s likely to be ephemeral.
  4. If someone really wants to track you, they will compromise your end points, not the network layer. This is what China does: they just sit people inside the offices of the main online services. Law enforcement and signals intelligence agencies do much the same thing. They’ll either compromise your devices, or they’ll compromise the other end point, often with the assistance of the service provider. The FBI attempted this with Tor, with partial success.
  5. HTTPS is easy, yes, but easy is not the same as simple. Just because you’ve got your cert properly set up doesn’t mean you’re safe. Focusing on HTTPS to the exclusion of other considerations or overselling its benefits could create a false sense of security. It’s far easier to designate something ‘untrusted’ than it is to determine that the same thing is ‘trusted’. We need to be careful about what we’re selling when we say that HTTPS Everywhere makes us more secure.

Widespread use of HTTPS is a Good Thing, and should be encouraged. But mandating its use everywhere is of limited additional utility where your practical security is concerned.

In a nutshell, universal HTTPS alone is insufficient to change or curb malicious human behaviour; and the additional measures that are necessary don’t require HTTPS everywhere to succeed.

HTTPS everywhere would achieve only a marginal and possibly ephemeral gain. In practical terms, people who are most vulnerable to unwanted collective or individual surveillance by state actors gain very little from this.

But let’s keep perspective: Opposing HTTPS Everywhere is a foolish waste of time and effort. We should encourage its spread. What we should NOT do, though, is pretend that the end of port 80 is the end of our privacy concerns, or even a particularly notable win. It’s a marginal improvement at best.

My beef is with people who think this is a big win for privacy. It’s emphatically not.

The intelligence game

Some may express a lack of concern about evidence of intelligence agencies ‘hoovering up’ every single communication across the southwest Pacific. But that doesn’t mean it isn’t illegal and wrong. Comprehensive surveillance of the kind we are experiencing under the NSA’s regime of total information awareness is a threat to our freedom of conscience, expression and association. More to the point, it’s just not how allies should act.

Samoan prime minister Tuilaepa Sailele recently offered a public reaction to the news that New Zealand’s Government Communications Security Bureau, or GCSB, had moved in 2009 from occasional, targeted electronic surveillance tactics to ‘full-take’ collection. Mr Sailele showed his trademark forthrightness in asserting that the proper term for spying was ‘diplomacy’ and that it happened all the time.

This is a mischaracterisation. To conflate the sometimes confidential and always delicate role of the diplomat with someone rooting through literally everything you send over a wire is misguided, and does a significant disservice to diplomats. It’s a little rich, too, when someone who has ‘nothing to hide’ also has no problem with the physical intimidation of the Samoan media.

Let’s be perfectly clear about one thing: There is a world of difference between the intelligence gathering that allies conduct between themselves – often cooperatively – and the kind of thing of which New Zealand stands accused. Continue reading

Poettering Uber Alles

The wisdom of Dear Leader Lennart Poettering:

The design of systemd as a suite of integrated tools that each have their individual purposes but when used together are more than just the sum of the parts, that’s pretty much at the core of UNIX philosophy.

I would say that he misunderstands the essence, the substance and possibly even the purpose of the UNIX philosophy… but I think he actually does understand. I think he’s simply being disingenuous, twisting the definition to meet his desires. It’s clear that this is a man who believes that he knows what’s good and what’s not.
Continue reading

Torrenting clichés live on for a reason

Freddie de Boer has a post up, decrying pro-torrenting ‘myths’ that need to die.

Down in the comments, he writes,

Many of you are dramatically underestimating the kind of resources that are necessary to make great artwork. Sgt Pepper could not have been made by dedicated amateurs. Even today, high-quality recording costs are far higher than people realize. Lawrence of Arabia could not be made by some kids with a GoPro and a dream. Nobody laboring alone in his bedroom could code Half-Life 2.

But Counter Strike absolutely WAS coded by a bunch of volunteers as a result of their own enthusiasm. Likewise Team Fortress.

Oh – and the Linux kernel, which drives most of the web today. And BSD Unix – the framework on which Mac OS X is built.

And pretty much all of deviantart.com. And a majority of the stuff on 500px.com. And a great deal of good writing.

Lawrence of Arabia could not be made by some kids with a GoPro, but that does nothing to diminish what a couple of kids with a GoPro can do. And Sergeant Pepper – oh, this is silly and childish. Freddie, your proposition is that Great Art is not possible without significant resources being brought to bear. The real proposition is that some kinds of creative endeavour (the majority of which are decidedly not great) are not possible without significant resources. Continue reading

Snowdrift? Toboggan hill!

Paul Chiusano, in the course of reinventing the world, writes:

One of my personal pet causes is developing a better alternative to HTML/CSS. This is a case where the metaphorical snowdrift is R&D on new platforms (which could at least initially compile to HTML/CSS).

The problem with the ‘snowdrift’ here, to abuse the metaphor, has nothing to do with IP law, and nothing to do with lack of innovation. It has everything to do with the size of the drift. You don’t have any choice but to wait for someone else to come along to help shovel. But the author is trying to say, ‘If everyone doesn’t shovel, nobody gets out.’ And that’s not always true.

A quick reminder: When HTML first came out, the very first thing virtually every proprietary software vendor of note did was create their own, better alternative. Web design tools were so common, it became difficult to market oneself as someone who actually knew how to create HTML by hand. And each of those tools used proprietary extensions and/or unique behaviour in an attempt to provide a ‘better alternative’ to consumers – and of course to corner the market on web development, and therefore on the web itself.
Continue reading

The ‘Digital Divide’ is a chasm

The ITU, bless their binary souls, just released the 2014 Measuring the Information Society report. The headline is – or should be – that something is very wrong on the internet, and we need to fix it.

I used to scoff at the phrase ‘digital divide’, which was used to soft-pedal the glaring technological inequalities between rich and poor nations. I still don’t like it, but for different reasons. I used to think that the technological gap between the developed and developing worlds was evanescent, a transient blip which would rapidly disappear as wireless broadband technologies proved viable in even the most marginal markets.

Not so. At least, not so far. The 2014 ITU report shows a widening gap between rich and poor, in spite of the fact that growth in the global digital economy is driven entirely by the developing world.

Let’s look at who’s got access to broadband on their mobile:

The disparity between the richest and the poorest countries is glaring, and unlikely to right itself. The developed world and the Least Developed Countries are on completely different trajectories. Even the developing countries are showing a rate of increase that would require radical change even to come close to the level of ubiquity seen in Europe and North America. Continue reading

Systemd and The Unix Way

What follows is not for the benefit of systemd supporters. I write it because somewhere out there in the wilds of the internet, there might still be some youngster with a clue who needs to get this:

Systemd, OOP and a number of other technologies have been touted by people who have a curious mixture of cleverness and a lack of imagination or experience (something altogether too common in the world of software development). They claim that because they have solved a problem, they are therefore entitled to use the same approach to Solve All Problems Ever. So instead of exercising a little humility and moving their work ahead in a way that’s accepting of other approaches, they charge in full speed, damn the torpedoes and devil take the hindmost.

It happened with Microsoft and ActiveX. It happened with Object Oriented Programming languages – most notably with Java: there was a time when it was hard to find work programming in anything else. It happened, to a smaller degree, with design patterns. You can find numerous other examples if you search for them.

It’s happening again today with systemd. Continue reading

There’s no app for that

Putting responsibility for our children in the hands of governments and corporations is just wrong

In recent years, the International Telecommunications Union (ITU) has been drumming up support for surveillance and censorship. They do it under the guise of creating measures to protect children and stop what they call cyber-crime. But what they advocate is nothing short of a toolkit fit for a police state.

I’d love to be able to say that I’m overstating the case. I’d love to find out that the technologies and legal levers that are being proffered by the ITU and various other agencies were never used for anything other than good. I’d also love a pony.

I’ve written before about the fractious relationship between the ITU and the technical organisations that actually do run the internet. I’ve written about how Pacific island governments and societies can come to terms with surveillance and censorship. I’ve even talked about this push by the ITU, extending across the developing world, to drum up support for its vision of the internet as a fenced and orderly place. More to the point, I’ve already written about where it leads.

But just last week, at a conference discussing the protection of critical IT infrastructure, I watched a presenter describing the creation of a computer incident response team (in ITU jargon, a CIRT) based on a model adopted by some of the least free countries in the world. This was presented without apology or explanation. Continue reading

Web tricks are not for kids any more

I started writing web apps in 1994. Using CGI.pm in Perl was pretty much state of the art – and the art wasn’t very pretty. ColdFusion appeared shortly thereafter, but only supported basic control structures – no functions or even subroutines at the start. Then came ASP and a disastrous mishmash of security holes, ActiveX objects being called from the only thing worse than PHP for tag soup, with spaghetti code for filler. PHP, for our sins, went from being a ‘hey, kids, look – I made a web page!’ app to an actual application platform.

… and the list goes on.

I’ve lived through the browser standards wars, I’ve seen such sins committed in the name of the Web that I would wake up screaming, ‘Why, Tim Berners Lee?!? WHY???!!’ I’ve lived through <BLINK>, Flash, animated GIFs, <MARQUEE>… and other monstrosities whose names Shall Not Be Spoken.

I’ve used JavaScript since it was a toy.

But this, my child, is the key: It’s not a toy any more. Finally, after two decades of stumbling around blindly, wreaking more chaos and mayhem than a shirtless, drunken Australian on a JetStar weekend in Bali, web development has finally matured. A bit. It’s learned that being cool doesn’t earn you nearly as many friends as being useful. It’s learned that a guy’s gotta eat, fer Chrissakes, and sleep from time to time. It’s learned that popsicle-stick bridges may be neat, but won’t carry the load that a boring old concrete one will.

But, as the scripture says, ‘then I put away my childish things.’ Oh, it’s true that just because we’ve grown up doesn’t mean we’ve learned every lesson ever. It’s true that we Web Developers still get seduced by Teh Shiney. But all in all, we’ve grown; we’ve lost our innocence and our hair. But we sleep at night. And we parallelise. And we scale. We’re grown-ups now. With grown-up tools.

So put down your PHP, child. Accept that JavaScript is a language. REST in your Bower and accept that some change is for the better.

Talking Shop

The Internet Governance Forum is sprawling, unfocused and formally useless. You should go.

I hate talking shops. Most sensible people do. If you are involved in any way in policy making, advocacy – or heck, if you just have to work for a living – the last thing you want to do is waste time talking. The Internet Governance Forum is a global conference that draws together governments, telecommunications interests, standards & technical management bodies, NGOs & social development groups… well, pretty much everyone who gives a fig about the internet. It was one of very few tangible results to emerge from the 2003 World Summit on the Internet Society, a UN-sponsored get-together that attempted (and ultimately failed) to address a widely-held perception of US dominance of the internet’s governance structures.

The IGF, quite deliberately, was designed to have no regulatory authority, no policy levers and indeed, no formal mandate to advocate even for issues about which the entire world is in screaming agreement. It can’t even publish findings. And that is its genius.

It’s a sprawling, unfocused event with disparate interests. Discussions cover everything and anything even remotely related to internet governance, from human rights and freedom of speech to child protection to spam and cyber security to standards development and law. It draws thousands of attendees from all walks of life. It’s uneven in quality and sessions range from the enlightened meeting of minds to fractious verbal brawls. As Winston Churchill might have said, it’s the worst possible forum we could possibly have, except for all the others. Continue reading