Hypertext transfer protocol (http) is the heart of the web, providing the
means to retrieve content from remote servers. It is an unencrypted,
protocol which allows malicious intermediaries to snoop on and potentially
modify the traffic.
Unfortunately, internet service providers (ISPs) are getting increasingly
bold in manipulating the traffic that they carry. This has lead some to call for
the elimination of http, in favor of encrypted http (aka secure http or
An ISP is perfectly situated to gather an enormous amount of information
about its users, their website preferences and habits (often called
clickstream data). Some have reportedly
been selling some of that data in a thinly-anonymized form to
advertisers and others. As AOL's well-intentioned, but poorly implemented,
search queries showed, it is rather easy to analyze this kind of
data and pierce the anonymity, deriving the specific user.
Another recent ISP trick is to modify a retrieved web page to display other
information – under the control of the ISP – which looks like
it comes from the website itself. Canadian ISP Rogers Internet has been testing a system to add
content to the Google homepage for their customers who are near their
monthly bandwidth limits. There are also plans afoot for ISPs to use
clickstream data to target advertising – though just where those
ads would show up is far from clear.
This kind of manipulation is unlikely to be what internet users expect
– to the extent they think about it all. The model folks tend to use
is that of a phone company; we do not expect them to sell our call records
to the highest bidder, nor do we give them license to modify our calls.
Various telecommunications privacy laws protect that data, but those laws
have not (yet) been applied to internet traffic. In addition, ISPs tend to
have a monopoly or near-monopoly, which restricts alternative,
less-intrusive ISPs from competing.
Fortunately, there are technical solutions possible in the internet realm
that would be difficult or impossible to implement network-wide in the
phone system. Encrypting website traffic will go a long way towards
eliminating this kind of ISP abuse, though it is no panacea. As more of
these kinds of privacy invasions occur, we should see more routine use of
https by websites.
Currently, https is almost exclusively used for e-commerce transactions;
typing in credit card numbers and the like. Authentication via username
and password is another area that sees widespread encrypted pages. Sites
may start to use https for their entire site to combat clickstream and page
rewriting abuse – though there will still be some information leakage
as the ISPs can still see what sites are being visited.
In order to make an https connection, the server must have a certificate
with its public key. Typically those are signed by an authority recognized
by browsers which allows the browser to authenticate that the certificate
belongs to the host visited. Getting signed certificates is a bit
cumbersome, costs some money, and they need to be renewed periodically
– all of which adds up to a headache for a site, especially a small,
non-commercial site, that wants to switch
to using https. Self-signed certificates are an alternative, but because
they are susceptible to man-in-the-middle attacks, browsers warn their
users when they receive one.
Another problem with this approach is the extra processing required on the
server to support encrypting each and every request. There is a
non-trivial amount of extra work that must be done per request and cannot
be cached. Sites that wish to avoid the problems that some ISPs are
introducing will just have to bear that cost.
Pushing bits is not very glamorous, but that is really what one hires an
ISP to do. Since they seem to be finding new and exciting ways to
interfere with those bits – Comcast
messing with BitTorrent traffic
for example – internet users will have to find ways to thwart their
schemes and encryption will be a big part of that effort. Using https
site-wide is only one step, other services will also need to be protected
from ISP abuse. What if an ISP started manipulating the results returned
from DNS queries, perhaps routing some to a server they control?
to post comments)