Seth Schoen began his Getting HTTPS Everywhere talk at
Linuxfest Northwest (LFNW) with an optimistic take. All that's required to
have HTTPS Everywhere is
that a few million more sites deploy HTTPS, the ones that have deployed
HTTPS fix their implementations, and a way is found to fix the problems with the Certificate Authorities (CAs). Then it's done. Piece of cake.
Perhaps it's not that simple after all. Schoen, senior technologist for the Electronic Frontier Foundation (EFF), explained early in the talk that the EFF isn't pursuing HTTPS adoption everywhere for grins — Schoen talked about Wireshark and Firesheep, and the ease with which people could snoop on others' Web traffic. He used examples of sniffing conversations over VoIP and other traffic, and said that it's "just out of convenience and courtesy" that most of the traffic that goes over a network isn't sniffed and viewed by someone else. However, convenience and courtesy only go so far — there are always those who are willing to go the extra mile to violate others' privacy for fun, profit, or other nefarious purposes.
Thus the need for encryption over all connections, and not just for
e-commerce sites, online banking, etc. The EFF and Tor Project released a Firefox extension called HTTPS
Everywhere last year to help make it easier for users to enforce the
use of HTTPS where it's supported. Schoen says that HTTPS adoption is much
better than a year ago, particularly with popular sites like Google and
Facebook. Even the US Federal Trade Commission (FTC) has called on Web services to start using HTTPS. Many sites now offer HTTPS as an option, though few offer HTTPS as the default.
So far, Schoen says that they estimate 500,000 users of the extension
— though that is merely a drop in the bucket when you consider the
number of people using Firefox (which passed 100 million downloads a few
weeks ago). The extension now supports more than 700 sites, which may sound
paltry until one realizes what's involved. It is not as simple as
adding "s" to the "http" in a request, but actually requires users to
verify that the same content is available at the URL if it is requested as
In some cases, like Wikipedia, it is not. For instance, requesting "http://www.wikipedia.org" will call up (as one might expect) the front page of Wikipedia. Requesting "https://www.wikipedia.org" gives an error. Users who want secure access to Wikipedia want "secure.wikipedia.org" instead. Requesting the Mozilla homepage without the "www" gives an error for an untrusted certificate, though requesting the HTTPS version of "www.mozilla.org" works fine. In short — too many sites on the Internet do not allow the user to simply assume that HTTPS will work with all links.
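An added example (not from the article or the extension's code base) of why rewriting needs per-site rules: the two rulesets are constructed from the Wikipedia and Mozilla cases above, and `RULESETS` and `rewriteUrl` are hypothetical names. A URL with no matching rule is left untouched rather than blindly upgraded.

```javascript
// Constructed rulesets for illustration; not the extension's shipped rules.
// Each ruleset is scoped to exact target hosts and holds regex rewrite rules.
const RULESETS = [
  {
    name: "Wikipedia (constructed)",
    targets: ["wikipedia.org", "www.wikipedia.org"],
    // HTTPS lives on a different host, so swapping the scheme alone fails.
    // The path mapping here is simplified.
    rules: [{ from: /^http:\/\/(?:www\.)?wikipedia\.org\//,
              to: "https://secure.wikipedia.org/" }],
  },
  {
    name: "Mozilla (constructed)",
    targets: ["mozilla.org", "www.mozilla.org"],
    // The bare domain presents an untrusted certificate; always use "www".
    rules: [{ from: /^http:\/\/(?:www\.)?mozilla\.org\//,
              to: "https://www.mozilla.org/" }],
  },
];

// Returns { url, rule }: the rewritten URL and the ruleset that matched,
// or the input unchanged with rule === null when no rule applies.
function rewriteUrl(rawUrl, rulesets = RULESETS) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return { url: rawUrl, rule: null };            // not a parseable URL
  }
  if (parsed.protocol !== "http:") return { url: rawUrl, rule: null };

  // href is normalized: lowercase host, "/" added to a bare origin.
  const normalized = parsed.href;
  for (const rs of rulesets) {
    // Exact host match keeps look-alike hosts out of a ruleset.
    if (!rs.targets.includes(parsed.hostname)) continue;
    for (const { from, to } of rs.rules) {
      if (from.test(normalized)) {
        return { url: normalized.replace(from, to), rule: rs.name };
      }
    }
  }
  return { url: rawUrl, rule: null };              // unknown site: do nothing
}
```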
So the EFF is looking for more users to help. Schoen called on users to
install HTTPS Everywhere, send bug reports when it doesn't work properly or
sites have changed, and to help write rules for it. Naturally, it would
also help if everyone responsible for a Web site would actually turn on HTTPS.
Users of Chrome and Chromium will be able to take advantage of the HTTPS
Everywhere extension soon. Schoen said that Chrome/Chromium was not
originally targeted because Chrome lacked the APIs necessary for HTTPS
Everywhere. There's also an effort afoot to provide an HTTPS Everywhere Web
proxy. He also gave a shout-out to the DuckDuckGo search engine, which has an
option for rewriting searches so that users will be sent to the secure
version of the resulting sites if available.
It doesn't help much to have the HTTPS Everywhere extension if sites don't have a secure version to redirect to. To that end, the EFF is working with Access on a program called HTTPS Now.
This effort includes resources for correctly
deploying HTTPS and the ability to search for sites and see how (or if)
they've deployed HTTPS. It also has a reporting system for users to explain how sites use HTTPS. For instance, users can report the name of the site, whether it only uses HTTPS on some pages or all pages, whether it uses secure cookies, has a valid SSL certificate, the key size of the certificate, and more. The reporting page has a lot of help to guide users who might not understand what a technology is, or how to determine if it's used. For instance, the help page for HTTPS Strict Transport Security (HSTS) explains HSTS and guides users to Qualys SSL Labs, which has an SSL Server Test page that will examine a site and provide much of the information they want. (LWN, by the way, gets an overall rating of B from the service.) [ Editor's note: it would seem that accepting weak ciphers is the main thing dragging down our grade, which is something we plan to look into and fix in the near future. ]
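Two of the reported items, secure cookies and HSTS, are visible in a site's response headers and can be checked mechanically. The following is an added example, not part of HTTPS Now or the original article; `auditHeaders` is a hypothetical name and the sample headers are constructed.

```javascript
// Audits response headers (lowercase names, "set-cookie" as an array, the
// shape Node's http module uses) for two HTTPS deployment weaknesses.
function auditHeaders(headers) {
  const findings = [];

  // HSTS: the header must be present and carry a non-zero max-age;
  // max-age=0 tells the browser to forget the policy.
  const hsts = headers["strict-transport-security"];
  if (!hsts) {
    findings.push("no Strict-Transport-Security header");
  } else {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
    if (!m || Number(m[1]) === 0) findings.push("HSTS max-age missing or zero");
  }

  // Cookies: without the Secure attribute the browser also sends the cookie
  // over plain HTTP, where anyone on the network path can read it.
  for (const cookie of [].concat(headers["set-cookie"] || [])) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
    if (!flags.includes("secure")) findings.push(`cookie ${name} lacks Secure`);
  }
  return findings;
}

// Constructed sample responses.
const HARDENED = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "set-cookie": ["sid=abc123; Path=/; Secure; HttpOnly"],
};
const WEAK = {
  "set-cookie": ["sid=abc123; Path=/; HttpOnly", "prefs=dark; Secure"],
};

console.log(auditHeaders(HARDENED)); // no findings
console.log(auditHeaders(WEAK));     // missing HSTS, sid lacks Secure
```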
Part of turning HTTPS on everywhere requires having a certificate — preferably not self-signed if one expects much traffic from users who have no way of verifying the veracity of a self-signed certificate. Not that certificates from CAs are always reliable. Schoen also talked about the SSL Observatory, another effort from the EFF to investigate certificates.
This is no small feat. According to Schoen the effort is trying to
examine all publicly visible SSL certificates on the Internet. This
has required making TLS connections to every IPv4 address. The EFF has
found that certificates are signed by about 650 organizations that are
trusted directly or indirectly by Mozilla and/or Microsoft as CAs.
Schoen says that the CA system has been subject to "a lot of little
scandals," that are worrisome. For example, CAs have signed certificates for
unqualified domain names like "exchange" instead of fully qualified names like
"exchange.host.tld", which is what the CAs are supposed to sign. Then there's
the recent Comodo incident where a reseller
of Comodo certificates was compromised and an intruder obtained
certificates for a number of targets. Though the certificates were almost
immediately revoked, it demonstrated a potential problem with the CA and reseller structure.
Schoen noted that the system as it stands is rather fragile — not
surprising given that it was invented by Netscape as a Band-Aid to calm fears about online credit card transactions.
For now, the EFF has been gathering data and examining it on its own. Schoen says that eventually the HTTPS Everywhere plugin would allow users to submit data to the Observatory. He also noted a few other efforts along the same lines, like the Perspectives Firefox extension and Google's certificate catalog.
The combined HTTPS efforts from the EFF and its partner organizations are enormous undertakings. Having all sites on the Internet (or even most) providing secure connections, and helping to reform the current CA mess, could take quite a few years. Pushing the awareness of the need for secure connections outside the tech community that understands the issues at hand will take quite a bit of effort, not just at the user level, but also at the site level. For instance, while Google and Microsoft have HTTPS for their Webmail offerings, Yahoo only offers HTTPS at login — when one logs into Yahoo Mail using HTTPS, they're immediately shunted to HTTP after login.
This will not be an easy fix, but the EFF's efforts are already
bearing fruit. While a half-million users is a drop in the bucket,
it's an impressive uptake for one year's effort. The EFF (and tools
like Firesheep) have helped drive awareness over the last year and
encouraged some major sites to push their users to secure connections,
which is a good start — but not enough. Users would do well to
check out the resources offered by the EFF, to participate in the
Observatory and other efforts as time allows, and push their own
organizations to offer HTTPS everywhere as well.