When you go to pay for something online, or put in your password, it’s a good idea to make sure you’re using encryption. Most of us know to look for https at the beginning of a web address when entering sensitive information – regular unencrypted http connections are like a postcard that anyone can read. But for most web surfing, it doesn’t matter… right?
We are already being profiled – mostly by advertisers, but increasingly by anyone who is interested – based on our participation on Facebook and our searches on Google. Even if your name is hidden, you can be identified by your surfing behavior. In this environment, even if you have nothing to hide, you might want to make your web traffic less easily accessible to prying eyes, and one way is using encryption. (This article is about encrypting your traffic, not completely hiding it, which requires stronger measures like Tor.)
As Cory Doctorow so vividly illustrated in his novel Little Brother, if the only people using encryption are ‘troublemakers,’ then, even if the content of their traffic is unreadable, authorities can identify them by focusing scrutiny on those users who pass large amounts of encrypted data. In some parts of the world, having your communications monitored can not only lose you a job prospect or a loan, but can land you in jail. The more people use https, the less obvious it is who is a political dissident and who is just a reasonably cautious web surfer.
Internet liberty activist group EFF promote a browser plugin called HTTPS Everywhere that makes encrypted browsing easy. If you use Chrome, try HTTPS Enforcer. It’s as simple and sensible as sealing the envelope on a letter you’re mailing. And the increased demand for fully encrypted versions of your favorite sites will drive them to support safer browsing for everyone.
The only current downside of using the https version of a site is that it will tend to load slightly slower than otherwise. Part of the delay is that your browser checks whether the SSL certificate – the guarantee that an encrypted site is who it claims to be – is valid. All the encryption in the world won’t keep your traffic safe if it is being directed to the wrong destination. Unfortunately, the system in place to check the certificates isn’t secure.
SSL critics have long complained that the revocation checks are mostly useless. Attackers who have the ability to spoof the websites and certificates of Gmail and other trusted websites typically have the ability to replace warnings that the credential is no longer valid with a response that says the server is temporarily down.
https://arstechnica.com/information-technology/2012/02/google-strips-chrome-of-ssl-revocation-checking/
So when the check is necessary, it’s useless, and when it’s unnecessary, it wastes time: “The median time for a successful OCSP check is ~300ms and the mean is nearly a second.” [Imperial Violet]
As Ars reports, the Google Chrome team is removing this check and implementing its own list of bad SSL certificates. This will go a long way to making https as convenient as http, and I hope other browser makers will follow suit. Until then, you can consider the slightly longer loading times of secure sites your contribution to making the web more private for everyone.