The Rise of HTTPS…
…and other global, socio-political crises
Daniel Appelquist (@torgo)
Open Web Advocate, Telefónica
Co-Chair, W3C Technical Architecture Group
Who am I?
- American living in London, working for Spanish company
- I work in the Firefox OS group in Telefónica
- I work on web standards & developer advocacy
- I represent Telefónica in the W3C
- I co-chair the W3C Technical Architecture Group with Sir Tim Berners-Lee and Peter Linss of HP
- I advise the UK government on the use of open standards
- I tweet at @torgo
The TAG
“Pervasive Monitoring
is an Attack”
- Pervasive monitoring is “surveillance at widespread observation points, without any particular target in mind at time of surveillance, and without any modification or injection of network traffic.” - Trammell, et al.
- “The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.” - Farrell & Tschofenig
It's all about trust
- The web is supporting more and more of the world’s communications
- Trustworthiness is key
- Pervasive monitoring undermines that trust
- HTTPS was originally deployed so that people could have trust in spending money online
- Now, more and more of what we do online requires that level of trust
TLS all of the things!
TAG Finding:
Securing the Web
- Moving the Web to https
- Motivations thereof
- Coordinating with the web community
Some commonly raised objections to HTTPS
(and why they’re wrong)
Credit to Yan Zhu of Yahoo! & member of W3C TAG
1. HTTPS is expensive and hard to set up
- This is getting better
- Many hosting providers already offer point-and-click wizards for setting up TLS
- EFF “LetsEncrypt” initiative in the near future
- New certificate authority
- Free certificates
- New cert management protocol: ACME
- Entire process < 30 seconds
- Wide industry support
2. There is no value in using HTTPS for public data (e.g. news articles)
- Misses the point that aggregating browser data can reveal a lot
- What’s public and non-controversial in one country may be subversive in another
- What article you visit on The Guardian
- What symptoms you search for on health websites
- This is a cousin of the “it’s just metadata” argument
Metadata is Data
3. TLS is Slow
- Mostly not
- Modern versions optimize away most of the performance issues
- cf. https://istlsfastyet.com (spoiler: it is)
- HTTP/2 also offers performance gains
4. TLS breaks feature “X”
- Usually having to do with “mixed content”
- Yes, there is more work to do than just switching to https
- Modern developer tools can help you debug these issues
- The “HTTPS Everywhere” tool can also help to debug issues
- Does this break the web?
- probably still the thorniest issue
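An added example (not from the talk) of the “more work to do” when switching to https: a small scanner that reports the subresources a page would still fetch over plain http://, which browsers block or flag as mixed content once the page itself is served over HTTPS. The sample page and host names are constructed.

```python
# Added example: find mixed content (http:// subresources) in an https page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that cause the browser to load a subresource.
# Simplification: every <link href> is counted, not only stylesheets.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("embed", "src"),
    ("object", "data"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in SUBRESOURCE_ATTRS and value:
                # Resolve relative and protocol-relative ("//host/...") URLs
                # against the https page URL; only absolute http:// ones remain.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def find_mixed_content(html, page_url):
    """Return the http:// subresources an https page would load."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page: three cleartext loads, three safe ones.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="https://images.example.com/secure.png">
<iframe src="HTTP://widgets.example.com/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print(f"mixed content: <{tag} {attr}> loads {url}")
```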
5. HTTPS offers “false sense of security”
- …compared to what?
- Yes, there are holes in the current CA system, these are being addressed
- It’s better than the alternative which is no encryption
- It mitigates against pervasive monitoring
- Data minimization
Why should you care?
Because Snowden!!!1!
Secure Internet == Freedom of Expression
- Freedom to communicate securely and privately is important in democracies and stuff
- Secure, anonymous communications enable confidential sources, whistleblowers and the like, vital for a free press
- Anonymous participation especially important for marginalized or oppressed groups
- Blanket surveillance (pervasive monitoring, warehousing of “metadata”) is overreach and should be challenged
- There is actually more than one government in the world
I am not making this up
It's not only Governments we need to be wary of
- Ad networks and big data are damaging user privacy
- This is particularly important for sensitive social topics
- ZDNet: Google Outed Me: http://zd.net/1nYZ5L0
- Mashable: How One Woman Hid Her Pregnancy from Big Data: http://on.mash.to/PNxfFo
- Carnegie Mellon research shows users think the way internet ads really work should be “illegal”
- People need to have more understanding of their digital footprint and the mechanisms they can use to preserve data privacy
US White House Proposal
- The White House has proposed to require federal web sites to be https-only
- They posted this proposal to github for comment: https://github.com/GSA/https
- W3C TAG has +1’d this proposal https://github.com/GSA/https/issues/94
BTW: the White House seeks comment on the proposal via GitHub
The web needs to clean up its act on security & privacy
So what's happening?
Security & Privacy Self-Review
Opportunistic Encryption
That “s” – and some of the web's other greatest mistakes
Permissions API
Finer-grained control over permissions-requesting APIs
A permissions anti-pattern
Ask permission
for a purpose
Content Security Policy (CSP) 1 & 2
An HTTP header that can help reduce XSS attacks
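An added example (not from the talk) showing what “help reduce XSS” depends on in practice: a parser for the Content-Security-Policy header that flags the script-src settings which leave injected scripts runnable, with a permissive policy beside a tighter one. Directive and keyword names are those of CSP 1 & 2; the sample headers and host names are constructed.

```python
# Added example: check a CSP header's script-src for settings that weaken XSS protection.
def parse_csp(header):
    """Map each directive name to its list of source expressions (lower-cased)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def script_source_weaknesses(header):
    """Return reasons the policy's script-src is weak against XSS (empty list = ok)."""
    policy = parse_csp(header)
    # script-src falls back to default-src when absent (CSP 1 & 2 semantics).
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: inline and remote scripts unrestricted"]
    reasons = []
    if "'unsafe-inline'" in sources:
        reasons.append("'unsafe-inline' allows injected inline scripts to run")
    if "'unsafe-eval'" in sources:
        reasons.append("'unsafe-eval' allows string-to-code execution")
    for src in sources:
        if src == "*" or src.startswith("http:"):
            reasons.append(f"{src} permits scripts from any or cleartext origins")
    return reasons

# Constructed sample headers: a permissive policy and a stricter one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {script_source_weaknesses(header) or ['ok']}")
```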
Privileged Contexts
- Née “Powerful Features”
- Joint work between TAG and Web Apps Security Group
What's a Powerful Feature?
- The feature provides access to sensitive data
- The feature provides access to sensor data on a user’s device
- The feature provides access to or information about other devices a user has access to
- The feature exposes temporary or persistent identifiers
- The feature introduces some state for an origin which persists across browsing sessions
- The feature manipulates a user agent’s native UI in some way which could trick the user
- The feature requests user permission
…and the web is adding more and more of these, all the time!
Another Powerful Feature:
http/2
- http/2 is here – work is complete in the IETF
- It offers great performance gains over ubiquitously deployed http/1.1 (especially for mobile)
- Derived from Google’s SPDY project
- Google, Mozilla & Microsoft are only implementing http/2 over HTTPS
- If you’re not already working with it, you should be
- Good http/2 explainer: http://daniel.haxx.se/http2/
One does not simply…
…encrypt the web.
Thanks!
Daniel Appelquist
@torgo – @w3ctag – @tefdigital
Obligatory xkcd:
For Dev Talks Romania, Cluj, May 2015