The Rise of HTTPS…
…and other global, socio-political crises

Daniel Appelquist (@torgo)

Open Web Advocate, Telefónica

Co-Chair, W3C Technical Architecture Group

Who am I?

  • American living in London, working for a Spanish company
  • I work in the Firefox OS group in Telefónica
  • I work on web standards developer advocacy
  • I represent Telefónica in the W3C
  • I co-chair the W3C Technical Architecture Group with Sir Tim Berners-Lee and Peter Linss of HP
  • I advise the UK government on the use of open standards
  • I tweet at @torgo

The TAG

STRINT Workshop

February 2014 in London

https://www.w3.org/2014/strint/

“Pervasive Monitoring
is an Attack”

  • Pervasive monitoring is “surveillance at widespread observation points, without any particular target in mind at time of surveillance, and without any modification or injection of network traffic.” - Trammell, et al.
  • “The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.” - Farrell & Tschofenig

It's all about trust

  • The web is supporting more and more of the world’s communications
  • Trustworthiness is key
  • Pervasive monitoring undermines that trust
  • HTTPS was originally deployed so that people could have trust in spending money online
  • Now, more and more of what we do online requires that level of trust

TLS all of the things!

TAG Finding:
Securing the Web

  • Moving the Web to https
  • Motivations thereof
  • Coordinating with the web community

http://www.w3.org/2001/tag/doc/web-https

Some commonly raised objections to HTTPS

(and why they’re wrong)

Credit to Yan Zhu of Yahoo! & member of W3C TAG

1. HTTPS is expensive and hard to set up

  • This is getting better
  • Many hosting providers already offer point-and-click wizards for setting up TLS
  • EFF “LetsEncrypt” initiative in the near future
    • New certificate authority
    • Free certificates
    • New cert management protocol: ACME
    • Entire process < 30 seconds
    • Wide industry support

2. There is no value in using HTTPS for public data (e.g. news articles)

  • Misses the point that aggregating browser data can reveal a lot
  • What’s public and non-controversial in one country may be subversive in another
  • What article you visit on The Guardian
  • What symptoms you search for on health websites
  • This is a cousin of the “it’s just metadata” argument

Metadata is Data

3. TLS is Slow

  • Mostly not
  • Modern versions optimize away most of the performance issues
  • cf. https://istlsfastyet.com (spoiler: it is)
  • HTTP/2 also offers performance gains

4. TLS breaks feature “X”

  • Usually having to do with “mixed content”
  • Yes, there is more work to do than just switching to https
  • Modern developer tools can help you debug these issues
  • The “HTTPS Everywhere” tool can also help to debug issues
  • Does this break the web?
  • probably still the thorniest issue
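A way to find mixed content before switching a site to https, as an added example that is not part of the original slides: it lists the plain-HTTP subresources an HTTPS page would load. The active/passive split follows the usual browser distinction and, like the sample page and the example.com hosts, is an assumption added here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (class, URL attribute). "active" subresources can script or restyle
# the page; "passive" ones can only be displayed or played.
SUBRESOURCES = {
    "script": ("active", "src"), "iframe": ("active", "src"),
    "embed": ("active", "src"), "object": ("active", "data"),
    "img": ("passive", "src"), "audio": ("passive", "src"),
    "video": ("passive", "src"), "source": ("passive", "src"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            kind = "active"  # a stylesheet can restyle the whole page
            value = attrs.get("href") if "stylesheet" in rel else None
        elif tag in SUBRESOURCES:
            kind, attr = SUBRESOURCES[tag]
            value = attrs.get(attr)
        else:
            return  # e.g. <a href>: navigation, not a subresource
        if not value:
            return
        # Resolve relative and protocol-relative ("//host/x") references.
        url = urljoin(self.page_url, value.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from the talk).
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
<img src="/logo.png"><img src="http://images.example.com/banner.jpg">
<a href="http://other.example.com/">a link is navigation</a>"""
```

Protocol-relative and site-relative references inherit https from the page, so only the three explicit `http://` subresources are reported.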

5. HTTPS offers “false sense of security”

  • …compared to what?
  • Yes, there are holes in the current CA system; these are being addressed
  • It’s better than the alternative, which is no encryption
  • It mitigates against pervasive monitoring
  • Data minimization

Why should you care?

Because Snowden!!!1!

Secure Internet == Freedom of Expression

  • Freedom to communicate securely and privately is important in democracies and stuff
  • Secure, anonymous communications enable confidential sources, whistleblowers and the like, vital for a free press
  • Anonymous participation especially important for marginalized or oppressed groups
  • Blanket surveillance (pervasive monitoring, warehousing of “metadata”) is overreach and should be challenged
  • There is actually more than one government in the world

I am not making this up

It's not only Governments we need to be wary of

  • Ad networks and big data are damaging user privacy
  • This is particularly important for sensitive social topics
    • ZDNet: Google Outed Me: http://zd.net/1nYZ5L0
    • Mashable: How One Woman Hid Her Pregnancy from Big Data: http://on.mash.to/PNxfFo
  • Carnegie Mellon research shows users think the way internet ads really work should be “illegal”
  • People need to have more understanding of their digital footprint and the mechanisms they can use to preserve data privacy

US White House Proposal

BTW: White House seeks comment on proposal via GitHub

The web needs to clean up its act on security & privacy

So what's happening?

Security & Privacy Self-Review

Opportunistic Encryption

That “s” – and some of the web's other greatest mistakes

Permissions API

Finer-grained control over permissions-requesting APIs

A permissions anti-pattern

Ask permission
for a purpose

Content Security Policy (CSP) 1 & 2

An HTTP header that can help reduce XSS attacks

Privileged Contexts

  • Née “Powerful Features”
  • Joint work between TAG and Web Apps Security Group

https://w3c.github.io/webappsec/specs/powerfulfeatures/

What's a Powerful Feature?

  • The feature provides access to sensitive data
  • The feature provides access to sensor data on a user’s device 
  • The feature provides access to or information about other devices a user has access to
  • The feature exposes temporary or persistent identifiers
  • The feature introduces some state for an origin which persists across browsing sessions
  • The feature manipulates a user agent’s native UI in some way which could trick the user
  • The feature requests user permission 

…and the web is adding more and more of these, all the time!

Another Powerful Feature:
http/2

  • http/2 is here – work is complete in the IETF
  • It offers great performance gains over ubiquitously deployed http/1.1 (especially for mobile)
  • Derived from Google’s SPDY project
  • Google, Mozilla & Microsoft are only implementing http/2 over HTTPS
  • If you’re not already working with it, you should be
  • Good http/2 explainer: http://daniel.haxx.se/http2/

One does not simply…

…encrypt the web.

Thanks!

Daniel Appelquist

@torgo @w3ctag @tefdigital

Obligatory xkcd:

The Rise of HTTPS

By Daniel Appelquist

For Dev Talks Romania, Cluj, May 2015
