Making Data Public on Private Connections
Encrypted connections are becoming an industry standard for high-traffic websites, and for good reason.
When people think about attackers, they tend to think of them as a monolithic whole: one group of people with bad intentions and nothing but time on their hands to invent new schemes for separating victims from their money.
But the truth is there are as many different types of attackers as there are types of attacks and types of victims. From petty thieves at the bottom of the barrel all the way up to nation-state actors at the top, the one thing they all have in common is the desire to steal information. In one way or another, all of these people rely on the ability to locate, steal, and monetize victims’ data.
In today’s world, that data is everywhere: sitting on laptops and mobile phones, streaming through the air, and stored in cloud services. The job of defenders, of course, is to make it as difficult as possible for attackers to get their hands on that data, and perhaps the most effective method for doing so at the moment is the use of encryption. Encryption has the wonderful property of protecting information against all manner of attackers, regardless of their level of skill or funding.
Many in the security community have been pushing for the expanded use of encryption, especially for data in transit, for a long time now. But the urgency of those calls has picked up significantly in the years since the Edward Snowden leaks began, as it became clear how much cleartext traffic intelligence agencies were collecting, storing, and mining. Major Internet companies such as Google, Yahoo, Amazon, and Twitter have moved to HTTPS connections by default in recent years, with more to follow. Google has been at the forefront of this movement, and the company is now publishing a section in its transparency report that details not just its own work to move to encrypted connections, but also the status of other top sites’ HTTPS usage.
Google’s data shows that more than 75% of the traffic to its own (non-YouTube) sites is now over encrypted connections. That’s a jump of more than half since January 2014, when the number was around 50%. The data, published earlier this week, also shows that many of the top 100 global sites now are running HTTPS by default, a fact that represents a major win for users and a significant barrier for attackers looking to eavesdrop on that traffic. Facebook, LinkedIn, Instagram, PayPal, WhatsApp, Yahoo, and WordPress are all among the sites using modern TLS connections by default now.
But there is still plenty of work to be done, both at Google and on the wider Web. And that’s why Google’s engineers are continuing to roll out new encrypted services and plan to publish data on an ongoing basis, covering not just the company’s efforts but also other sites’. Plenty of other sites don’t have HTTPS available by default yet, including Amazon and Yelp, and still others don’t even work on encrypted connections.
“We're committed to making the web a safer place not only for Google users, but for all users. HTTPS makes it difficult for Internet Service Providers, governments and others to watch what you're doing online. We are open to working with all sites listed below to help them move to HTTPS by the end of 2016,” Google said in its report.
The publication of this data not only holds Google accountable for its work, but also puts public pressure on other top sites to follow the company’s lead. More encryption is good for everyone, except attackers, and that’s always the name of the game.