RIP Plaintext Internet
It is time to kill the plaintext Internet. Not next year, not a couple years down the line. Now.
The Internet, like the rest of us, was born naked. The messages sent between the servers on the network were in plaintext, and that was fine. The Internet was meant to be an open communication platform on which users could exchange information freely. It was designed with interconnectivity, interoperability, and freedom in mind. Security was not part of the equation.
And there was no real reason it should have been, at least not at the beginning. The threat model for most computers at the time consisted of another user on your local machine stealing your password and using your account. Layering encryption on top of the communications protocols just wasn’t necessary in the 1970s. (Not to mention that public key cryptography wasn’t really a thing then, anyway. At least not for the unclassified world.) The architects of the Internet didn’t realize that 30 years later the network would be compromised to its core by intelligence services and be bent to their will, serving as a global surveillance platform of unprecedented scale.
Solving this problem on the Internet scale would require a complete rebuild of the network, which isn’t happening anytime soon. But the good news is that some of the companies that own or operate large chunks of the Internet’s infrastructure have taken it upon themselves to add encryption to as many services, systems, connections, and applications as possible. And they’re making a remarkable amount of progress. Google has been working on this problem for many years, gradually making HTTPS connections the default for services such as Gmail and its main search page, as well as encrypting the long-haul links between its data centers. Those connections have been targets for intelligence agencies, who know that much of the Internet’s traffic flows through them, and until quite recently it was in plaintext. Easy pickings for an adversary sitting on the Internet’s backbone.
Google isn’t alone in this quest. This week, CloudFlare, the massive content delivery network and DNS provider, announced that it is making key changes to its network that will have the effect of making millions of sites available over secure connections and increase the security of the content served by those sites. The changes are mostly done behind the scenes, but they will make a huge difference in the volume of content that’s served over HTTPS connections and also will speed up those connections in the process.
The company is now offering TLS 1.3, the newest version of the security protocol that’s used in HTTPS connections. This version is much faster than previous ones: its handshake needs fewer round trips, which eliminates much of the overhead associated with setting up encrypted connections.
“CloudFlare has been heavily involved in the development of the protocol, which is more secure and delivers tangible performance benefits over previous versions. Establishing an HTTPS connection with TLS 1.3 requires fewer messages than previous versions of TLS, making page load times noticeably faster, especially on mobile networks,” Nick Sullivan of CloudFlare said in a post on the changes.
The second change will automatically rewrite HTTP URLs to HTTPS, making the connections secure without needing to make changes on the customer’s end. The idea is similar to what plugins such as the EFF’s HTTPS Everywhere do, forcing secure connections to sites that don’t use them by default. Sullivan said the change also will apply to links on customer pages whenever possible.
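As an added illustration of what such a rewrite has to get right (this is example code, not CloudFlare’s), the following Python rewrites http:// link targets to https:// only for hosts known to serve the same content over HTTPS; the allowlist and the sample HTML are constructed.

```python
import re

# Constructed allowlist: hosts the edge knows serve the same content over HTTPS.
# A real edge derives this from its own customer base or a ruleset (the approach
# HTTPS Everywhere takes); rewriting a host that has no HTTPS would break the link,
# which is why the rewrite is applied "whenever possible" rather than blindly.
HTTPS_CAPABLE = {"example.com", "www.example.com", "cdn.example.net"}

# Matches href/src attribute values that point at http://host/rest. The host group
# includes any explicit port, so "http://example.com:8080/" is left alone.
_HTTP_LINK = re.compile(
    r'(?P<prefix>\b(?:href|src)=["\'])http://(?P<host>[^/"\'?#]+)(?P<rest>[^"\']*)',
    re.IGNORECASE,
)


def rewrite_http_links(html: str) -> tuple[str, int]:
    """Rewrite http:// link targets to https:// for HTTPS-capable hosts.

    Returns the rewritten HTML and the number of links changed. Fixing these
    links matters beyond eavesdropping: on a page served over HTTPS, browsers
    block http:// scripts and stylesheets as mixed content.
    """
    changed = 0

    def replace(match: re.Match) -> str:
        nonlocal changed
        host = match.group("host").lower()
        if host not in HTTPS_CAPABLE:
            return match.group(0)  # unknown host: leave the plaintext link intact
        changed += 1
        return f'{match.group("prefix")}https://{host}{match.group("rest")}'

    return _HTTP_LINK.sub(replace, html), changed
```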
CloudFlare also is introducing a feature called Opportunistic Encryption that enables users to access unencrypted sites over HTTP/2, a new version of the protocol that the company will offer only on encrypted connections. Firefox is the only browser that supports HTTP/2 right now, but others are expected to follow soon.
“With Opportunistic Encryption, CloudFlare adds a header to tell supporting browsers that the site is available over an encrypted connection. For HTTP sites, Opportunistic Encryption can provide some (but not all) of the benefits of HTTPS. Connections secured with Opportunistic Encryption don’t get some HTTPS-only features such as the location API and the green lock icon. However, the connection is encrypted (and soon authenticated — we present a valid certificate and Firefox Nightly validates it), protecting data from passive snooping,” Sullivan said.
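The header mechanism Sullivan describes is Alt-Svc (RFC 7838). The following added Python (example code, not CloudFlare’s or Firefox’s) parses such a header and shows what a supporting browser does with it for an http:// origin: the traffic moves to an h2 connection over TLS, but the origin stays http://, so the HTTPS-only features stay off. The header values and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class AltService:
    protocol: str          # ALPN id, e.g. "h2"
    host: str              # "" means the origin's own host
    port: int
    max_age: int = 86400   # RFC 7838 default freshness, in seconds

def parse_alt_svc(value: str) -> list[AltService]:
    """Parse an Alt-Svc header value (RFC 7838); 'clear' or junk yields []."""
    if value.strip().lower() == "clear":
        return []
    services = []
    for entry in value.split(","):
        params = [p.strip() for p in entry.split(";")]
        if "=" not in params[0]:
            continue
        proto, authority = params[0].split("=", 1)
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not port.isdigit():
            continue
        svc = AltService(proto.strip(), host, int(port))
        for param in params[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "ma" and val.strip().isdigit():
                svc.max_age = int(val.strip())
        services.append(svc)
    return services

def plan_connection(origin_url: str, alt_svc: Optional[str]) -> dict:
    """What a supporting browser does with an h2 alternative for an http:// origin.
    h2 is negotiated only over TLS, so following the alternative encrypts the
    traffic, but the origin stays http://: no lock icon, no secure-context APIs.
    Until the client also validates the alternative's certificate for the origin
    host, this defends against passive snooping only, not an active attacker.
    """
    o = urlsplit(origin_url)
    plan = {"origin": f"{o.scheme}://{o.hostname}", "connect_host": o.hostname,
            "connect_port": o.port or (443 if o.scheme == "https" else 80),
            "encrypted": o.scheme == "https", "secure_context": o.scheme == "https"}
    for svc in parse_alt_svc(alt_svc or ""):
        if svc.protocol == "h2":
            plan.update(encrypted=True, connect_host=svc.host or o.hostname,
                        connect_port=svc.port)
            break
    return plan
```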
The threat model on the Internet has changed dramatically in the years since it became available to the general public, and the security community has been slow to adapt to the changes. But the tide is beginning to turn, at least in some respects, and the work that activists and companies such as Google and CloudFlare are doing to encrypt as much of the network’s traffic as possible is clear evidence of that.
The unencrypted Internet had a good run, but it’s time to put it out of our misery once and for all.