Individuals and computer systems on the Internet are under attack daily. Incidents of financial fraud, embarrassing leaks of emails and photos, and the hijacking of systems for ransom keep increasing. Governments and private organisations must recognise the threat and take action immediately.
One of the most basic protections they can take is to encrypt all data that traverses the Internet so that only the intended receiver can interpret the data. Website operators who have not turned on encryption for their communications should do so immediately. There is no good reason why all data on the Internet cannot be encrypted.
Most people use the World Wide Web, whether for email, social networking, commerce, banking or searching for information, without knowing or caring about how it all works. There’s nothing wrong with that. People use cars and refrigerators the same way. However, people trust that the car has been built well and meets some minimum requirements to protect their physical safety, such as that the fuel tank won’t just catch fire. Similarly, when it comes to the modern Internet, data security is essential. Without it, not only can people’s privacy, finances or reputations be ruined, but as cars and other devices get connected to the Internet, the physical safety of individuals and their families is also at risk.
Wild Wild Web
To see how encryption protects individuals, consider the path the data takes between a user’s device and the remote server. It may go through a Wi-Fi access point, an Internet service provider, interconnection organisations that link Internet providers together behind the scenes and companies that provide undersea cables to carry data to servers in other countries. All these providers have the opportunity to snoop on data in transit. Additionally, any of them could have their systems compromised by criminals, cyberespionage groups or hostile governments. If the data is not encrypted, then it is open to access by any and all of them.
Many websites, especially those that involve financial transactions, do provide an encrypted connection. A user can tell when this is the case by looking at the address area of their browser. Most browsers display a lock or some other visual indication, and the website address is prefixed with “https”. Here are two examples of how it looks in the Chrome and Firefox browsers.
In contrast, this is how it looks when the communications are not encrypted:
The technology to encrypt web data, known as HTTPS, is nearly as old as the web itself, and the principle is straightforward. In the simplest terms, when a web browser or an app connects to a remote server, the server presents a certificate: a signed statement that binds the site's domain name to a public key. The browser checks that the certificate was issued by an organisation it trusts, that it is valid for the domain being visited and that the server holds the matching private key, and only then negotiates the keys used to keep all further communication with that server secret. Website operators acquire certificates from known and recognised organisations called certificate authorities. The cost of a certificate can be as little as Rs 1000, and there are also sources of free certificates. Certificates are tied to particular domains, so even if someone copied a site's certificate and installed it on another site, all modern browsers would raise an alert, because the name in the certificate would not match the address being visited. The certificate itself is public; what an operator must guard is the private key that goes with it, since anyone holding that key can impersonate the site.
The following images show how invalid certificates appear in Chrome and Firefox.
There are still three privacy issues that HTTPS encryption does not solve. The first is that even though third parties cannot tell what data is being transferred between a person's browser and the remote server, so the details of which pages the user is accessing remain private, they can tell that the person has visited a site: the server's address is visible on every packet, and the site's name is sent in the clear both in the DNS lookup and in the first message of the TLS handshake. That may be fine in the case of a news or information site such as Wikipedia, but if the site exclusively provides romantic matching services, information on a particular disease or political parties, for example, the visit alone may reveal something the person wants to keep private. The more specific a site's purpose, the more a person discloses about themselves by visiting it. To hide this activity from third parties, a person needs to take extra steps, such as using a VPN or the Tor network.
The second privacy issue with HTTPS is that sometimes the encryption does not go all the way to the server that is the source of the content or service, known as the origin server. That is because site operators may choose to use intermediary services, such as content delivery networks, that speed up delivery of the content or service, and it is the intermediary that terminates the encryption: the connection is encrypted from the browser to the intermediary's network, while the leg from the intermediary to the origin may be unencrypted. The intermediary therefore sees everything in the clear, and so does anyone able to observe that second leg. Generally, sites that handle credit card data would not do this, but a content-only site may. Operators who use such a service should configure it to encrypt the connection to the origin as well.
The third issue is that even if the data is encrypted all the way to the origin server, HTTPS does not guarantee that the site is a legitimate business or service provider. An ordinary certificate attests only that whoever obtained it controlled the domain name at the time, not that the domain's owner is honest. When a person sees the green "https" or lock symbol, they may assume that the site is trustworthy. However, it could be a false site set up to collect data or defraud individuals. In March, an encryption expert reported that over 14,000 certificates had been issued to sites with "paypal" somewhere in the domain name, such as "paypal.verification.zrxpu.ru". Nearly all of the domains were not under the control of PayPal Inc., and most of them are suspected phishing sites. Ninety percent of these certificates were issued in just the four months prior to March by Let's Encrypt, an initiative that distributes free certificates to promote the laudable goal of making HTTPS the default standard on the web. Unfortunately, phishers are capitalising on this. At a security conference in April, the online security company Kaspersky revealed that in October 2016 all traffic destined for the websites of a Brazilian bank was rerouted to fake sites complete with HTTPS certificates issued by Let's Encrypt in the bank's name.
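The "paypal.verification.zrxpu.ru" case can be checked mechanically. The added example below, which is not code from the article, implements the name-matching rule browsers apply to a certificate's DNS names (a wildcard counts only as the whole leftmost label and matches exactly one label) and a helper that finds the registrable domain using a constructed, deliberately tiny excerpt of the public suffix list. The hostnames and certificate name lists in it are assumptions for illustration.

```python
def hostname_matches(hostname, dns_names):
    """RFC 6125 style check that one of a certificate's dNSName entries covers hostname.
    A wildcard is honoured only as the entire leftmost label, it matches exactly one label,
    and it must leave at least two real labels to its right (so '*.com' never matches)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


# Constructed excerpt of the public suffix list; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "in", "co.in"}


def registrable_domain(hostname):
    """Return the part of the hostname a registrant actually controls (eTLD+1), or None.
    Everything to the left of it is a subdomain chosen by whoever holds that registration."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        candidate = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and candidate not in PUBLIC_SUFFIXES:
            return candidate
    return None


def brand_in_subdomain_only(hostname, brand):
    """True when a brand name appears in the hostname but not in its registrable domain,
    which is the pattern of the 'paypal' certificates described above."""
    reg = registrable_domain(hostname)
    return reg is not None and brand in hostname.lower() and brand not in reg


if __name__ == "__main__":
    phish = "paypal.verification.zrxpu.ru"
    # A certificate issued to the phishing host itself is perfectly valid for it ...
    print(hostname_matches(phish, [phish]))                      # True
    # ... but a wildcard for the parent registration does not reach two labels down.
    print(hostname_matches(phish, ["*.zrxpu.ru"]))                # False
    # The lock would be shown, yet the brand lives only in a subdomain the registrant chose.
    print(registrable_domain(phish), brand_in_subdomain_only(phish, "paypal"))
    print(registrable_domain("www.paypal.com"), brand_in_subdomain_only("www.paypal.com", "paypal"))
```

The point of the two functions side by side is that the browser's check and the user's question are different: the first asks "is this certificate valid for the name I typed?", which is true for the phishing host, while the second asks "who actually registered this name?", which is what the user cares about and which HTTPS alone does not answer.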
One way to counter this trend is for sites to get special certificates that indicate that the entity behind the site has been verified to be legitimate. When sites use these Extended Validation certificates (EV certificates) their registered name appears in the browser address bar. While this process can also be manipulated and is not foolproof, currently it adds a layer of reassurance. For example, State Bank of India uses EV certificates and its name appears next to the web address. One caveat: the major browsers have since stopped displaying the organisation name from EV certificates in the address bar, so the vetting still happens but most users no longer see any visible difference.
One common misperception is that security certificates, even EV certificates, are expensive. That may have been true in the past, but they are now inexpensive by any measure. An EV certificate can be purchased for under Rs 30,000, which is well within the means of any entity that wants to set up a website.
The trend towards total HTTPS usage has picked up considerably in the past year. There are multiple reasons for this, including a push by many stakeholders, such as the Electronic Frontier Foundation (EFF), browser makers such as Mozilla and Google, the US government and security experts. Let's Encrypt, founded with the backing of EFF, Mozilla and others, opened to the public in late 2015, and by May 2017 it had issued over 35 million certificates. Starting in January 2017, the Chrome browser displays "Not secure" in the address bar on pages that collect passwords or card details over plain HTTP, a warning Google has said it will extend to every page that is not using HTTPS. In 2015 the US government issued "A Policy to Require Secure Connections Across Federal Websites and Web Services," which gives a prominent boost to the movement. Even the labour cost is quite low. While it depends on the complexity of the website, most sites can be HTTPS enabled in a few hours.
However, numbers don't tell the whole story. By one measure, about 55% of web page loads were encrypted at the beginning of May, while a February scan of the top one million visited websites found that only 20% of them supported HTTPS. The gap arises from differences in measurement (some reports rely on browsers like Chrome and Firefox sending usage data to their parent organisations, so they weight popular sites heavily; a scan counts every site once) and differences in interpretation (some sites serve pages both encrypted and unencrypted, so they could be counted either as using HTTPS or not). What is clear is that the amount of encryption is increasing, and that is encouraging. Like the campaigns against polio and smallpox, with enough concerted effort, the usage of HTTPS can be brought up to 100%.
In India, the rate of adoption of HTTPS lags the US, but leads countries like Germany, Brazil and Japan, according to statistics from Google. In April, this author conducted a systematic scan of the Alexa top 500 sites in India. It showed that about 60% of them support HTTPS in some form. A smaller percentage of sites, about 40%, redirect a request for an unencrypted page to the HTTPS version, which is the recommended policy. Some sites also behave differently depending on whether the address is typed with "www" in front, which should not be the case: both forms should lead to the HTTPS version. The results are summarised below.
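A scan of this kind can be scripted in a few dozen lines. The following is an added example, not the author's scanning script: it records the first response for the plain and HTTPS version of each address, with and without "www", and classifies the site the way the paragraph does. The sample responses are constructed, the ".example" domains are reserved names that do not exist, and the live probe function is included for completeness but only the classifier runs on the sample data.

```python
import http.client
import ssl
from urllib.parse import urlsplit


def fetch_first_hop(url, timeout=5):
    """Request / once, without following redirects, and return (status, Location header),
    or None if the connection or the TLS handshake fails. Only used for a live scan."""
    parts = urlsplit(url)
    try:
        if parts.scheme == "https":
            # Default context verifies the chain and hostname, so a site with a broken
            # certificate counts as not supporting HTTPS, which is what a browser would see.
            conn = http.client.HTTPSConnection(parts.hostname, timeout=timeout,
                                               context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(parts.hostname, timeout=timeout)
        conn.request("GET", "/", headers={"User-Agent": "https-adoption-scan/0.1"})
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
        return result
    except (OSError, http.client.HTTPException):
        return None


def probe(domain):
    """Live version: collect first-hop results for http/https with and without www."""
    urls = ["%s://%s/" % (scheme, host)
            for host in (domain, "www." + domain) for scheme in ("http", "https")]
    return {u: fetch_first_hop(u) for u in urls}


def summarise(http_result, https_result):
    """Reduce one hostname's two results to the two properties the scan counts."""
    serves_https = https_result is not None and 200 <= https_result[0] < 400
    redirects = (http_result is not None and 300 <= http_result[0] < 400
                 and bool(http_result[1])
                 and urlsplit(http_result[1]).scheme == "https")
    return {"https_supported": serves_https, "redirects_to_https": redirects}


def classify(domain, results):
    """Classify a site from results mapping each probed URL to (status, location) or None.
    A site 'supports HTTPS' if either host form serves it, 'redirects' only if both do,
    and is 'www consistent' when the bare and www forms behave the same."""
    hosts = (domain, "www." + domain)
    per_host = {h: summarise(results.get("http://%s/" % h), results.get("https://%s/" % h))
                for h in hosts}
    return {
        "hosts": per_host,
        "https_supported": any(s["https_supported"] for s in per_host.values()),
        "redirects_to_https": all(s["redirects_to_https"] for s in per_host.values()),
        "www_consistent": per_host[hosts[0]] == per_host[hosts[1]],
    }


def tally(domains, results):
    """Fraction of the listed domains meeting each property."""
    reports = [classify(d, results) for d in domains]
    keys = ("https_supported", "redirects_to_https", "www_consistent")
    return {k: sum(r[k] for r in reports) / len(reports) for k in keys}


# Constructed sample results standing in for a live scan (the domains do not exist).
SAMPLE_RESULTS = {
    "http://good.example/": (301, "https://good.example/"),
    "https://good.example/": (200, None),
    "http://www.good.example/": (301, "https://www.good.example/"),
    "https://www.good.example/": (200, None),
    "http://mixed.example/": (200, None),                 # bare host serves plain HTTP
    "https://mixed.example/": (200, None),
    "http://www.mixed.example/": (301, "https://www.mixed.example/"),
    "https://www.mixed.example/": None,                   # www host fails the TLS handshake
    "http://plain.example/": (200, None),
    "https://plain.example/": None,
    "http://www.plain.example/": (301, "http://plain.example/"),   # redirect, but to HTTP
    "https://www.plain.example/": None,
}

SAMPLE_DOMAINS = ["good.example", "mixed.example", "plain.example"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, classify(d, SAMPLE_RESULTS))
    print(tally(SAMPLE_DOMAINS, SAMPLE_RESULTS))
```

The "mixed.example" entry shows why the www distinction matters: the site would be counted as supporting HTTPS, yet a visitor who types the www form gets a redirect to an HTTPS address that does not work. Replacing SAMPLE_RESULTS with the output of probe() for a real list of domains turns this into a live scan.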
Since many of the top sites in India are sites originating outside the country, such as Google.com or Wikipedia.org, it is also worth looking at HTTPS adoption by country of the site. This is not readily available information, but one way to approximate it is to look at where the traffic for the site originates. If a site’s top source of traffic is India, it is likely an Indian origin site.
By and large this appears to hold true. Broken down this way, HTTPS adoption among presumed Indian sites is far lower than in the US. Out of 351 presumed Indian sites, 155 (44%) do not respond with HTTPS, compared to 16 of the 124 presumed US sites (13%). In other words, Indian website operators are providing a far lower level of online security than those from the US.
For the protection and benefit of all Indians, Indian website operators need to implement HTTPS. The cost of acquiring certificates is low and the effort per website is minimal. The Indian government should make it a goal to implement HTTPS across all its servers by the year's end. Companies and organisations should also turn on HTTPS, and those that already have should verify that their configuration is current: modern TLS versions, sound cipher choices, valid certificates for every host name in use, and redirection of all plain HTTP requests, with or without "www", to HTTPS. With a little effort India could match or beat the US to take the top spot in terms of web encryption.
Sushil Kambampati is the founder of YouRTI.in, where anyone can suggest an RTI query simply and anonymously. He writes about online security and privacy, and tweets @SKisContent.