Moving the web to HTTPS (and other global 
geo-political crises)

Transcript

1. Moving the web to HTTPS (and other global 
 geo-political

   crises) Daniel Appelquist (@torgo) Open Web Advocate, Telefónica (@tefdigital) Co-Chair, W3C TAG (@w3ctag)

2. Joint IETF / W3C “STRINT” Workshop

3. “Pervasive Monitoring 
 is an Attack” • Pervasive monitoring is

   “surveillance at widespread observation points, without any particular target in mind at time of surveillance, and without any modification or injection of of network traffic.” - Trammell, et al. • “The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.” - Farrell & Tschofenig https://www.w3.org/2014/strint/

4. TLS All of the Things!

5. New work in W3C TAG: a “Moving the web to

   HTTPS” finding: 
 https://w3ctag.github.io/web-https/

6. Some commonly 
 raised objections 
 (and why they’re wrong)

   Credit to Yan Zhu (newly elected to the TAG) https://zyan.scripts.mit.edu/blog/tls-everything/

7. 1. HTTPS is expensive and hard to set up •

   This is getting better • Many hosting providers already offer point-and-click wizards for setting up TLS • EFF “LetsEncrypt” initiative in the near future • New certificate authority • Free certificates • New cert management protocol: ACME • Entire process < 30 seconds • Wide industry support https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web

8. 2. here is no value in using HTTPS for public

   data (e.g. news articles) • Misses the point that aggregating browser data can reveal a lot • What’s public and non-controversial in one country may be subversive in another • What article you visit on the Guardian • What symptom you search for on NHS choices • This is a cousin of the “it’s just metadata” argument

9. Metadata is Data “It’s only metadata” is nuspeak

10. 3. TLS is slow • Mostly not • Modern versions

    optimize away most of the performance issues • c.f. https://istlsfastyet.com (spoiler: it is) • HTTP/2 also offers performance gains
 (see https://blog.httpwatch.com/2015/01/16/a-simple- performance-comparison-of-https-spdy-and-http2/ - “HTTP/2 is likely to provide significant performance advantages compared to raw HTTPS and even SPDY.”

11. 4. HTTPS breaks feature X • Usually having to do

    with mixed content • Yes, there is more work to do than just switching to https • Modern developer tools can help you debug these issues • “https everywhere” tool also can help to debug issues

12. 5. HTTPS offers a false sense of security • …compared

    to what? • Yes, there are holes in the current CA system, these are being addressed • It’s better than the alternative which is no encryption • It mitigates against pervasive monitoring • Data minimization

13. Powerful Features are going to require secure origins • service

    worker • access to sensors • sensitive data • requesting permissions http://www.w3.org/TR/powerful-features/

14. https is not the only answer

15. The User Experience 
 of Privacy Needs Work • Many

    users think a lock icon in the page is more important than a lock icon in the browser chrome • Mobile ui indication of “secure” is bad to nonexistent (how do you know your bank’s app is secure?) • Certificates are impenetrable to mainstream users • How many people understand what a certificate-based secure connection is (encrypted, identified) anyway? • Stanford research shows users think the way internet ads really work should be “illegal.”

16. You Still Need to Trust 
 the Server • No

    transport-layer encryption can protect you against active attacks on the server (e.g. heartbleed) • …or complicit behavior of the service you are using (e.g. PRISM)

17. By the way, your ISP still knows what sites you

    are visiting If you care about this, use TOR or I2P

18. Sidebar: http/2? • http/2 is in IETF “last call,” it’s

    implemented in Firefox and Chrome and you’re already using it if you use any Google services • It offers great performance gains over ubiquitously deployed http/1.1 (especially for mobile) • Google, Mozilla and Microsoft are on record saying they will only implement http/2 for https • If you’re not already experimenting with it, you should be (cf BBC’s streaming trial: http://www.bbc.co.uk/rd/blog/2014/12/ adaptive-media-streaming-over-http-2-trial) • See https://http2.github.io

19. Why Should You Care?

20. Because Snowden!!1!

21. Secure Internet = 
 Freedom of Expression • Freedom to

    communicate securely and privately is important in democracies and stuff • Secure, anonymous communications enablers confidential sources, whistler blowers and the like, vital for a free press • Anonymous participation especially important for marginalized or oppressed groups • Blanket surveillance (pervasive monitoring, warehousing of “metadata”) is overreach and should be challenged

22. I am not making this shit up

23. Know Your Article 19 “Everyone has the right to freedom

    of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” http://www.un.org/en/documents/udhr/index.shtml#a19

24. Action? • Comment on our draft TAG finding: 
 https://w3ctag.github.io/web-https/

    • Policy: technical community could do better to explain internet encryption and pervasive-monitoring-related issues to policy makers and the public (c.f. the Open Rights Group’s answer to David Cameron’s recent statements: https:// www.openrightsgroup.org/blog/2015/what-does-david-cameron- want) • Contribute to the global discussion as a stakeholder of the Internet and of the Web: W3C, IETF, open source, etc… • Move your web site to https and encourage others to do so as well • … and about that “s”…

25. Thanks! @torgo @tefdigital @w3ctag