Why Browsers Need Encrypted-Only Mode

Update August 27, 2013:

Here’s a link to the discussion about this post at reddit.com/r/netsec.

Original Post:

Recently I had a conversation with my uncle about his lack of computer use. He told me he doesn’t get online much, doesn’t “have a Facebook”, and has only sent a dozen or so emails. Ever.

I was impressed. By avoiding online activity, he’s managed to escape a lot of the high-tech threats many of us face on a daily basis. Except, as he explained, he still needs to buy things online. And it turns out his credit card number has been swiped multiple times. It’s impossible to say exactly how it was stolen, but sending it over an unencrypted web connection is one real possibility.

Shall we play a game?

It’s been said that protecting yourself online is like War Games; the only way to win is not to play. To disconnect. Or in my uncle’s case, to never connect much to begin with. The problem is, if you fully disconnect, you’re sacrificing a huge number of modern conveniences. Online shopping is a big one.

So I asked him if he knew about HTTPS. He said he didn’t, then took out his notebook and wrote it down while I tried to hide my astonishment.

Having successfully evaded the horrors of Facebook and lolcats, my uncle is clearly in the minority in the U.S. But should I be surprised that anyone who doesn’t do this stuff for a living doesn’t really know what HTTPS is or why it’s so important? Probably not.

Still, it makes me uneasy, and I think something ought to be done about it. I want to be clear, though. I don’t think the problem is really just that people don’t know what HTTPS is. The real problem is that many people don’t understand when they’re easily susceptible to eavesdropping and when they’re not, and it’s a direct consequence of the following fact:

Web-based communication is unencrypted by default.

Green address bars and lock icons help, but they’re implemented inconsistently across different browsers. Worse, they’re only passive indicators, so they have a high probability of being ignored after a while. Even by experts.

If the entire web were encrypted, we wouldn’t have this problem. Every site you visit would offer confidential communication between your browser and it, and we’d all be better off. I think it’s a worthy goal, and a lot of people agree that we should be moving in that direction, but there’s good reason to believe that we’ll be dealing with a hybrid web for many years to come.

Since the web isn’t going to be fully encrypted anytime soon, we need to find ways to improve people’s awareness of when their communication is and is not encrypted. More conspicuous and consistently implemented visual cues would be an improvement, but those are still just passive indicators. I think something more active is needed. I call it encrypted-only mode.

Encrypted-only mode would give users better awareness and control.

Here’s how it would work:

  1. Before logging into your bank’s website, you tell your browser you don’t want to allow any unencrypted communication, so you click a button to enter encrypted-only mode.
  2. You log in and conduct your transaction, secure in the knowledge that none of the information your browser transmitted during the session was sent in the clear. Any attempts to communicate with non-https URLs are forcibly blocked by your browser while in this mode.
  3. When finished, you log out of your bank’s website and switch off encrypted-only mode.

The idea is that entering this mode would provide an additional layer of protection by temporarily disabling all unencrypted traffic. It would also be a conscious decision, and therefore difficult to ignore.

Introducing HTTP Nowhere.

HTTP Nowhere is a Firefox browser extension I recently wrote to implement this idea. You can install it from the Firefox Add-Ons site, and check out the source at GitHub. Beyond what is discussed above, it allows you to see which unencrypted requests were made while in this mode, and lets you add specific URLs or URL patterns to a whitelist.
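
The decision logic described above (block everything that is not https while the mode is on, record what was blocked, honor a whitelist) can be sketched as follows. This is an added example, not HTTP Nowhere's actual source; the class name, method names, and the whitelist pattern syntax (`host` or `*.host`, optional `:port`) are assumptions made for illustration.

```javascript
// Added illustration, not HTTP Nowhere's source. All names are hypothetical.
class EncryptedOnlyPolicy {
  constructor(allowPatterns = []) {
    this.enabled = false;                 // toggled by the user's button
    this.allow = allowPatterns.map(EncryptedOnlyPolicy.parsePattern);
    this.blocked = [];                    // refused requests, for later review
  }

  // Assumed pattern syntax: "host" or "*.host", with an optional ":port".
  static parsePattern(pattern) {
    const m = /^(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(pattern.trim());
    if (!m) throw new Error(`bad allowlist pattern: ${pattern}`);
    return { wildcard: Boolean(m[1]), host: m[2].toLowerCase(), port: m[3] || "80" };
  }

  static matches(rule, url) {
    if ((url.port || "80") !== rule.port) return false;
    // "*.cdn.example" covers img.cdn.example, not cdn.example or evilcdn.example.
    return rule.wildcard
      ? url.hostname.endsWith("." + rule.host)
      : url.hostname === rule.host;
  }

  // Returns true if the request may be sent.
  check(rawUrl) {
    if (!this.enabled) return true;       // normal browsing: no restriction
    let url;
    try {
      url = new URL(rawUrl);
    } catch {
      return this.refuse(rawUrl, "unparseable URL");   // fail closed
    }
    if (url.protocol === "https:") return true;
    if (url.protocol === "http:" &&
        this.allow.some((rule) => EncryptedOnlyPolicy.matches(rule, url))) {
      return true;                        // explicit user exception
    }
    return this.refuse(rawUrl, `blocked scheme ${url.protocol}`);
  }

  refuse(url, reason) {
    this.blocked.push({ url, reason });
    return false;
  }
}
```

Matching the whitelist on a dot-anchored suffix and on the port keeps an entry for one host from silently covering a look-alike domain or a different service on the same machine.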

This is just an initial Firefox-only implementation of the concept. I can imagine a future where the conscious action could be inserting and removing a hardware USB key to get your browser to go into this mode. This could work in concert with existing solutions that store client certificates on hardware devices.

Feedback and Patches Welcome.

If HTTP Nowhere sounds interesting to you, please try it out and let me know what you think in the comments below, or by writing a review on the Firefox Add-On page. If you have ideas for improvements or want to contribute some code, get in touch here or via GitHub.

Also, if you haven’t heard of it yet, I’d urge you to check out HTTPS Everywhere, which is available for Firefox and Chrome, and is supported by the Electronic Frontier Foundation (EFF). It doesn’t implement a strict HTTPS-only policy (yet), but it’s a great way to discover and automatically jump to more secure versions of sites you might visit regularly.
