What Do We Want? More HTTPS! Why Do We Want It? Well, Here's Why We Might...
BY Nancy Scola | Wednesday, November 10 2010
At this point in the evolution of our relationship with the World Wide Web, it's probably safe to say that a critical mass of us have been trained to keep an eye out for that tiny little lock in the corner of our web browser that lets us know that, say, our online banking session at BankofAmerica.com is locked-down and secure. That little lock lets us know that our bank or credit card company's website is chugging along using the security protocol called HTTPS.
That's all well and good. But, of course, with so much of our lives being lived online, the valuable information we send across the Internet day in and day out doesn't begin and end with our bank account number. Facebook, for example, gets used to plan political rallies, and Twitter's now a key part of the communications landscape, including when it comes to governing. Sites like YouTube and Amazon and Wikipedia know a nearly unholy amount about the ideas we explore. We use Yahoo to email our innermost thoughts. Is it crazy of us to let ourselves use sites that don't apply the same level of security and protection to the trafficking of ideas and the organizing of social movements as sites do to our banking?
At least, that's what a group called Access is arguing. Born in the wake of the 2009 Iranian election, Access aims to empower activists around the planet with the tools that make their work possible, and safer. Access has launched an effort they're calling "Demand HTTPS," which calls on the people behind the one hundred most popular websites on the Internet to default to using HTTPS, the same secure protocol that banking and other financial transaction sites nearly uniformly do. "The top sites in the world are not protecting your privacy and security," Access's Executive Director Brett Solomon told me in a call today, "even though they can."
What's the big worry? "If a site isn't encrypted," warns Solomon, "then it means that a government, or your ISP, or, if you're on a wireless network, an individual can view your online activity. They can see what you're searching for on Amazon, which flights you've booked on Expedia, which purchases you've made on eBay." In free societies, argues Solomon, that risk might amount to a privacy one for most people. But in more monitored or even oppressed societies, like, say, China or Iran, the lack of secured online browsing can become a risk to someone's own personal security.
And so comes this call to leaders of some of the biggest-name and most-used sites on the planet, websites like, in addition to some of those named above, craigslist, WordPress, Blogspot, and the New York Times. What Solomon and Access are asking is for those sites to default to using HTTPS on every page that they serve up, rather than its less-secure HTTP counterpart protocol. (If you're unfamiliar with the particulars, the "S" in HTTPS is a tell letting users know that the site's server is using either the Transport Layer Security, a.k.a. TLS, or Secure Sockets Layer, a.k.a. SSL, protocol. What that means, at a technical level, probably falls beyond the bounds of this discussion, but basically it indicates that the computers involved in that bout of online communications have agreed to do so through encrypted channels.)
So, from the perspective of those sites, why not do it? Why not default to HTTPS and move on with things? The argument that you hear is that HTTPS is more taxing for computers. Access, though, points to a trio of Google engineers who, in June, laid out the case for the notion that HTTPS "is not computationally expensive any more." Google's own Gmail system has, in fact, run on HTTPS on an opt-out basis since the company made the switch in June. And just yesterday, Hotmail introduced the option for its users to choose an HTTPS-based browsing session from beginning to end. There's also a cost involved for the purchase of security certificates, but those costs are minimal for the major sites being targeted by this action.
A World Wide Web that involved more big websites more often relying upon HTTPS would seem to have implications for the privacy and security of everyone from hard-core political activists to those of us who merely prefer having a little privacy online. And should HTTPS take root beyond banking and online commerce and on the social platforms and other transactional sites that make up a big part of the web, an added bonus for the activist-minded is that it's a layer of security that becomes tough for even intrusive governments to openly object to. If it becomes just the way that the Internet is, then that's just the way it is. "We want HTTPS to be industry-standard across the board," said Solomon, "so that it's the default, not the exception."
Solomon says that the web is flowing in the direction of HTTPS; the only question is how quickly the big big sites on the web will get there. In the meantime, the Electronic Frontier Foundation offers up HTTPS Everywhere, a Firefox plug-in that pushes your browser towards HTTPS versions of websites wherever they do, in fact, exist.