Locking down the Internet

Klint Finley at Wired has a provocative idea: “It’s time to encrypt the entire Internet.”  This would begin with more widespread use of the Secure Sockets Layer protocol – which, at the moment, is not entirely secure, due to the Heartbleed security flaw.  Updates to resolve that vulnerability are being circulated now, and there are some other problems with SSL waiting to be resolved, but Finley’s critique holds that not enough websites use any form of encryption at the moment.  The bulk of them are wide open, meaning connections can be spoofed or spied upon.  The widespread use of insecure wi-fi connections makes the situation even worse.

You can get an idea of how under-utilized secure connections are by watching your browser when you surf the Web.  There is generally an obvious visual indication when you connect to a secure website, such as color coding in the address bar.  The Internet addresses of such websites begin with “https” instead of just “http.”  Pay attention to these cues after a day of surfing, and you’ll see that the vast majority of sites you visit are not secure at all – or they’re only partially secure, flipping to an SSL connection just to verify passwords or display highly sensitive financial data.

As Finley explains, one of the lurking dangers of insecure websites is that the source and destination computers aren’t making any real effort to validate their identity.  This allows hackers to hijack connections to phony websites, or pump malicious software into a user’s system.

The big obstacle to using secure connections for all Web traffic is cost, accompanied by rapidly diminishing concerns about slower online performance.  The increasing power of both individual systems and the Internet is alleviating performance concerns, but there is still a substantial annual cost associated with maintaining a secure connection.  And, as mentioned, there are still some software improvements to be made, even after the hideous Heartbleed vulnerability (which can allow hackers to raid secure systems for passwords) is resolved.

The Wired article discusses the somewhat disturbing possibility that Google might use its immense power to begin forcing wider use of SSL connections, which is troubling even for some who support the goal.  Basically, Google would give search result priority to secure sites, causing those who don’t encrypt their transmissions to drop off the public’s radar screen.  Search for anything, and you’d have to scroll past all the sites that made the investment in SSL before you saw any of the sites that didn’t.  This ability to prioritize search results, which is already used for other purposes, gives Google an awful lot of clout.  Apparently there are voices within the company reluctant to use that clout for coercive purposes, so the idea of muscling the Internet into going all-SSL is still in the discussion stage.

It might not be something the Web has to get prodded into, if users become more aware of the difference between secure and non-secure connections, and express a preference for the former.  Ironically, Heartbleed – a flaw accidentally introduced by one of the many programmers contributing to open-source encryption software – might end up making the public more aware of the virtues of SSL, if the bug continues to generate news, and consumers grow more aware of what happens when they connect to a site that doesn’t use encryption.