From Computer Tyme Support Wiki
Why HTTPS everywhere is a really really bad idea
HTTPS Everywhere sounds like a good idea, but as they say, the devil is in the details. The idea, supported primarily by the Electronic Frontier Foundation (https://eff.org) is to get all traffic on the internet to be encrypted. If everything is encrypted, as promoted, then no one can tap in and spy on your communication. This includes NSA spying and other government spying that is both illegal and immoral where third parties and government track you to create a digital profile of who you are that can be used against you, profile you, steal your passwords, invade your privacy, blackmail you, and round you up to put you and your freinds and family in concentration camps. Imaging if you will what would have happened if Adolf Hitler had today's technology. There would be no Jews left hiding in attics!
And as we know from the revelation of Edward Snowden, my second favorite person in the world after Elon Musk, we know the government is actually doing a lot of the things that the EFF is paranoid about. Snowden confirmed what all paranoid schizophrenics new was true all along, the government(s) is spying on them. The nightmare, as it turns out, is actually real.
So on it's face it would seem as if making it harder for these problems to occur would be a great idea. And - quite frankly, if it were done right it would be a great idea that I would support. However, the way it is being implemented through "Let's Encrypt" (https://letsencrypt.org) and Google strong arming the public to force everyone into it. By doing it wrong EFF's good intentions are actually making the problem worse. Forcing encryption on everyone, as it is being implemented, creates more problems than it solves and will inhibit freedom and privacy, not enhance it. Rather than making it harder for the NSA to track you, it makes it easier. Rather than enhancing free speech, it inhibits free speech, and rather that making the internet safer from criminals, it actually reduces internet security making it easier for the bad guys to take advantage of you.
As someone who used to work for EFF as their first full time system administrator you would think I would be on EFF's side on this. And over the years there have been a number of issues EFF has got wrong. But this is a very serious issue that will negatively affect the entire internet and have a huge negative impact on EFF if they are successful in what they are trying to do. EFF sometimes has a habit of latching onto an idea like a bulldog without carefully thinking things through and is sometimes cult like in their opinion in spite of evidence that their position fails to make objective sense. I still support EFF as no organization is perfect and they get it right most of the time. But this time is not one of them.
Encryption / Authentication - Understanding the Basics
HTTPS has 2 separate function, not one, that are artificially bound together into the HTTPS standards. These 2 functions are:
- Encryption - making the data unreadable to 3rd parties
- Authentication - making sure that the website you connect to is actually the real web site.
And it is because of the binding together of there to unrelated functions that cause the problem. If these two protocols were unbundled, where you could have encryption without authentication, then my objections to encrypting everything goes away. The encrypting side is the easy part, the authenticating side is the part that is hard and expensive and causes all the problems. All this could be easily solved by allowing encryption without authentication. But modern browsers do not allow self signed certificates without dire warnings that would scare the average person to back away immediately. If they changed that it would solve the issues that I'm about to describe.
How Encryption Works
The actual process is long and complicated so I'm going to limit my explanation to the simple stuff you need to know. Encryption relies on a pair of keys, both keys are very large numbers. If you encrypt a message with one key you can only decrypt it with the other key. It doesn't matter which key you encrypt with as long as you use the other one to decrypt.
One of the keys is know as the public key, and the other is know as the private key. As the names imply, one key you make public, the other key you keep private. When someone wants to establish a secure connection with you they download your public key which is furnished by opening a connection. When you get the public key you can then encrypt a message that can only be read by the server which is usually a set of new keys to establish a secure connection. Because only the other end can read it you then have the keys to establish a secure connection that no person in the middle can break into.
The encryption used in HTTPS is pretty good. It isn't easily broken. One of the main vulnerabilities is what's called a "man in the middle" attack. The attack isn't generally easy to do and usually requires hardware access to be in the middle of that connection which very few people have. However, when I used to fly more often I used to provide a free wifi access point using my cell phone to allow other travelers around me to access the internet without paying high fees. But if a were nefarious and evil I could create a fake certificate pretending to be their bank and steal their passwords. And I would need a fake cert for every domain I wanted to steal. Someone smarter than me could accomplish this.
To make sure this doesn't happen we use authentication so that only the real certificate works. the real certificate is varified by the certificate authority issuing the certificate as real so if you are connecting to your bank, you can be (somewhat) confident there's no one in the middle stealing your information.
There are other ways you're vulnerable. You could have someone looking over your shoulder when typing your username and password. You could have spyware on your computer that is logging your keystrokes and grabbing the display text on your web pages. Or the site you are logging into has been hacked. Remember Equifax? It was an encrypted site. And while your data was being stolen it was sent to the hackers over an encrypted connection.
How Authentication Works
Authentication is the other leg of the HTTPS security protocol. Authentication helps ensure that when you connect to a site using HTTPS that it is really the site you are connected to. Using certificates and certificate chains your web browser (is supposed to) verify that you are actually connected to the web site you think you are connecting to. This makes it much harder for someone to impersonate your bank to steal your passwords. A detailed explanation of this process is complicated so I will try to make the important concepts as easy as possible.
When you connect through HTTPS it established an encrypted connection. It sends the sites certificate which was generated in unison with your certificate authority who validates your certificate. The web server not only sends your certificate, but also the chain of certificates leading back to the root certificates which are highly trusted certs that came with your browser. Using these certificates one can verify that the cert is authentic and can be trusted. You then see the green padlock and all is good.
The down side of Authentication
There is one step however that exposes your privacy. In order to fully verify the cert the web browser has to check to see if your certificate has been revoked. To check if the cert was revoked your browser has to ask the certificate authority through a "revocation request" if the cert is still valid. The reason for this is, if I'm running a web site and my private keys make it into the wild, hacker or government can decrypt your connection and steal your data. So if I'm a bank and I fire the head admin, I might want to change my keys by revoking my cert and getting a new one.
Sounds simple but the process slows down browser performance a lot. Many commercial sites include content, usually advertising content, from many other websites. So when you go to localnewspaper.com, for example, you might see content from Walgreens, Safeway, Amazon, Verizon, etc. All these sites require a separate encrypted and separate verification and revocation request. Thus your visit might involve 50 separate connections to display the web page. Ever notice all those slow ads popping up, that's why.
The problem is, as everyone goes to HTTPS then all websites are slow. Some browsers therefore cheat on the rules and they skip the revocation check in the interest of speed and the expense of security. Gibson Research has set up a test page to identify browsers who cheat. Click on https://revoked.grc.com to test your browser. If you see the page, your browser is insecure.
The problem with skipping revocation checking is that, for example, if if I'm a bank and the keys were stolen and someone is impersonating my bank, if you are running Google's Chrome browser, you would never know you were on the fake site. So in order to get performance in your Chrome browser experience, security has been eliminated.
Certificates are expensive and difficult to maintain. Installing certs is a hassle and certificates expire and have to be replaced on a regular basis. Unlike HTTP which you can set up knowing 20 years later everything is going to just keep working, HTTPS requires both effort and money to keep going. If you get it set up it will die on it's own if you don't maintain it.
But - EFF and other like minded organizations have created an organization called "Let's Encrypt" to make HTTPS easier. But is it a solution or just to get you addicted and draw you in?
Privacy Exposure of Authentication
Another problem with certificates is the privacy exposure of checking certificate revocation. If your certificate is verified, for example, by Let's Encrypt, then every revocation request goes to one server that responds to revocation requests. If someone like the NSA were to intercept these requests, which are not encrypted, then the NSA could track the activity of every site verified through Let's Encrypt. That means the NSA doesn't have to wiretap 100 million sites. All the have to do it tap Let's Encrypt and it's one stop shopping for the NSA. They just made the job of the NSA millions of times easier.
Granted that the NSA doesn't see the content, but if you go to some site like free-child-porn.online the NSA has a pretty good idea what you're doing there.
Let's Encrypt - making HTTPS free and easy
Let's Encrypt is a non-profit org created by EFF and friends to help solve the problems of making certificates easy and free. The supply not only free certs but provides scripts to install and configure certs easily. Certificates however are only good for 90 days and have to be replaced before the 90 days runs out. But the renewal scripts are also automated so, in theroy you should be able to set it up and forget about it, making it almost as easy as HTTP. Let's Encrypt claim is to have issued over 100 million certificates.
Making it free and easy is a critical argument in EFF's and Google's war to force the internet to encrypt everything. Google, for example is downgrading your search visibility if you refuse to convert. But they say that converting is easy and that takes the sting out of it. But is that really true?
The down side of Let's Encrypt
There's a major problem with Let's Encrypt in that it's not a real business with real employees and a staff with tech support. All their verification is done using algorithms and scripts and they will give certificates away to anyone, and all for free. For example, if I get the domain name wellsfarg0.com, which looks like I'm Wells Fargo Bank, Let's encrypt will issue me a certificate for it and users who go to the fraudulent site will get a green light in their chrome browser. And even if someone points it out that this is a fraud site, they can revoke the cert, but if you used the Chrome browser you will never know because it doesn't use revocation checks.
There is a down side to being free. Because it used to have cost criminals wouldn't bother to get certificates. But now that it's free every criminal site now has a valid cert and the browser give it the green light and users trust it because the browser is giving it the seal of approval. Because of this the original function of certificates has been compromised and the security of the internet has been diminished.
Will Let's Encrypt always be there and be free?
So, let's say I convert all my web sites to HTTPS and I'm using their scripts to maintain my web sites and one day I get an email saying the changes have been made. Perhaps people stop donating and they can't afford to operate? Perhaps they fail security standard and are decertified. Perhaps they get hacked and all their information is stolen. What do all these 100 million web sites do then?
There's explicitly no guarantee that this service will give you free certificates forever. And once you go HTTPS, there's no easy path back to HTTP. In order to even redirect back to your old setup you need a valid certificate to redirect. All these people who thought they were going to get free certs forever are totally screwed and will have to start buying certs and might not have the nice scripts that maintain it automatically.
Call me paranoid but when some organization offers me free service forever I don't tend to rely on that. I can't be in a position where keeping my web sites online depends on a shell organization that might not be there tomorrow.
Let's Encrypt is a Fake Organization
Normally a certificate authority is a real business that has round the clock staff, a support line, employees, and a phone number. If you got to their web site's contact page there's no phone number. There's no support email. There's no employee list. All there is is a community support page where EFF staff answer question in a discussion forum. Let's Encrypt is just a front organization for EFF and a small group of like minded hackers who are employed elsewhere and do it on the side. My opinion is that the rest of the certificate community will likely pull their certification at some date and all those millions of web are going to have to go buy millions of certificates from a real certificate authority and that's going to be expensive and a lot of good free speech web sites are going to come down due to the cost and maintenance burden.
NSA and Government Tracking
The intent behind HTTPS everywhere is in part to thwart NSA spying. And let's not kid ourselves, NSA tracking is unconstitutional, illegal, and immoral. EFF has played a major role in protecting our online liberties in this matter. Sometimes when I see Snowden I notice that the back of his lap top has an EFF sticker.
But - although well intentioned - does HTTPS solve the problem? No - it makes it worse.
Although HTTPS makes it harder to read the content of your communication, it doesn't mask what web sites you are going to. So if you're married and trying to hook up on AsleyMadison.com the NSA doesn't know what woman you are hooking up with, but they do know you're cheating on your wife. And - using revocation requests tracking EFF has actually make it much easier for them to track your connections.
Now you need more permissions to stay on the web
With HTTP all you need to do is register a domain name to have your own site online. ICANN is an international organization and has been very good at staying out of the clutches of government controls. However, with HTTPS you need to get a certificate authority to issue you a cert. That makes 2 orgs that have to give you permission instead of one and now your domain activity it trackable through revocation requests. If Congress were to pass laws regulating who can get certificates or requiring extensive personal information they can prevent you from getting online the way you can now with just HTTP. Every step you are forced into doing creates another chokepoint to free speech and free expression.
Freedom of Choice
One thing I really object to is being forced and strong armed into doing things I choose not to do. I'm perfectly happy with my HTTP servers and I really resent EFF and Google trying to force me to participate in their cult like paranoia. My servers work fine. I've been online for 22 years now. I was online 3 years before Google. I choose not to encrypt and that my choice.
EFF is supposed to be about freedom. They are supposed to be protecting me from people who would force me to change against my will, They believe it's for a higher cause, but it really isn't. If it were I might go along with it but HTTP has advantages over HTTPS that I like and want to stick with. many of my sites are static and informational. If the NSA can read the traffic - so what. Everything is on the site in plain text anyhow so where's the secret? If the traffic were encrypted the NSA would still know who is connecting and would assume what they are reading is what's on the site to be read by anyone. And HTTP doesn't make NSA tracking easier like HPPS does by generating revocation request.
The bottom like is it's MY CHOICE! And EFF and Google doesn't have the right to take my choice away from me.
Do you need encryption?
Whether or not you need encryption depends on who you are and what you are doing. If you are a bank clearly the answer is yes. However, if you have a static web site with no forms, do you need encryption? No - you don't.
Let's say you have a static web site that tells people how to bake cookies. All the information is there for anyone to see. So if your connection is encrypted then anyone tracking knows you connected to the site and can infer you are reading about baking cookies. Even if there is a form on the site for you to subscribe to their newsletter and some 3rd party hacker captured your email address, so what? If you're accessing your bank then, yes definitely encrypt. But for an unimportant site, encryption make is slower and makes maintenance on the server side a hassle, a big hassle. Especially if the free cert goes away.
Is HTTPS secure? - Is HTTP insecure?
One myth I want to bust is that HTTPS has increased security. In fact HTTPS has reduced overall security. HTTPS adds encryption you sites that don't heed encryption and that doesn't increase security. Let's look at the facts.
There are 3 places where your information is vulnerable to attack, the server, your computer, and the connection between your computer and the server. HTTPS only provides encryption between your device and the web site but does nothing for either your device or the web server you are connected to. The connection is actually the hardest part to intercept even without encryption. Generally you have to have access to the internet infrastructure to tap communications even if it's not encrypted. But all you need is spyware to tap the communication on a device. And the spyware works if you are encrypted or not.
But the best place to steal your data if if a hacker steals your information directly from the server side where your data is stored. Remember Equifax, the company that stores all your credit data? Encrypted didn't help them. In fact the people who hacked them did it over an HTTPS connection.
Let's Encrypt Actually Reduces Security
You would think that the internet is more secure because of Let's Encrypt, and you would be wrong. Surprisingly Let's Encrypt makes the net less secure.
Before Let's Encrypt certificate were expensive and required work to maintain. Now it free and somewhat easy. And - I do want to thank Let's Encrypt for making it easier part. But in making it free the make it easy for phishing sites to go HTTPS and the consumer, who doesn't know much about how the web works, gets the green padlock and assumes all is good. The then type their username and password into wellsfarg0.com and 5 minutes later all their money is gone. All thanks to Let's Encrypt.
EFF and Google, who is the major funder of Let's Encrypt, have been very successful claiming millions of web sites, have slowed the internet down because HTTPS is slower and more complex than HTTP. In order to compensate for the slowness browsers like Google Chrome no longer to certificate revocation to make sure the cert is still valid. So because of Let's Encrypt you can't really trust that the green padlock on the site can be relied on. So if Wells Fargo bank revokes their cert due to a security breach you would never know it using the Google Chrome browser. In fact if that ever happened Google would be partially liable for damages giving a green light to a revoked certificate.
So a green indicator in your browser no longer means you are on a safe site. It really means nothing at all. Between Google and EFF they are making security that has worked in the past useless.
And although HTTPS creates the illusion that the government can't spy on the data on the internet, through certificate revocation request it makes it far easier, not harder, to track what sites you are going to, which is the exact opposite of what you think you are getting. HTTPS reduces privacy.
The Culture of Paranoia
In many ways the EFF/hacker community is similar to the National Rifle Association (NRA) in the one component is a culture of paranoia. Not that a lot of that paranoia if fully justified because the government is actually trying to spy on you.
The NRA envisions a world where the government is going to take your guns and then turn Nazi and people won't be ably to overthrow the government to take America back for freedom. And it creates an inflated sense of importance to carry a gun. (Is that a gun in your pocket, Big Boy, or are you just glad to see me? It's a gun in my pocket.) Why shouldn't a law abiding citizen be able to buy a nuke to protect themselves? It's cultural where like minded people get their us vs. them experience.
EFF is much closer to reality than the NRA. They do a lot of things that actually do protect our freedom from real government treats that are actually occurring. They were 7 years ahead of Snowden suing the NSA over spying. So I'm not going to beat up on them too badly here.
There are 3 areas where EFF/the hacker culture is totally clueless.
1. They have absolutely no concept the intellectual property has any value.
2. The concept that law enforcement has a role on the internet is mostly ignored. That crime is the price you pay for freedom. Their TOR project is the backbone for the ransomeware industry as well as an incredible amount of serious online crime, but the value of privacy is more important to the extent that they don't care about criminal issues at all.
3. Sometimes EFF doesn't think things through. The get fixated on a solution with almost a cult like attachment without fully exploring the consequences. In this case they have a very strong mental block on this. I remember discussing this with them back when I worked there and it was a bad idea then as it is now. I never expected them to be successful with it. But unfortunately, the have.
Hacker Culture Values
To some extent I can identify with that culture. The spying that Snowden revealed is a prelude to to a modern day dictatorship where the government knows everything you say and everything you do. A world where AI figures put who you are and if it decides you are too free thinking that it executes you by activating a death chip in your brain. What Snowden revealed actually makes that plausible.
I have personally been kidnapped by law enforcement 3 times. Not arrested - kidnapped. But there are good cops and bad cops and although law enforcement is far less than perfect they keep us safe. The police are not our enemy. The hacker community is excessively against law enforcement and sees aiding criminals as a measure of expanding personal freedom. TOR, for example, is 99% criminal traffic with a small amount of protecting the good guys from government persecution. There are steps TOR could do to reduce crime without compromising the freedom mission, like shutting down ransomware sites. But they are oblivious to that. TOR doesn't care about crime at all, and that's wrong.
In the case of HTTPS the hacker community has a shared fantasy that they are getting even with the NSA for what Snowden revealed. They imagine that the NSA can't track what you're doing if everyone uses HTTPS. In actuality, they are making it easier for the NSA to track you using revocation requests but that's a reality they choose to somewhat ignore. Except that browsers are now trending to skip the certificate revocation checks to increase browser response and to plug this obvious privacy hole, but at the expense of good verification that the web site's keys haven't been stolen. In the hacker world security and safety of the public mean nothing, where fighting NSA spying mean everything.
Google as Internet Bully
Google has traditionally been the good guy. But now Google is the internet bully. EFF and Google are trying to force the end of HTTP protocol and force everyone into encryption through force and bullying. If you don't do what EFF and Google says Google will degrade the search results for your web site. And they are going to start falsely labeling web sites insecure which use HTTP in order to scare people away from going to your web site. What Google and EFF are doing is illegal and I'm contemplating suing them over this to get an injunction to stop them.
Traditionally the Internet Engineering Task Force (IETF) sets the internet protocol specification to create communication standards for the world so that everyone can use those standards to be compatible. But Google and EFF have usurped the powers of the IETF and are trying to force a new standard to conform to their delusional view of reality.
EFF exceeding the scope of their mandate
EFF is really going down the wrong rabbit hole on trying to force the world to follow their paranoid fantasy by partnering with Google and push HTTP off the web. EFF is supposed to be about freedom and free speech but in this case EFF is putting a technological burden of freedom and free expression. EFF believes that through Let's Encrypt that they have eliminated that burden, but that's just dead wrong. And if you believe it then you also have to believe that Let's Encrypt will be around forever and that it will always give away free certificates and make it easy. Believing that takes a lot of faith and I'm not a man of faith.
This problem can be easily solved
There actually is an incredibly easy solution to all of this that will make all these problems go away. All they have to do is uncouple encryption from authentication. If these weren't tied together then you would be able to generate a self signed certificate and you would have your encryption but without the hard part of verifying that your site is real. While phishers are likely to spoof Bank of America, they aren't likely to spoof CuteKittensAndBunnies.com. Most sites aren't emportant enough to spoof. So you can have your encryption fantasy experience without and burden.
And - if they added some easy tricks like a DNS hash for verification or perhaps a block chain they might get some reasonable authentication. But people who really do need good authentication can go get the real thing and provide secure services to the world without their security being downgraded by people who don't really need it.
What would we need to do to make self signed certificates happen? Just a change in browser policy. The self signed site would get the green light like an authorized site, it would be black like an HTTP site with maybe an encrypted listing. And there would be no revocation check for the NSA to track. Self signed certs used to work just fine but browser policy changed to reject them. However a DNS fingerprint check could prevent spoofing so that a self signed fake site can't impersonate a real site with a signed cert.
This solution is easy, it accomplishes the EFF's goals, and it doesn't ruin the internet and get EFF in trouble for creating a fake certificate authority.
Google and EFF are creating a real mess on the internet. This is a serious disaster and is likely to get both organization sued for forcing the structure of the internet to change over their shared paranoid fantasy. Let's Encrypt is going to eventually get decertified the first time they screw up and the world finding out they don't really have a staff and can't handle the real responsibilities of a certificate authority.
There is an easy solution which is to allow self signed certificates by changing browser policy to allow them but not give them the same green light status and a real certificate. That would allow those with a paranoid delusion to have encryption and privacy without the NSA tracking side effect.