On behalf of everyone working in technology and information security, I want to apologize. The world changed very quickly and some of our old, canned advice didn’t apply any more, and we as communicators did a poor job getting the word out. I want to take this opportunity to set the record straight and correct some misconceptions that have propagated into a era where they are both unhelpful and potentially harmful.
SSL is a suite of encryption protocols which help mask, obfuscate, and secure internet traffic. A good analogy for the internet is the US postal system, if everything you did and everything you typed was written on a postcard. The service will do everything in its power to make sure it gets to the destination intact, but anyone with the inclination and access can see what information is being sent. Whether this data is as innocuous as “I want to refresh my Facebook feed” or as potentially damaging as bank login credentials, unencrypted traffic is open for potentially all to see.
When I check my email, my computer has to send my password to the server so it can verify that I have permission to read the messages. Instead of sending my email password in “plain text” (i.e. unencrypted), my computer may send a seemingly random string like VTUjKDlZl8UabQeZhzllvW0aXTHfec to authenticate me. The server and my computer have agreed on a method of encryption which is unique to our connection; nobody else would be able to reverse-engineer my password from that string of seemingly random characters, but the server itself can. Similarly, nobody else would be able to send that same string and get access to my email—it’s keyed specifically for my computer’s connection.
Common wisdom used to be—and here’s where reality starts to diverge from history—that if a website was SSL encrypted, you could trust that the website was both legitimate and secure. Browsers would show small lock icons next to the URL so you knew you were safe. Back then, even just a few years ago, the process for setting up SSL encryption was cumbersome, long, and expensive. Major banks and other key websites had the resources to do this, but scammy or shady websites likely didn’t. The go-to advice from IT professionals was to only type in passwords, credit cards, or other sensitive information if you saw that little lock icon.
In the age of Big Data, where computers analyze almost every action every user takes online, in the effort to track, advertize, and ultimately profit off of everyone’s web habits, as well as the proliferation of network-sniffing tools into the general public, a large and growing movement has emerged to encrypt as much as possible online, to keep your activities and information away from prying eyes. Before I go any further, I should mention that I personally wholly support the idea of encrypting as much web traffic as possible—I don’t want companies and third-parties keeping tabs on my online activities, or having access to any more of my information than is already available.
The fantastic folks at the Electronic Frontier Foundation, who fight for online equality and privacy, created an initiative they called Let’s Encrypt. Their idea was simple in concept, though it took a lot of smart people and a lot of money to make it happen. They wanted to protect online users from governmental, corporate, and private overreach by making SSL not only the standard for banks and name-brand entities, but for every website. Without going into their full history, they’ve essentially made getting an SSL certificate for a website or online application free and easy. Their efforts have been so successful that even the major web browser vendors (Microsoft, Google, and Mozilla), now all display a warning if you visit a website that isn’t secured by SSL.
While this proliferation of encryption has been a major win for privacy advocates, it also lead to a unique situation where now even the “bad guys” can have websites that show the lock icon—in but a few minutes they can spin up a fraudulent website to trick people into entering their credentials, and have it show all the hallmarks of encryption and security that the original site does.
Instead of an SSL certificate/encryption being the hallmark of a trusted site, it became the de facto standard across the web. Sure, people other than those with whom you were communicating would be unable to decipher your messages, but that security was no longer a reasonable method of judging whether or not the website itself was trustworthy.
Last year I was invited to give an internet security presentation to a group of area business owners, investors, and financial professionals. One key section of my talk covered this very topic—the realistic strengths and weaknesses of relying on SSL encryption. The big takeaway from my talk was that while encryption makes sure nobody else is seeing your information, it doesn’t say anything about those with whom you directly communicate.
I often use the idea of home security as a metaphor when talking about computer security. Largely it doesn’t matter how much money or time you have spent on the latest and greatest security system—if you hold the door open for bad actors, they have full access to do as they please. Modern web browsers do a passing job at warning users if they’re visiting dodgy websites trying to emulate genuine online resources, but they can’t update quickly enough to catch them all; the best defense you have is your own cognition.
It may be easy to correctly type a website address you want to visit, but when clicking links—especially in email—malicious actors have become very tricky in hiding their true origins. If you wanted to visit the fictional sausage company “Velocity Bacon,” would you realistically notice a difference between velocitybacon.com and ve1ocityЬacon.com when scanning over a link in your email? For those who caught the letter switch, would it surprise you to learn that I replaced two characters in the second example? Being vigilant online is a difficult task, even for seasoned professionals.
This post isn’t about solving the idea of online trust, or even exploring the conflict between privacy and open access to information. These topics are far larger than I could write about, and I am hardly an expert in the myriad of related and associated philosophical and technological issues which surround them.
If nothing else, what I hoped to convey with this entry was the knowledge that old advice doesn’t always translate well to a modern and changing technological landscape. Please heed the warnings given by your web browser when it says a website you’re visiting is unsecure, but also realize that the stated “security” does almost nothing to verify the identity of those running the website in question.
The best defense against online threats is skepticism; a healthy understanding that not everything you see is as it appears, and that there are many more moving parts under the surface than are shown. Hopefully this post won’t cause a panic when it comes to your online habits, but rather helps inform more secure, privacy-oriented browsing.
Header image from the 1997 film “I Dream of Mimi,” and I use the term ‘film’ very loosely. From what I’ve heard it’s not something anyone should watch, even if this particular visual was interesting for use as a blog cover image.