{"id":243258,"date":"2018-01-01T13:01:29","date_gmt":"2018-01-01T11:01:29","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=243258"},"modified":"2018-01-01T13:02:08","modified_gmt":"2018-01-01T11:02:08","slug":"tipping-the-scales-on-https","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/internet\/243258-tipping-the-scales-on-https.html","title":{"rendered":"Tipping the scales on HTTPS"},"content":{"rendered":"<p><em>By EFF Deeplinks Blog<\/em><\/p>\n<p dir=\"ltr\">The movement to\u00a0<a href=\"https:\/\/www.eff.org\/encrypt-the-web\">encrypt the web<\/a>\u00a0reached milestone after milestone in 2017. The web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser.<\/p>\n<p dir=\"ltr\">HTTP has serious problems that make it vulnerable to eavesdropping and content hijacking. By adding Transport Layer Security (or TLS, a prior version of which was known as Secure Sockets Layer or SSL) HTTPS fixes most of these problems. That\u2019s why EFF, and many like-minded supporters, have been pushing for web sites to adopt HTTPS by default.<\/p>\n<p dir=\"ltr\">In February, the scales tipped. For the first time, approximately\u00a0<a href=\"https:\/\/www.eff.org\/deeplinks\/2017\/02\/were-halfway-encrypting-entire-web\">half of Internet traffic was protected by HTTPS<\/a>. Now, as 2017 comes to a close, an average of\u00a0<a href=\"https:\/\/twitter.com\/letsencrypt\/status\/938091855941550080\">66% of page loads on Firefox are encrypted<\/a>, and Chrome shows\u00a0<a href=\"https:\/\/transparencyreport.google.com\/https\/overview\">even higher numbers<\/a>.<\/p>\n<p>At the beginning of the year, Let\u2019s Encrypt had issued about 28 million certificates. 
In June, it\u00a0<a href=\"https:\/\/www.eff.org\/deeplinks\/2017\/06\/lets-encrypt-has-issued-100-million-certificates\">surpassed 100 million certificates<\/a>. Now, Let\u2019s Encrypt\u2019s total issuance volume has exceeded\u00a0<a href=\"https:\/\/letsencrypt.org\/stats\/\">177 million certificates<\/a>. Certificate Authorities (CAs) like Let\u2019s Encrypt issue signed, digital certificates to website owners that help web users and their browsers independently verify the association between a particular HTTPS site and a cryptographic key. Let&#8217;s Encrypt stands out because it offers these certificates for free. And, with EFF\u2019s\u00a0<a href=\"https:\/\/certbot.eff.org\/\">Certbot<\/a>, they are easier than ever for web masters and website administrators to get.<\/p>\n<p dir=\"ltr\">Throughout the entire year, projects like\u00a0<a href=\"https:\/\/securethe.news\/sites\/\">Secure the News<\/a>\u00a0and\u00a0<a href=\"https:\/\/pulse.cio.gov\/\">Pulse<\/a>\u00a0have been tracking HTTPS adoption among news sites and government sites, respectively.<\/p>\n<p dir=\"ltr\">Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users \u201cNot secure\u201d warnings\u00a0when HTTP websites asked them to submit password or credit card information. In October, Chrome\u00a0<a href=\"https:\/\/www.wired.com\/story\/google-is-about-to-make-your-browser-more-paranoid\/\">expanded the warning<\/a>\u00a0to cover all input fields, as well as all pages viewed in Incognito mode.\u00a0Chrome has\u00a0<a href=\"https:\/\/www.wired.com\/story\/google-is-about-to-make-your-browser-more-paranoid\/\">eventual plans<\/a>\u00a0to show a \u201cNot secure\u201d warning for\u00a0<em>all<\/em>\u00a0HTTP pages.<\/p>\n<p dir=\"ltr\">One of the biggest CAs, Symantec, was threatened with removal of trust by Firefox and Chrome. 
Symantec had long been held up as an example of a CA that was \u201ctoo big to fail.\u201d Removing trust directly would break thousands of important websites overnight. However,\u00a0<a href=\"https:\/\/wiki.mozilla.org\/CA:Symantec_Issues\">browsers found many problems<\/a>\u00a0with Symantec\u2019s issuance practices, and the browsers collectively decided to\u00a0<a href=\"https:\/\/groups.google.com\/a\/chromium.org\/forum\/#!topic\/blink-dev\/eUAKwjihhBs%5B251-275%5D\">make the leap<\/a>, using a staged distrust mechanism that would minimize impact to websites and people using the Internet.<\/p>\n<p dir=\"ltr\">Symantec subsequently\u00a0<a href=\"https:\/\/blog.mozilla.org\/security\/2017\/10\/31\/statement-digicerts-proposed-purchase-symantec\/\">sold their CA business to fellow CA DigiCert<\/a>\u00a0for nearly a billion dollars, with the expectation that DigiCert\u2019s infrastructure and processes will issue certificates with fewer problems. Smaller CAs WoSign and StartCom were\u00a0<a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/07\/google-drops-the-boom-on-wosign-startcom-certs-for-good\/\">removed<\/a>\u00a0from trust by Chrome and Firefox last year.<\/p>\n<p dir=\"ltr\">The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD\u00a0<a href=\"https:\/\/home.dotgov.gov\/hsts-preloading\/\">announced that all new .gov domains would be set up with HSTS automatically<\/a>.<\/p>\n<p dir=\"ltr\">A related and more powerful setting,\u00a0<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Public_Key_Pinning\">HTTP Public Key Pinning<\/a> (HPKP), was\u00a0<a href=\"https:\/\/groups.google.com\/a\/chromium.org\/forum\/#!topic\/blink-dev\/he9tr7p3rZ8\">targeted for removal by Chrome<\/a>. 
The Chrome developers believe that HPKP is too hard for site owners to use correctly, and too risky when used incorrectly. We believe that HPKP was a powerful, if flawed, part of the HTTPS ecosystem, and would rather see it reformed than removed entirely.<\/p>\n<p dir=\"ltr\">The Certification Authority Authorization (CAA) standard\u00a0<a href=\"https:\/\/www.feistyduck.com\/bulletproof-tls-newsletter\/issue_32_caa_is_now_mandatory\">became mandatory for all CAs to implement<\/a>\u00a0this year. CAA allows site owners to specify in DNS which CAs are allowed to issue for their site, and may reduce misissuance events. Let&#8217;s Encrypt led the way on this by enforcing CAA from first launch, and EFF is glad to see this protection extended to the broader CAA ecosystem.<\/p>\n<p dir=\"ltr\">There\u2019s plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome\u00a0<a href=\"https:\/\/groups.google.com\/a\/chromium.org\/forum\/#!topic\/ct-policy\/sz_3W_xKBNY\">plans to require Certificate Transparency<\/a>\u00a0starting next April. 
As browsers and users alike pressure websites for ubiquitous HTTPS, and as the process of getting a certificate gets easier and more intuitive for web masters, we expect 2018 to be another banner year for HTTPS growth and improvement.<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/www.eff.org\/deeplinks\/2017\/12\/tipping-scales-https\" target=\"_blank\" rel=\"noopener\">EFF<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The movement to\u00a0encrypt the web\u00a0reached milestone after milestone in 2017.<\/p>\n","protected":false},"author":23,"featured_media":162888,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[35,21905],"class_list":["post-243258","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet","tag-headline","tag-https"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/243258"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=243258"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/243258\/revisions"}],"predecessor-version":[{"id":243260,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/243258\/revisions\/243260"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/162888"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/
media?parent=243258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=243258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=243258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}