Group items tagged

This was a great year for adoption of HTTPS encryption for secure connections to websites. HTTPS is an essential technology for security and privacy on the Web, and we've long been asking sites to turn it on to protect their users from spying (and from censorship and tampering with site content). This year, lots of factors came together to make it happen, including ongoing news about surveillance, advances in Web server capacity, nudges from industry, government, and Web browsers, and the Let's Encrypt certificate authority. By some measures, more than half of page loads in Firefox and in Chrome are now secured with HTTPS—the first time this has ever happened in the Web's history. That's right: for the first time ever, most pages viewed on the Web were encrypted! (As another year-in-review post will discuss, browsers are also experimenting with and rolling out stronger encryption technologies to better protect those connections.)

Sites large and small took turned on HTTPS in 2016, often using certificates from the Let's Encrypt certificate authority (sometimes with EFF's Certbot software, or a range of other options). In just a single year of broad public availability, Let's Encrypt has now helped enable secure connections for over 21 million websites, most of which never had certificates before.

A sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others. Sites they host, and visitors to those sites, can get a boost in security without having to do anything. (And we're getting ongoing benefits from providers like CloudFlare who made the switch in previous years.) A single hosting provider's decision can result in enabling encryption for hundreds of thousands or millions of customers; we hope others will take the plunge too! U.S. government sites also made significant progress adopting HTTPS this year, responding to the administration's guidance in support of HTTPS—a clear and practical explanation of why secure connections should be the default. A caveat: data from Google shows that use of HTTPS varies significantly from country to country, remaining especially uncommon in Japan. We've also heard that it's still uncommon across much of East and Southeast Asia. Next year, we'll have to find ways to bridge those gaps.

Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of our Let's Encrypt agent software or watch a video of it in action here:

2014 in Review Series Net Neutrality Takes a Wild Ride 8 Stellar Surveillance Scoops Web Encryption Gets Stronger and More Widespread Big Patent Reform Wins in Court, Defeat (For Now) in Congress International Copyright Law More Time in the Spotlight for NSLs The State of Free Expression Online What We Learned About NSA Spying in 2014—And What We're Fighting to Expose in 2015 "Fair Use Is Working!" Email Encryption Grew Tremendously, but Still Needs Work Spies Vs. Spied, Worldwide The Fight in Congress to End the NSA's Mass Spying Open Access Movement Broadens, Moves Forward Stingrays Go Mainstream Three Vulnerabilities That Rocked the Online Security World Mobile Privacy and Security Takes Two Steps Forward, One Step Back It Was a Pivotal Year in TPP Activism but the Biggest Fight Is Still to Come The Government Spent a Lot of Time in Court Defending NSA Spying Last Year Let's Encrypt (the Entire Web)

Does the NSA really operate a vast database that allows its analysts to sift through millions of records showing nearly everything a user does on the Internet, as was recently reported? Yes, and people should stop worrying and learn to love it, according former NSA chief Gen. Michael Hayden. Last week, the Guardian published a series of leaked documents revealing new details about an NSA surveillance program called XKEYSCORE. The newspaper said that the program enabled the agency to “search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals,” and secret slides dated 2008 showed how people could be deemed a target for searching the Web for “suspicious stuff” or by using encryption. Following the disclosures, Hayden appeared on CNN to discuss the agency’s surveillance programs. The general, who directed the NSA from 1999 through 2005, was remarkably candid in his responses to Erin Burnett’s questions about the Guardian’s XKEYSCORE report. Was there any truth to claims that the NSA is sifting through millions of browsing histories and able to collect virtually everything users do on the Internet? “Yeah,” Hayden said. “And it's really good news.”

Not only that, Hayden went further. He revealed that the XKEYSCORE was “a tool that's been developed over the years, and lord knows we were trying to develop similar tools when I was at the National Security Agency.” The XKEYSCORE system, Hayden said, allows analysts to enter a “straight-forward question” into a computer and sift through the “oceans of data” that have been collected as part of foreign intelligence gathering efforts. How this process works was illustrated in the Guardian’s report. Analysts can enter search terms to sift through data and select from a drop-down menu a target’s “foreignness factor,” which is intended to minimize the warrantless surveillance of Americans. However, operating a vast electronic dragnet such as this is far from an exact science, and the NSA’s system of sifting data from the backbone of international Internet networks likely sometimes involves gobbling up information on Americans’ communications and online activity—whether it is done wittingly or not. Indeed, the NSA reportedly only needs to have 51 percent certainty that it is targeting a foreigner. And as leaked secret rules for the surveillance have shown, even if the NSA does “inadvertently” gather Americans’ communications, it can hold on to them if they are deemed valuable for vague “foreign intelligence” purposes or if the communications show evidence of a crime that has occurred or may occur in the future.

In the CNN interview, Hayden described XKEYSCORE as “really quite an achievement” and said that it enabled NSA spies to find the needle in the haystack. But his ardent defense of the system is unlikely to reassure civil liberties advocates. Having Hayden’s support is a rather dubious stamp of approval, particularly because he was responsible for leading the NSA’s illegal warrantless wiretapping program, which was initiated post-9/11 and exposed by the New York Times in 2005. Hayden later went on to lead the CIA from 2006 through 2009, where he oversaw the use of the waterboarding torture technique and the operation of a controversial black-site prison program that was eventually dismantled by President Obama. The former NSA chief retired in 2009, but he has since become a regular media commentator, using a recent column at CNN to blast Snowden for leaking the secret NSA documents and implying that he’d like to see the Guardian journalist Glenn Greenwald prosecuted as a “co-conspirator” for his role reporting the surveillance scoops.