A case for opportunistic encryption on the web
Ivan Ristic, director of engineering, Qualys
When, in 2010, I scanned about 90 million websites (all .com, .net, and .org domain names that existed at that time) in order to determine their support for encrypted communication, I was dismayed to discover that only about 0.5 percent had the means to protect their data in transit. The vast majority made no attempt to encrypt anything. Looking at only the top one million websites, the situation is better, but—with only about 10 percent of those sites supporting encryption—not significantly better.
Websites fall roughly into three groups. In the first group are those who care about security and have the knowledge and the means to pursue it. The second group consists of those who might be aware of the importance of security and encryption, but have only limited time to spend on them. Finally, in the third group are those who do not care about security or are not aware of the security issues; as a result, they use no encryption whatsoever.
Given that our security technologies are still rapidly evolving, most of the effort is still being spent on helping the people in the first two groups. And we're getting better at it, too. Nearly 20 years after the first public version of SSL—the protocol that secures most of the internet—we are finally getting close to getting the encryption right.
But, important as that work is, no progress is being made on helping the third and largest group, those who do not use encryption at all. Given that those websites do not spend any effort to secure themselves, what can we do to help them?
There are two main types of attack against communication: active attacks and passive attacks. Active, or man-in-the-middle (MITM), attacks typically require a lot of effort and specialised tools. They are demanding because breaking or bypassing encryption is difficult. Against properly secured sites, MITM attacks are very difficult to carry out, and they are impossible to execute at scale without anyone noticing. Equally, defending against MITM attacks is difficult; it requires awareness, skill, and resources. Most sites don't have all three, which explains our current situation.
In view of this, it seems that there isn't a magic bullet that would enable us to defeat active attacks across the board. But, as it turns out, active attacks are not necessarily what we should be worried about most. Because active attacks require a lot of effort to execute, they are hard to justify, can be used only against a small number of targets, and, as a result, don't happen that often when you look at the world as a whole. Passive attacks are where the fun is.
“Passive attacks” is just another name for recording unencrypted data and keeping it for a very long time, until it is needed. Such attacks are very easy to carry out and only require access to the underlying communication channel. Being on the same Wi-Fi network as the victim is sufficient, but most attacks are far more ambitious. We now know that passive attacks are carried out on a massive scale, whereby all internet traffic is recorded at key data exchange points, and stored in a form that enables automated analysis and correlation.
Fortunately for us, what makes passive attacks easy to execute also makes them easy to defeat: we just need to encrypt the communication. The concept is known as opportunistic encryption, and is rather simple: the idea is that any encryption is always better than no encryption. This approach is not sophisticated enough to defeat a determined targeted attacker, but it is good enough to defeat passive attacks. After all, most communications are not being actively intercepted, which means that opportunistic encryption provides sufficient protection.
The best aspect of opportunistic encryption is that it can be built into our infrastructure and deployed transparently for everyone. Those who need higher guarantees would still need to make the effort to secure their systems, but everyone else gets to be protected from passive attacks with no work at all.
We already have all the required technologies to start deploying opportunistic encryption tomorrow. What remains is that final step where the web browser and server vendors agree to use it. If we manage to do this, then after a few short years of waiting for the new technology to spread, we will have arrived at a much safer web, and one that is robustly safe from mass surveillance.