The Electronic Frontier Foundation (EFF) has recently taken the wraps off of a bold new project, “Let’s Encrypt”, which aims to help administrators move their web servers over to HTTPS as quickly and as easily as possible. What today takes even an accomplished administrator the better part of an hour to configure could soon be reduced to a single automated command, to say nothing of the fact that the EFF intends to provide the encryption certificates for free.
But the technology is only half the battle; even when the logistical hurdles for deploying HTTPS have been removed, the industry and public need to understand the importance of blanket Internet encryption. HTTPS can’t simply be reserved for email and login forms, as even seemingly innocuous data transmitted in clear text can be disastrous from a security and privacy standpoint.
Clear Text Risk
HTTP was designed for a much simpler, and safer, Internet; everything the user’s browser sends and receives when viewing an HTTP website is sent in the clear. It’s trivial to capture, analyze, and even manipulate this data to all sorts of nefarious ends. While a user may think he is safe because his email or banking website is using SSL encryption, there is just as large a risk from the myriad of sites, services, and apps that are still communicating to the outside world in the clear.
Pwnie Express demonstrated this fact to staggering effect over the summer with the role they played in NPR’s “Project Eavesdrop”, where technology correspondent Steve Henn willingly allowed a Pwn Plug to be installed on his own network for the express purpose of monitoring his unencrypted communication with the outside world. With his emails and phone calls safe from monitoring, the goal of the experiment was to simulate just what kind of information could be collected with the type of passive monitoring the NSA performs.
The experiment clearly showed just how much information can be gleaned by simply watching a victim’s online activity. While it would certainly be faster to find out what a person is doing by directly reading their emails, it can often be just as effective to examine the lower-hanging fruit that isn’t generally secured. By capturing and correlating search terms, file transfers, URLs, and all the other ephemera that make up a person’s day-to-day Internet usage, an attacker can piece together a very accurate image of what their target is up to, online and off.
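To make concrete what sits in the clear in a single unencrypted request, the following added example (not part of the original article) parses one constructed HTTP request and lists the fields any on-path observer can read, next to what stays readable when the same request travels over HTTPS. The sample request, the example.com hosts, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: one cleartext HTTP request as it appears on the wire.
SAMPLE_REQUEST = (
    b"GET /search?q=knee+surgery+recovery&lang=en HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0 (Linux x86_64)\r\n"
    b"Referer: http://forum.example.org/thread/42\r\n"
    b"Cookie: session=abc123; region=us-east\r\n"
    b"\r\n"
)


def cleartext_exposure(raw: bytes) -> dict:
    """List what an on-path observer reads from one plain HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    raw_cookies = headers.get("cookie", "").split(";")
    cookies = dict(p.strip().split("=", 1) for p in raw_cookies if "=" in p)
    return {
        "method": method,
        "host": headers.get("host"),
        "path": url.path,
        "query": parse_qs(url.query),  # search terms, decoded
        "referer": headers.get("referer"),  # the page visited just before
        "user_agent": headers.get("user-agent"),
        "cookie_names": sorted(cookies),
        "body_bytes": len(body),
    }


def exposure_over_tls(exposure: dict) -> dict:
    """Same request over HTTPS: of these fields, only the hostname stays
    readable on the wire (via DNS and the TLS SNI field)."""
    return {"host": exposure["host"]}


if __name__ == "__main__":
    seen = cleartext_exposure(SAMPLE_REQUEST)
    for field, value in seen.items():
        print(f"{field:13} {value}")
    print("over HTTPS:", exposure_over_tls(seen))
```

Even this one search request carries the query text, the previously visited page, and a stable session cookie that ties separate requests to the same user, none of which involves email or a login form.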
The possibilities of active data manipulation are even more troubling. A sufficiently powerful device can modify the source code of the web pages that victims connect to in real time. The content of web pages can be changed on the fly, allowing for censorship and the spread of misinformation that would be essentially undetectable for the average user. Malicious code and scripts could also be invisibly inserted, leveraging browser vulnerabilities and turning what the user assumed to be a reliable website into an attack vector.
With so many clear problems with using HTTP on the modern Internet, why are the majority of sites still running without encryption? As with many other problems in IT, it boils down to complexity and cost.
Properly deploying SSL on a web server currently involves an intimidating number of steps and arcane commands, many of which likely won’t be fully understood by the operator. This is a recipe for mistakes, and is just as likely to lead to misconfigured sites and frustration as it is to success.
If the complexity of the setup didn’t put them off, the cost surely will. Purchasing an SSL certificate from a known Certificate Authority (CA) can cost upwards of $100 for just a single site, putting it outside the means of many individuals or small IT departments.
It’s easy to see then how administrators of sites which aren’t traditionally encrypted (i.e. any site that doesn’t have user accounts) could see setting up SSL as a waste of time and money. Rather than suffer through the current process of encrypting their web server, many administrators will simply decide it isn’t worth their time unless they are forced to.
The EFF’s “Let’s Encrypt” aims to fix both of these problems simultaneously.
A client-side tool, letsencrypt.py, automates the entire setup; the user simply needs to run the command and select the site they wish to encrypt from the menu. The tool can also be run without the user interface, for more advanced or bulk operations.
While the automated tool is nice, the big news here is that the EFF will be helping to issue these certificates to anyone who wants one, for free. These certificates will be provided by a new non-profit organization called the Internet Security Research Group, which the EFF has formed with the likes of Mozilla, Cisco, Akamai, and IdenTrust.
However, the project isn’t without its detractors. Some claim that leaving the complex process of properly configuring SSL up to an automated wizard is just as damaging as having users copy and paste commands from an online tutorial; in both cases, the user doesn’t really understand the process. With the source code for their software currently available on GitHub, and 6 to 8 months before launch, there is ample time for the industry to weigh in on the EFF’s software and method.
If it turns out as the EFF promises, “Let’s Encrypt” could be the first step towards moving to the more secure Internet that the litany of recent security and privacy revelations has shown that we desperately need.