A sense of false security
Mar 2nd 2011, 15:10 by G.F. | SEATTLE
HTTPS is the secured or encrypted form of HTTP (Hypertext Transfer Protocol), a communications language that directs the way in which web browsers and web servers interact to request and retrieve pages, images and other files. HTTPS layers encryption on top of plain HTTP using SSL/TLS (Secure Sockets Layer/Transport Layer Security). These are the old and current names for web-page securing technology that dates back to the world wide web's juvenile days, not long after Netscape alerted the masses to its existence.
Websites that offer SSL/TLS security allow connections via a URL that starts with "https" in the location field or link. First, the browser silently requests security credentials that the server provides. Next, it validates this information independently using either its own built-in data or those included in the operating system. If it passes muster, the browser and server exchange an encryption key, unique to each session, which is then used to guard the data that passes between them. Any whiff of interception or rerouting is enough to alert the user. Because of the way browsers and operating systems validate SSL/TLS certificates, an interloping party (the so-called "man in the middle") cannot pretend to be a secured server (to a browser) or a secured browser (to a server) without provoking such warnings.
Flaws in earlier versions of SSL/TLS were patched up years ago and it is generally regarded as foolproof—and vital. The risk of not using it was readily demonstrated in the early stages of Tunisia's recent upheaval. The government allegedly intercepted connections between citizens and the unencrypted version of Facebook's local site, as Alexis Madrigal explained on January 24th in the Atlantic. The government could then intercept traffic by pretending to be Facebook; users, unaware, would blithely bung in their credentials, handing over access to their account and their entire social network. (To its credit, Facebook decided to flip on SSL/TLS for all of Tunisia and, later, made it available as an account preference worldwide. The internet company has offered HTTPS for some time but users outside Tunisia still have to opt in.)
Mr Schumer's statement, and a letter he has sent to large web site operators, comes a decade after free software appeared that made it trivial for the mildly knowledgeable to intercept any data over an open Wi-Fi network, like nearly all of those in cafés or at airports. (Office and home networks protected with some form of password are a different matter.) While corporations typically require employees to use encrypted connections known as a VPN (virtual private network), ordinary users have, by and large, remained oblivious. This lack of concern may stem from the near-univeral use of HTTPS by banking, investment and e-commerce sites to protect logins, transactions and credit-card data. The lock icon which pops up in browsers for such sites may have lulled less tech-savvy types into complacency. But the massive growth in the use of web apps for email and social-networking sites exposed information identity thieves and other scammers relish.
source
0 comments:
Post a Comment