How secure or vulnerable is the average internet user today compared to 10 years ago? Read the
headline news, you might think things are getting worse, but actually I wasn’t so sure. Of course, I didn’t “fix” the security, but I feel like it’s far off the list.
To confirm this, Chester Wisniewski analyzes the progress we’ve made to see if it makes a difference.
Chester Wisnievsky (pictured) is a senior scientist at Sophos, one of the leading next-gen security companies.
The World Wide Web today is very different from what Sir Tim Berners-Lee thought in 1990. In the beginning, the Web was free and open, but a little too open. There was no privacy or encryption to protect the information that passed between the many servers and routers that connect the world.
Netscape addressed this problem by introducing Secure Sockets Layer (SSL) encryption. It was then updated to the official specification, Transport Layer Security (TLS). Back then, TLS was designed to protect shopping carts, credit card information, and possibly login credentials and passwords.
Oddly enough, this incident continued until 2013, when NSA contractor Edward Snowden set out to let the world know how much information the United States was collecting online. world.
Yet in October 2013, a few months after the Snowden leak, only 27.5% of websites loaded by Mozilla Firefox were using some sort of encryption.
This has sparked the interest and efforts of those in the security industry to improve the security and privacy of Internet users across the world.
The idea is that the only way to fix this is to cost everything in a requirement, not later. This has spurred the adoption of new technologies and standards to ensure things are safe by default and to prevent things from being downgraded to old, dangerous ways.
However, new technologies and standards do not eliminate the risks. If someone can get involved in your network connection, they can just redirect you to scam sites to steal your personal information. This is called a man-in-the-middle (MitM) attack and is caused by providing a bogus Domain Name System (DNS) response, exploiting a malicious dual WiFi access point or by a direct attack from an ISP (Internet service provider). , government, law enforcement, etc. Organizations can also intercept TLS traffic by inspecting protected traffic with medium boxes.
Even if the site you are visiting uses HTTPS, the web browser usually tries HTTP first, so it listens for insecure HyperText Transfer Protocol (HTTP) and makes the user a secure site. You need to redirect.
To require the browser to make the first connection via HTTPS, Google introduced a new HTTP header, HSTS (HTTP Strict Transport Security) in 2012. This HTTP header allows the website administrator to load the website. only over HTTPS, and the browser connects over HTTP over port 80 the first time the browser visits the site before accepting the HSTS header. You can tell them not to try. This is called SSL stripping. This is the type of MitM attack that HSTS is primarily intended to treat.
To resolve this problem, HSTS has been extended to include a “preload” option.
In late 2013, Google warned users when they visited unsafe websites to encourage all websites to use TLS encryption, placing unencrypted websites at the bottom of search results. Advertised to be placed.
Based on Google and guidance from the entire security community, we’ve doubled the number of websites supporting secure connections in just three years. According to Google statistics, websites visited by Chrome users in most countries are 95% encrypted. The latest initiative from browser vendors to force us into an always-encrypted world began in November 2020 when Mozilla introduced the HTTPS-only option in Firefox. When enabled, this feature will attempt to secure all connections over HTTPS and will use a warning if HTTPS is not available. Chrome then added a similar option and enabled it by default in April 2021.
This is a fantastic advancement, but aside from the high encryption rates, are people deploying technologies like HSTS and being used enough to help protect users on untrusted networks?
At the end of the line
The web has never been so secure.
With 95 percent of web pages encrypted and those generally not presenting much risk, this is great news, especially during the busy seasons of online shopping.
Gradually, the security community worked together to improve standards, put pressure on latecomers and reduce the costs of secure communication on the Internet. Given the magnitude of the problems it has faced in the past, the progress made so far is impressive.
But the job is not yet done. Only 31.6% of sites use HSTS, indicating that even free features that greatly improve security are not as prevalent as they should be.
Application layer protection has a significant impact on users and security. There is always a risk that the network provider we use will spy on us, sell to ad networks, or be exposed to cybercriminals.
However, HSTS and TLS allow you to browse and communicate almost freely, even over unreliable WiFi and cellular networks, without ignoring the risk of adverse consequences.
Summary of the news:
- The State of Security on the World Wide Web in 2021
- Check out all the news and articles about the latest security updates.