Threat Intelligence Blog

Posted January 26, 2015

If last year felt like a wild ride in terms of security, you were not alone. Good news though: by encrypting traffic from your organization’s websites, you’ll go a long way in making your users safer with little cost.

We invited security researcher, engineer, and author Ivan Ristic to answer some questions about the business imperative of encryption by default. Ivan is the Director of Application Security Research at Qualys.

Ivan is not just an expert in online security but a leader in making the web a safer place, as you’ll find in this conversation between Ivan and Cyveillance Chief Scientist Caleb Queern.


Imagine that a board member of a large enterprise gives you one shot to explain how making all his company’s sites HTTPS by default makes good business sense. Go!

I hope we can assume that board members of large enterprises understand by now — without any doubt — that everyone is out to get them. We’ve seen in recent years that the Internet is a battleground on which numerous factions fight for supremacy, and that there are no rules. It’s helpful to imagine large businesses as Zion (the last human city) in the Matrix films: the board members are in the city, defending themselves from sentinels that are at all perimeters trying to find ways in.

In this light, business assets without encryption are effectively left vulnerable for the predators to devour. And they will do exactly that, being very creative about making use of what is given to them. Not to mention that even the least important assets often “work” very well as stepping stones for attackers to gain a deeper foothold.

There is really little justification for not using encryption throughout. First, it’s generally straightforward to use and cheap by itself; essentially free for all new assets. What I mean by cheap and essentially free is that certificates cost very little money (and this year we are probably getting the first free certificate authority) and the encryption itself doesn’t require many resources in terms of CPU or other hardware. Once you define your operational procedures to provide encryption by default, everything just works with little effort. Second, using encryption consistently everywhere actually helps save resources by allowing businesses to focus their collective mental energy on dealing with really difficult problems.

2014 was a roller coaster of stories about encrypting information online. What were the most impactful stories from your point of view?

Yes, 2014 was a roller coaster, but did we really learn anything new? I don’t think so. It’s the same old story over and over again. Perhaps I am finding 2013 difficult to beat, because that was the year in which the documents leaked by Edward Snowden helped a critical mass of people see the Internet (and, to a large extent, the world) in a completely different light.

I don’t find security breaches very interesting at all. I’d rather hear about improvements that are going to make security better for all of us. For example, a really good story would have been if HTTP/2 were to require encryption to run. But, sadly, that doesn’t seem to be happening. We have few chances to really improve things, and that’s usually when designing new platforms and standards. HTTP/2 could be a huge disappointment in that sense.


What is SSL Labs and why should people care?

SSL Labs is my attempt to help improve security, even by a little bit. It’s a combination of tools, documentation, and research primarily designed for those who want to help themselves and effectively cross encryption from their list of worries. Its most important feature is the server test, which performs comprehensive analysis of SSL/TLS servers and tells you what needs fixing. Everything on SSL Labs is free; my employer, Qualys, is paying for me to work on it.

Over the years SSL Labs has become pretty popular, and now it’s become a game of sorts. The field of SSL/TLS and PKI is pretty dynamic, which means that people have to invest constant effort to keep up. It’s a bit like going the wrong way on a moving sidewalk — you have to walk just to stay in the same place.

Although I designed SSL Labs for people to use to test themselves, it still allows testing of any public web site. As a result, people are now using it to look at the SSL/TLS configuration of the web sites and companies they interact with. As it turns out, a lot of people are now fed up with having to deal with security through no fault of their own. It’s become a burden, but it’s really frustrating in some cases because your security doesn’t depend only on your actions, but on the actions of the companies that have access to your data.

The main problem is that it’s not possible to determine which sites are good at security and which aren’t. Without that, it seems that people have started to use SSL/TLS configuration as a proxy to assess a company’s overall security posture. If they take effort to deploy SSL/TLS correctly, perhaps they’ll do other things well? It’s not a guarantee, but it’s a useful signal.

SSL Pulse

You run a monthly scan across the world wide web of HTTPS adoption called SSL Pulse. What are the general trends you’re seeing in terms of HTTPS support across the web?

SSL Pulse is very useful to help us understand where we are (in terms of SSL/TLS and PKI security) at any given moment. You can see if sites support new security features and if they’re dealing with vulnerabilities. When it comes to the trends, it’s quite boring to look at the changes from month to month actually. Whenever something relevant happens we can see a big change on the graphs next month, but usually virtually no change in the month after that. This tells us that there’s a small group of companies that take security seriously and actively respond to new events. The great majority simply tags along. For them, improvements largely happen because they’re coming from the underlying operating system or other software components.

Are you optimistic that 2015 will bring better news for us in terms of data confidentiality and integrity online than we saw in 2014?

Yes, I think 2015 will be better, and then 2016 will be even better after that. But I don’t think the changes are going to be substantial because that requires much longer. As with HTTP/2, we have few opportunities to make true improvements.

What are the quickest HTTPS improvements our readers can implement to reduce the most risk fastest?

Deploying HTTP Strict Transport Security has, by far, the best return on investment of all possible improvements. It makes a web site 100% encryption only, and forbids browsers from showing click-through certificate warnings when your visitors are under active network attack.

Other than that, I think everyone should be focused on enabling forward secrecy, which prevents retroactive decryption after the server private key is compromised.
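Ivan’s first recommendation, HSTS, as an added example that is not code from the interview or from SSL Labs: this Python parses a Strict-Transport-Security header, grades it the way a scanner might, and mimics the browser-side upgrade of http:// URLs once the policy is cached. The header values are constructed samples, and MIN_MAX_AGE is an assumed threshold, not a figure from the interview.

```python
# Added example (not from the original post or SSL Labs). Header values are
# constructed samples and MIN_MAX_AGE is an assumed threshold.
import re
from urllib.parse import urlsplit, urlunsplit
MIN_MAX_AGE = 180 * 24 * 3600  # assumption: roughly six months

def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def check_hsts(header):
    """Findings a scanner would report for the header; an empty list means OK."""
    if header is None:
        return ["no HSTS header: plain-HTTP access and certificate click-through stay possible"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"malformed header ({exc}); browsers ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes the cached policy instead of enforcing one")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return findings

def apply_hsts(url, host, policy):
    """Rewrite url the way a browser does once host's policy is cached."""
    parts = urlsplit(url)
    name = parts.hostname or ""
    covered = name == host or (policy["include_subdomains"] and name.endswith("." + host))
    if parts.scheme != "http" or not covered:
        return url  # other hosts, or already-https URLs, are left alone
    netloc = name if parts.port in (None, 80) else f"{name}:{parts.port}"  # port 80 becomes 443
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```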
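For the forward-secrecy recommendation, an added example that is not from the interview or from SSL Labs: a Python classifier that decides, from a cipher suite’s key-exchange method alone, whether sessions under it stay confidential after the server key leaks, and sorts a constructed server suite list into keep and drop lists. Suite names are standard IANA and OpenSSL names; treating prefix-less OpenSSL names as RSA key transport is an assumption.

```python
# Added example (not from the original post or SSL Labs): classify TLS suites by
# key exchange, since that alone decides whether a session has forward secrecy.
import re

# TLS 1.3 suites name only the AEAD/hash; the handshake always uses ephemeral (EC)DHE.
TLS13 = re.compile(r"TLS_(AES|CHACHA20)_\w+")
# Key-exchange prefix of TLS 1.2-and-earlier names, IANA (TLS_ECDHE_RSA_WITH_...)
# or OpenSSL style (ECDHE-RSA-...). ECDHE must be tried before ECDH, DHE before DH.
KX_PREFIX = re.compile(r"(ECDHE|DHE|EDH|ECDH|RSA|PSK|SRP|DH)[-_]")

def key_exchange(suite):
    """Return the key-exchange family of a suite name, e.g. 'ECDHE' or 'RSA'."""
    if TLS13.fullmatch(suite):
        return "ECDHE"
    name = suite[4:] if suite.startswith("TLS_") else suite
    m = KX_PREFIX.match(name)
    if m:
        return "DHE" if m.group(1) == "EDH" else m.group(1)
    if suite.startswith("TLS_"):
        raise ValueError(f"unrecognised suite {suite!r}")
    return "RSA"  # assumption: OpenSSL names with no prefix (AES128-SHA) are RSA key transport

def has_forward_secrecy(suite):
    # Ephemeral DH/ECDH keys die with the handshake, so a later compromise of the
    # server's private key cannot unlock recorded sessions. RSA key transport and
    # static (EC)DH tie the session secret to the long-lived key instead.
    return key_exchange(suite) in ("ECDHE", "DHE")

def forward_secrecy_report(suites):
    """Split a server's offered list into suites to keep and suites to drop."""
    keep = [s for s in suites if has_forward_secrecy(s)]
    drop = [s for s in suites if not has_forward_secrecy(s)]
    return {"keep": keep, "drop": drop, "fs_only": not drop}

# Constructed sample list: a server that still offers RSA key transport.
SAMPLE_SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    report = forward_secrecy_report(SAMPLE_SERVER_SUITES)
    print("keep:", report["keep"])
    print("drop:", report["drop"])
```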

Thanks for joining us. Any last thoughts, Ivan?

Getting SSL/TLS and PKI right is easier than people might think. In many cases it’s sufficient to scan yourself using the SSL Labs test and follow the recommendations.

Other than that, good default policies can ensure that everything is properly done from the moment it’s created. Generally speaking, that’s the most efficient approach. If you can do only one thing today, ensure that new projects are secure by default.
