Is It Time To Abandon HTTP?

August 03, 2013

In the wake of the long and continuing set of revelations about the NSA and FBI recording everything we say and do online, I wonder whether it is time to give up on unencrypted web traffic entirely.

Facebook and Wikipedia are just the latest web companies to move to HTTPS all the time. Of course we assume that this makes things more secure from prying eyes; what we don't know about the capabilities of the spy agencies may be more than what has been reported.

There is also the assumption that the companies themselves haven't been forced to install some kind of data center device that gives the agencies access to the traffic after it leaves the HTTPS tunnel, which would make the encryption rather moot: HTTPS protects data in transit, not data sitting in plaintext at either endpoint. If you assume that securing the traffic is sufficient to block recording, at least for today, then maybe it makes sense to do it.

Of course HTTPS has its own problems. Everyone will need the appropriate certificates and will have to be able to deliver all of their traffic from their servers without too much additional expense. I haven't been involved in server hardware for a while now; it used to be a performance hog, so people didn't want to do it, but maybe it's not as big an issue today.

Another problem with everyone moving to HTTPS is that it might force the agencies to go harder after monitoring from inside people's data centers to keep up the flow of information. Apparently the FBI has been heavily involved in trying to force ISPs to allow devices to be installed to capture port traffic. I imagine the same happens at the source companies, which would be required to capture the data before encryption or after decryption.

The agencies of the US (and I am sure of other countries as well) might also be inclined to force people to turn off HTTPS if it became an issue. This might be politically difficult, but so far Congress and the DOJ seem uninterested in worrying about that.

I also wonder whether the certificate authority system has been compromised so that the NSA and FBI could use man-in-the-middle attacks to decrypt SSL traffic, but I don't know enough about it to do more than speculate. If they could read HTTPS, they wouldn't care whether anyone used it or not. If this were true, the internet commerce industry would be dead. Once someone compromises the security of the internet, no one will use it again, since that knowledge would most certainly leak out or be reverse-engineered in some way. Maybe it requires nation-level force like an NSL (National Security Letter) to pull off, but there are plenty of countries willing to go that route as well. The U.S. has the benefit of holding most of the world's internet infrastructure.

So we can only hope that encrypting all traffic on the internet will at least create a window of privacy and security, but I don't doubt that the spy agencies' hunger for any and all information will force them to respond, assuming they aren't already way ahead of the industry.

That this is a topic at all is depressing.