Creating Technology for Social Change

HTTP Must Die

Liveblogged at HOPE X.

Yan Zhu, EFF
Parker Higgins, EFF

VizThink by Willow Brugh.

Why is HTTP bad? HTTP touches everything we do. Agencies such as the NSA can use this to see everything we do online.

Even if you support HTTPS, not using it all the time exposes you to vulnerabilities. The NSA’s QUANTUM intercepts requests to services like Yahoo and, before a secure connection is established, redirects them to NSA-operated FOXACID servers that infect the user with malware. The NSA also uses unencrypted cookies to determine whom to target.

Upgrading from HTTP to HTTPS can also be used to prevent censorship. The Great Firewall of China, for instance, looks at URL paths, but HTTPS only exposes the host name. There are ways around that using unique identifiers such as file size, but doing so makes the attack much more sophisticated. As a result, censorship has to occur at a site-wide level; for instance, this prevented China from blocking parts of GitHub. But if a government decides it’s worth it to block an entire site, using HTTPS could result in more censorship rather than less.

Since the Snowden revelations, many companies have been switching to HTTPS by default. Email can use opportunistic TLS encryption, but it falls back to unencrypted traffic if encryption is not available. Since Snowden, encrypted traffic has more than doubled, but it’s still a minority of web traffic.

When you first request a website, an attacker can use a technique called sslstrip to prevent the connection from being encrypted. Newer browsers are beginning to support a header called HSTS (HTTP Strict Transport Security), which a site sends to require an encrypted connection.
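As an added example (not from the talk or from EFF code), this Python audit checks one response's headers for the two exposures described above: an HSTS policy that does not protect the visitor, and cookies that can travel unencrypted. The function names, finding codes and the 180-day threshold are assumptions of this example, and the sample responses are constructed.

```python
MIN_MAX_AGE = 15552000  # 180 days; threshold chosen for this example (assumption)

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the policy is invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = (part.strip() for part in directive.partition("="))
        if name.lower() == "max-age":
            arg = arg.strip('"')  # the value may be a quoted string
            if max_age is not None or not (arg.isascii() and arg.isdigit()):
                return None  # repeated or malformed max-age invalidates the header
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit(scheme, headers):
    """headers: list of (name, value) pairs from one response. Returns finding codes."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP, so it gives no protection here.
        findings.append("plaintext-response")
        if hsts:
            findings.append("hsts-ignored-over-http")
    else:
        policy = parse_hsts(hsts[0]) if hsts else None  # only the first header counts
        if policy is None:
            findings.append("hsts-missing-or-invalid")
        elif policy[0] == 0:
            findings.append("hsts-max-age-zero-clears-policy")
        elif policy[0] < MIN_MAX_AGE:
            findings.append("hsts-max-age-short")
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:  # cookie would also be sent over plain HTTP
            findings.append("cookie-without-secure:" + cookie.split("=", 1)[0].strip())
    return findings

# Constructed sample responses (not captured traffic).
FIRST_VISIT = ("http", [("Strict-Transport-Security", "max-age=31536000"),
                        ("Set-Cookie", "sid=abc123; Path=/; HttpOnly")])
HARDENED = ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                      ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure")])

if __name__ == "__main__":
    for scheme, headers in (FIRST_VISIT, HARDENED):
        print(scheme, audit(scheme, headers))
```

The first sample shows why the initial plain-HTTP request stays exposed even when the site advertises HSTS: the policy only takes effect once it has been received over HTTPS.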

What’s new in SSL? A new proposal called Certificate Transparency logs all certificates issued by an authority, to prevent an attacker from forcing an authority to issue a fake certificate.

STARTTLS Everywhere from the EFF prevents an attacker from downgrading your TLS connection to unencrypted.