Senator Schumer Says Websites Should Default To HTTPS
from the security dept
There are plenty of websites where it absolutely makes sense for the default to be https, rather than http as the protocol (if you don't know -- and you should -- https encrypts the traffic, while http does not). Most banks and such already use https, but plenty of sites that don't involve financial institutions do not. Even sites like Google's Gmail only recently switched over to defaulting to https. Still, it's a bit of a surprise to see Senator Chuck Schumer announcing that major websites should switch to https, and it makes me wonder if he's preparing legislation on that. I'm not so sure that we want a law mandating https.Separately, he seems to indicate that the lack of encryption with http is a "security flaw" that only really got attention in 2007. That's not quite true. I mean it's been well known that http isn't encrypted for much, much longer than that. And it's not so much a "flaw" as the basic way that http was designed. And, of course, whether or not websites use https, you can protect yourself with VPN encryption software or services, but it doesn't seem like Schumer wants to mandate that...
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: chuck schumer, https, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
HTTPS also costs more to implement.
[ link to this | view in thread ]
Of course it would seem good at first, for the protection of the public; but one of the clauses will likely happen to be that self-signed certificates are nixed.
And I ask how many web sites out there now don't use HTTPS or use insecure HTTPS because they can't afford a cert. :/
[ link to this | view in thread ]
https://schumer.senate.gov/
"schumer.senate.gov uses an invalid security certificate."
[ link to this | view in thread ]
I think a better way is informing the public and making then shun websites that don't use encryption end to end on everything.
Heck HTTP is prone to:
- Ad insertion by anyone along the way.
- Snooping by anyone(i.e. law enforcement, the government, ad agencies, criminals, your neighbor)
[ link to this | view in thread ]
Re:
Why can't websites have their own "self signed" keys and have a search engine, like Google, search various websites for the keys and store them. When I want to connect to a website via a wireless connection, my laptop (which can securely connect to Google) verifies the website's authenticity with Google and, maybe, Yahoo to ensure that the keys that Google/Yahoo give me match with each other and that they match with the keys of the website that I am connecting to. Then, Google connects to the site and verifies the keys for me.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: https://schumer.senate.gov/
[ link to this | view in thread ]
Re:
Exactly. IIRC, the rule of thumb was that a web site could handle 100 HTTP requests for every 10 HTTPS requests.
Is the good senator going to pay for all of the infrastructure upgrades he's mandating?
[ link to this | view in thread ]
Re:
Oh, look. We've just re-invented the Certificate Authority.
The solution is to update HTTPS to have "Private HTTP", which still uses Diffie-Hellman for key exchange and privacy, but doesn't attempt to verify authenticity to prevent against a man-in-the-middle attack. This would protect all sessions from passive snooping (I'm looking at you, NSA; I'm looking at you, FireSheep) while not needing a central CA.
[ link to this | view in thread ]
It should NEVER be a surprise to see Schumer standing in front of a camera.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Why not just educate people?
[ link to this | view in thread ]
[ link to this | view in thread ]
Don't know if this is related...
[ link to this | view in thread ]
Re: Don't know if this is related...
I read both of these sites so much they start to blur together. Of course that story was run here on Techdirt. :(
[ link to this | view in thread ]
Yet another...
If he has a problem with HTTP, then he should take it up with the Creator directly - I'm sure Al Gore will explain why he created the internet with HTTP instead of just HTTPS...
/sarcasm off
[ link to this | view in thread ]
[ link to this | view in thread ]
While you're right that encryption was left out of HTTP by design (for the caching benefits) it was relatively recently (even later than 2007) that it become obvious that HTTPS was more than just a best practice for any web application where users log in.
Before tools like firesheep [1] came on the scene it was generally assumed that simply encrypting the login exchange was sufficient. I'm pretty sure I remember you mentioning firesheep in a story so you ought to be aware of this but it sounds like you may have missed the wider implications.
RE: vpn, as pointed out by the first Coward, your statement is not quite true. It _will_ however help you in a proximity-based attack (e.g. coffee shop wifi + firesheep).
[1] http://codebutler.com/firesheep
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
That's what I said. I know Google's/yahoo's public keys ahead of time because it's pre-built into my browser that I downloaded ahead of time (from a secure channel, presumably).
I go on open wifi.
I go on site with Https
I check the key.
I securely connect to Google and ask it what the key is
Google goes to site
Google checks key
google securely tells me what the key is
I see if what I'm getting from the site matches what Google is telling me.
(the software does this automatically of course, transparent to the user).
If they don't match, my browser alerts me with popups.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
If he actually proposes the law and it builds traction he will probably be shot from a book depository.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
https
[ link to this | view in thread ]
https
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Already present
In fact, as long as you have some other means to verify the certificate like a finger print distributed via signed email or a physical name card, you are relatively safe against the man in the middle attack.
Further, most browsers will provide options to accept the certificate permanently. If you do that, you'll only need to do the verification/authentication manually only the first time and it should be smooth going the next time while providing about as much protection as using a CA. (no cert revoking but you can remove the particular cert from your trusted list if you know to no longer trust it)
Hmm... Perhaps a social networking/crowd-source web of trust... hee hee
[ link to this | view in thread ]