47

Lots of sites these days, that don't deal with sensitive data, enable encryption. I think it's mostly to make (paranoid?) users feel safer. In cases where there is a user's account being logged in, their personal data accessed, I see how it can be useful.

But what if I'm just reading a news site? Everyone has access to that, it's all over newspapers even. What's the point of encrypting such easily accessible information?

Many users have public social network profiles with their interests listed in them, political and religious beliefs, or that information can be easily found from their personal blogs and websites. They don't see that as a threat to their personal life, so they choose not to hide it. How can viewing non-encrypted popular public content harm them? And how does encrypting such pages protect their privacy?

Vaughan Hilts
  • 303
  • 1
  • 8
user1306322
  • 916
  • 7
  • 15
  • 5
    I don't think this is a dupe because it's not about the privacy and anonymity generally, but specifically about whether encryption is necessary when no sensitive data is exchanged. – Xander Mar 24 '14 at 13:56
  • 3
    Just reading a news site? What if your employer looks up whether you prefer left or right leaning media outlets. What about the specific news articles that strike your interest being used against you as a statistic? Very little you do online fails to reveal something about you without your consent. – mikebabcock Mar 24 '14 at 15:02
  • Well, I'm not against people finding out my interests anyway. I may have my Facebook profile all filled out and public, list all my personal interests and read the corresponding news sites every day in public. I'm not sure how non-encrypted news page could hurt me in this case. – user1306322 Mar 24 '14 at 15:09
  • 1
    @mikebabcock Even SSL doesn't hide all of that. At minimum it leaks the IP, usually it also sends the domain in plain and using traffic analysis it's sometimes possible to even figure out which pages you're viewing. – CodesInChaos Mar 25 '14 at 11:51
  • @mikebabcock - SSL might not hide anything at all from your employer as they can use a decrypting proxy to intercept all of your SSL traffic, or client side monitoring that hooks into your web browser. – Johnny Mar 26 '14 at 23:54
  • 1
    social engineering ! – Ebenezar John Paul Mar 28 '14 at 06:36
  • See also on [webmasters.se]: [Force Using SSL on Site now?](http://webmasters.stackexchange.com/q/59770/17633) – unor Mar 29 '14 at 20:00

12 Answers

75

The issue you're dealing with, here, is that if you decide not to encrypt a connection, you're making assumptions regarding the sensitivity of the data that goes over that connection.

Unfortunately, it is impossible to properly make that assumption because:

  • You might not have fully understood all the implications of the data (for instance, if Twitter didn't encrypt data, it could be used by government agencies to spot dissidents and opponents).
  • Data can become sensitive after being transmitted (for instance, answering "who was your first grade teacher" in a web chat with old school buddies could lead to a compromise of your iTunes account later on).

In the end, it is the same as dealing with sensitive paper documents: you can decide to shred what's sensitive only but all it takes for that model to crumble is a single mistake. It's much easier to simply destroy ALL documents securely and not worry about sorting.

Given the relatively low cost of using connection security and the fact that it wards you against all the above problems (mostly), it makes a lot more sense to encrypt everything than to try to cherry-pick the "right" content to be encrypted.

Stephane
  • 18,607
  • 3
  • 62
  • 70
  • 2
    While I agree with your conclusion, I disagree with your twitter example. You state that twitter needs to be encrypted so that government can't use it, however, all data is public and can be queried at will. I am pretty sure the government DOES do this with twitter data. – Humdinger Mar 26 '14 at 18:40
  • You make a very optimistic assumption about Twitter's security/privacy, I think, in light of recent NSA news ^^ – HC_ Mar 26 '14 at 22:13
  • 2
    Perhaps the twitter example isn't the best one. What I meant is that some information can be considered safe and public in one context and needing to be protected in another. It's the snowball effect that causes innocuous data to be turned into dangerous data when aggregated. If you have a better example to suggest, I'll be happy to edit the question. – Stephane Mar 27 '14 at 08:59
  • @Humdinger well not all data is public, there are private accounts and direct messages. If private accounts' tweets weren't encrypted during transmission to twitter then people could read everything x user is tweeting despite it not being a public account. – Ryan McDonough Mar 28 '14 at 08:27
58

Encryption is not just about preventing eavesdroppers from reading data, it also prevents them from changing it.

Flipping images on webpages upside down is an amusing prank to play on housemates but a malicious person could inject ads, or harmful code (Java, Javascript, Flash etc.) into your webpages without you realizing it.

http://www.ex-parrot.com/pete/upside-down-ternet.html

user2675345
  • 1,651
  • 9
  • 10
  • 1
    This is a very interesting point. How susceptible to changes are non-encrypted pages? Could you give a graphic example? – user1306322 Mar 24 '14 at 15:11
  • 3
    I don't understand what you mean by a graphic example but I'll try to elaborate. When web pages are not encrypted, a man in the middle can modify them as he wills, for example by changing the text of the page. The upside-down thing is an old example hacked together with Perl scripts. These days there are tools dedicated to doing this kind of thing. http://mitmproxy.org/ – user2675345 Mar 24 '14 at 15:19
  • 16
    Encryption on its own does nothing to prove that data in transit has not been modified. For that, you need authentication which is normally provided through digital signatures. This is also a component of SSL, but the two should not be confused. – Iszi Mar 24 '14 at 17:40
  • @user2675345 Actually, it's not that obvious. Not at all. Until someone tells you, anyway, then it's the most obvious thing in the world. – user253751 Mar 25 '14 at 09:28
  • 2
    @user1306322 For example an attacker could replace any executable you download over http with malware. – CodesInChaos Mar 25 '14 at 11:52
  • As I just noted to Eric's post, it may prevent changing in transit, but won't prevent changing it by means of XSS or SQLI. Thru those type of vulnerabilities, attacker can spoof content at the source (SQLI) or at least make it appear to come validly from the source (XSS). That said, it does give a level of confidence on authenticity of data, albeit no guarantees. – LB2 Mar 26 '14 at 21:26
  • 4
    @user1306322 - ISPs have been known to inject data into pages. Consider this [H&R commercial on an apple site](http://zmhenkel.blogspot.ca/2013/03/isp-advertisement-injection-cma.html), or [Rogers Internet in Canada](http://arstechnica.com/uncategorized/2007/12/canadian-isp-tests-injecting-content-into-web-pages/) – rolfl Mar 27 '14 at 01:24
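The distinction raised in the comments above (encryption alone does not prove data was not modified; SSL adds authentication), as an added example that is not part of the original answer or comments. It uses a toy SHA-256 keystream cipher and HMAC from the Python standard library to stand in for a real cipher suite; the headline text and key handling are constructed for illustration.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (illustration only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality without integrity. XOR is its own inverse, so this also decrypts."""
    return xor(data, keystream(key, nonce, len(data)))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return encrypt_only(enc_key, nonce, ct)


def modify_in_transit(data: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model an in-path change that needs no key: XOR in the difference old^new."""
    patched = bytearray(data)
    for i, delta in enumerate(xor(old, new)):
        patched[offset + i] ^= delta
    return bytes(patched)


def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    page = b"<h1>Central bank raises rates by 1%</h1>"  # constructed sample page
    offset = page.index(b"1%")

    # Encryption only: the changed ciphertext decrypts cleanly to different content.
    changed = modify_in_transit(encrypt_only(enc_key, nonce, page), offset, b"1%", b"9%")
    altered = encrypt_only(enc_key, nonce, changed)

    # Encryption plus authentication: the same change is rejected by the receiver.
    blob = modify_in_transit(seal(enc_key, mac_key, nonce, page), offset, b"1%", b"9%")
    try:
        open_sealed(enc_key, mac_key, nonce, blob)
        detected = False
    except ValueError:
        detected = True
    return altered, detected


if __name__ == "__main__":
    print(demo())
```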
34

In addition to the other good answers I would add that HTTPS ensures that when I think I'm reading bbc.com, I really am reading the content provided by bbc.com, not a hostile third-party who wants to fool me.

Some news sites still present facts. People make decisions based on those facts -- decisions that have real-world consequences.

Ellie Kesselman
  • 488
  • 4
  • 20
Eric Lippert
  • 4,396
  • 2
  • 17
  • 12
  • 1
    In practice, 'changing content' will usually mean not changing any visible information to fool the reader, but inserting malware/exploits - so that those then can be used to capture the sensitive information from the same computer. – Peteris Mar 24 '14 at 19:05
  • this is a good point, but at the same time HTTPS doesn't necessarily protect from man in the middle attacks. While one might think that they are indeed viewing data from a reputable news site, it is entirely possible for someone to spoof the endpoint you are communicating with. – Robert Petz Mar 24 '14 at 21:57
  • @RobertPetz Only if you can obtain a private key to a certificate for that domain name. – Navin Mar 24 '14 at 23:02
  • @RobertPetz: "Entirely possible" overstates a bit. That's what SSL certificates are for. You'd never get a certificate for `bbc.com` signed by a reputable CA, and the disreputable ones won't get you any better acceptance than self-signing (which will flag the site in every browser i know of). And the signatures aren't exactly trivial to forge. – cHao Mar 24 '14 at 23:02
  • @cHao - yes, I agree that it is difficult and highly unlikely - but dismissing MITM entirely is not necessarily a good idea either. I do agree that my usage of the words 'entirely possible' should be supplemented with 'though highly unlikely' haha – Robert Petz Mar 24 '14 at 23:16
  • 4
    It's not all that unusual for someone to get hold of an SSL certificate that they shouldn't have, and that the major browsers will trust. What is unusual is for it to last very long (before the browser vendors block it or the CA revokes it), or to be for a site that I personally happen to use. So SSL provides a lot more confidence of identity in practice than it does in theory. – Steve Jessop Mar 25 '14 at 00:34
  • 1
    To spoof end-point means one has to provide their own cert signed by trusted CA and user not notice that cert is for a different site, or possibly install own root cert on user's machine. However, HTTPS does not guarantee the content came from real site if site has XSS or SQLI type vulnerabilities, meaning the content may appear to come from the site, but the content was injected/spoofed, and yet came from the target server. This is by no means to say that HTTPS is not useful for the purpose that Eric Lippert states. It is; it gives a good level of confidence, but doesn't guarantee origin. – LB2 Mar 26 '14 at 21:19
  • 2
    @LB2: Excellent point regarding XSS. – Eric Lippert Mar 26 '14 at 21:25
11

One reason in general I would like to add to the above answers is that even though you might not be doing something highly illegal in a western country, you should not assume that the government is not interested in what you read. Reading the following might put you on a list:

  • Classified documents leaked by whistle-blowers that are technically illegal
  • A news site or magazine in a Muslim country (if you live in the United States)
  • A news site or magazine, etc. based in the United States if you live in China or a Muslim Country

In general, we know that many governments build profiles of people who visit certain sites and you might wish to keep your political interests private. For your example of any news source, even just considering China alone and none of the reasons above is reason enough.

Edit: Steve below reminded me, in this situation the page you visit is private, but not the website. So you need to be aware of that.

user40513
  • 133
  • 5
  • 6
    Good point, though SSL wouldn't protect the government from knowing you read a given site, only *which page* on that site you were reading. – Steve Armstrong Mar 25 '14 at 05:00
  • @SteveArmstrong that is a very important point. Thanks. – user40513 Mar 25 '14 at 14:48
  • Given the recent revelations regarding the Heartbleed bug (OpenSSL exploit), you need to do more to protect your anonymity online. I would recommend Tor and an encrypted VPN. – Mark Micallef Apr 10 '14 at 03:26
10

As a general rule, it's good policy to strongly encrypt all data travelling across public networks.

The reason is that if only "sensitive" data is encrypted, it's very easy for eavesdroppers to target potentially useful data simply by looking for anything that's encrypted.

However, if everything is encrypted by default then they have no idea what information is useful until they've already decrypted it.

Given that decryption (without the key) is relatively expensive in terms of processing power while encryption is quite cheap, and that no system of encryption is entirely secure, the best way to ensure that your data remains secure is if absolutely everything is encrypted with strong encryption, even information which is trivial or already in the public domain.

Mark Micallef
  • 239
  • 1
  • 8
9

I think that really depends on the extent of the definition of "sensitive data." Passwords and credit card numbers are certainly one example, but perhaps looking up info about a rash on WebMD, while generally public info, may be something that you're sensitive about and don't want your employer or your ISP to know (employers' rights and use of work equipment arguments notwithstanding). Or perhaps following the news and elections, and not necessarily wanting to disclose your affiliation. Election news is public, yet which ones you read may not be something you wish to disclose. So in general, the information itself may be in the public domain. Who accesses what information and what can be profiled about one does not necessarily have to be. This is where encryption may be useful (and of course other technologies making such information available again notwithstanding - just giving an argument strictly with respect to encryption).

LB2
  • 420
  • 2
  • 8
3

Lots of news sites/newspaper sites provide accounts for additional functionality, subscriptions, etc. Forcing all web traffic through SSL reduces risk by making sure no one can ever log in on an unencrypted connection.

Generally it's better to be safe than sorry. Nowadays HTTPS isn't as much of an overhead as it used to be, so why not encrypt all connections to be sure?

Tim Lamballais
  • 282
  • 1
  • 4
3

Some background before I get to my answer:

I find telephones fascinating and one of the most interesting phones I came across was the STU or Secure Telephony Unit, which basically consisted of an a/d-d/a, some audio codecs, a digital encryption module, a modem and a bypass circuit, all stuffed inside a telephone, and was for the most part connected to ordinary telephone lines and the public telephone network. They were very popular during the cold war. The basic way they were used is: pick up the handset, verify dial tone, place the call, verify that you reached the right number, agree to initiate secure mode, both parties would turn the key to initiate secure mode, wait for the crypto to sync, have secure conversation, agree to end secure mode, turn key to insecure, end call.

In my research into STUs I came across an account of some Russian spies discussing intercepting calls between STUs. Although these field agents were unable to learn the contents of the encrypted conversation, they made a special effort to listen to all calls on a line that had a STU connected to it in addition to recording the encrypted conversation for analysis. They said that they learned all sorts of interesting and valuable things from the unencrypted portion of the calls, quite a bit beyond the identities of the parties to the call.

The moral of the story: Even if you don't think the information is valuable, the enemy might. (regardless of who we think the enemy is)

hildred
  • 449
  • 1
  • 4
  • 9
  • 1
    +1 for "Even if you don't think the information is valuable, the enemy might" – Ebenezar John Paul Mar 28 '14 at 06:34
  • I dunno. Sounds like important war and politics stuff. Also, top secret spy encryption methods sure aren't the same as open source internet encryption algorithms. Could you provide some modern times situations where a normal person could be harmed in a similar way? – user1306322 Mar 29 '14 at 16:02
3

Because you don't really know what can be inferred from the data you emit. Since the whole NSA fuss surfaced in the news, a lot of people think: "yeah, right, the NSA knows about the emails I send to my little cousin and my buying habits? So what?".

Unfortunately we've entered the age of BigData and machine learning. This isn't just about crunching huge databases to get models and predictions. Personally, I think machine learning represents a huge step forward for sciences in general. It represents a shift from analytical to what I'd call meta-analytical methods. "Back in the days", you'd start with data coming from some domain (say, demographics), analyze it with some analytical framework that matches the domain, and get a result in this domain's terms (e.g. a model to predict the growth of some given population).

Machine learning works on the level above: it has its own set of analytical tools and methods, but it is used to build "electronic brains" that will perform the actual analysis. The direct consequence of this being that it is easier to bind domains and perform cross-inferences between them. For instance, it is possible to predict where you'll be 24 hours from now on the basis of some of your Facebook data.

Or tell whether a woman is pregnant by looking at what she buys.

Target Predicts Pregnancy with Big Data.

After shopping at Target, the girl began receiving mail at her father’s house advertising baby items: diapers, clothing, cribs and other baby-specific products. Her father was incensed at the company’s attempts to “encourage” pregnancy in teens and complained to the management. A few days later, a shamefaced Dad called the manager to apologize; it appeared his daughter actually was pregnant. This is not an unusual occurrence with today’s computer-assisted data collections on the part of retail stores. Target assigns customers a Guest ID number that is tied to their name, credit card, email address and every other piece of information the store can collect. Using the information on past purchases, Target is able to create a startlingly accurate profile to use in customer-specific advertising.

Of course, I am overstating the power of machine learning (and understating the importance of domain-specific knowledge/experts). Yet, the prospects are frightening: identifying gay people or political opponents from some apparently unrelated activity, as could be achieved by ill-intentioned governments or organizations, sounds plausible. They could even repress revolutions before people even get the chance to protest on the streets. Etc...

I think this is a very important issue for our modern societies, even more so since it hasn't been identified as one of the great ethical challenges of this century, unlike human genetic engineering.

Bernhardt
  • 31
  • 1
  • So, basically, what you're saying is that information on political, religious beliefs, sex, gender and racial profile can be created easily and potentially cause trouble for people. I think they're well aware of that if they chose not to hide that data on their facebook page or speak their mind on those topics publicly. But it's not a problem caused by unencrypted internet access. – user1306322 Mar 29 '14 at 15:57
  • You make a valid point. Obviously, Facebook will have your data if you use their services. But if you encrypt your data you *might* get over large-scale man-in-the-middle schemes run by governments. Also I'm not sure you understand my point (pardon me if I'm wrong): the problem is not that people brag about sensible data on their Facebook profile. What matters here is that you can infer sensible, encrypted, data from innocuous looking data. If you don't encrypt the latter, some organization might be able to infer the former. The NSA claims it is only reading metadata: it might be well enough. – Bernhardt Mar 29 '14 at 23:39
2

One point that often gets missed in this discussion is the fact that SSL also encrypts the page URL that you use when accessing a website.

If someone were eavesdropping on your connection, (NSA?) and you were visiting a site that wasn't provided over SSL, someone could see which pages you access and build a profile around you based on your browsing habits.

If you visit sites with SSL enabled, it is not just the page content that is encrypted but the actual page URL (the path on the server) that gets encrypted too.

So if someone is eavesdropping they only know which domains you visit. They can't tell what pages you access.

user42684
  • 21
  • 1
  • So using SSL on 4chan is a guaranteed way to completely confuse NSA? – user1306322 Mar 25 '14 at 13:44
  • @user1306322 Like I said they can still see the domain. They couldn't say without a doubt that you were doing anything wrong on 4chan. The only proof they have is that you visited. Would you rather they know every single post you read? Or every Google search you do? Or every product you have ever dreamed about buying? – user42684 Mar 25 '14 at 15:29
  • IMO nothing puts you on *the list* more than employing methods designed to make that harder. – user1306322 Mar 25 '14 at 15:39
  • 1
    @user1306322 The point that I am making is that it makes it harder to justify a _list_ in the first place if everyone were to enable SSL on their sites. Imagine searching Google for 'how to make a bomb' (out of curiosity because you saw something on TV) and then 'densely populated areas in US' (for your research project). That would likely get you on _the list_ if Google wasn't using SSL. Since they are, the NSA can only see that you visited something on Google.com twice. – user42684 Mar 25 '14 at 19:03
  • Just wanted to point out that the domain name is part of the encrypted payload, so an eavesdropper technically _can't_ see what domain you're connecting to. That said, SNI isn't common so it's usually trivial to do a reverse DNS lookup – aidan Mar 26 '14 at 04:06
  • 1
    This is all assuming that the NSA can't get access to your google cookies. – Humdinger Mar 26 '14 at 18:41
1

All the main points have been covered but I thought it's worth covering this particular scenario:

It was/is popular to encrypt a login page, then allow the authenticated user to continue browsing the site on an unencrypted connection (to save CPU cycles on the server). This seemingly efficient and parsimonious use of encryption is actually next to useless.

It allows a mitm to capture your session cookies and then fully impersonate you on the site in question. Possibly allowing them to change your login credentials or even retrieve your plain text password.

aidan
  • 111
  • 1
1

THE THREAD-STARTER WROTE: But what if I'm just reading a news site? Everyone has access to that, it's all over newspapers even. What's the point of encrypting such easily accessible information?

MY RESPONSE: Yes, everything on the news site is public; but would you feel comfortable with someone standing over your shoulder while you're with your computer at a coffee shop, using its WI-FI, for example seeing which articles you choose to read? And what if the news site nevertheless has a login so that readers may customize the feed? Doesn't that part of what you do there need to be encrypted? Between the two things, it's easier for the site owner to just encrypt everything.

THE THREAD-STARTER WROTE: Many users have public social network profiles with their interests listed in them, political and religious beliefs, or that information can be easily found from their personal blogs and websites. They don't see that as a threat to their personal life, so they choose not to hide it. How can viewing non-encrypted popular public content harm them? And how does encrypting such pages protect their privacy?

MY RESPONSE: Some of them don't care about their privacy. They have, as psychologist Sherry Turkle put it, an "I share, therefore I am" sort of mentality. In any case, as with the previous example, even they who so freely share must log in to said pages to change things, no? And their so doing must be encrypted, no? Additionally, those who read their information may not want others in the coffee shop where they're using their laptop to know that they're looking at so-and-so's social networking page.

Learn about what's called "sidejacking," wherein someone sitting at another table with his/her laptop, in a coffee shop where you're also using your laptop, with both of you on the same WI-FI LAN, can be using a simple Mozilla Firefox extension called "Firesheep" to "see" on his/her screen, everything you're doing on your computer at your table on the other side of the room. Or s/he can be using his/her android phone, and a little thing called "DroidSheep" to accomplish much the same thing. And there are other similarly-nefarious tools.

Would their doing that to you be okay with you? Right about when you figure out that they are, wouldn't it be nice if the website you're using just happened to have SSL turned-on, and your access to said site were via https:// instead of mere http://?

That's why Firefox and Chrome extensions like "HTTPS Everywhere" exist: to automatically switch thousands of sites from insecure "http" to secure "https", thereby protecting you from many forms of surveillance and account hijacking/sidejacking; and in countries less free than the US, even some forms of censorship.

All websites, anymore, should be utilizing SSL for all content. Period. It should be as normative as that we must put on clothing before we leave the house.

Hope that helps!

  • 2
    This isn't a thread, it's a question. We're on a Q&A site. – user1306322 Mar 30 '14 at 01:09
  • `>would you feel comfortable with someone standing over your shoulder` −Even if I'm not doing anything, that person is acting inconsiderately, unless I know them and it's okay, they can read whatever I'm reading. `>Doesn't that part of what you do there need to be encrypted?` −No, I'm fine with ppl knowing I like tech news and I'm not interested in sports. Don't know about those apps you're talking about, though it seems that cookies and login credentials not being encrypted is a security hole left by developers of social networks. Though I see how this can be used to hijack someone's account. – user1306322 Mar 30 '14 at 01:17
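A check for the two session-exposure scenarios described above (the HTTPS login followed by plain-HTTP browsing, and sidejacking on shared Wi-Fi), as an added example that is not code from any poster. It replays an ordered list of responses through a single-host cookie-jar model and reports where a cookie would cross the network in cleartext; the host `news.example`, the `sessionid` cookie and both header sets are constructed assumptions.

```python
from urllib.parse import urlsplit


def parse_set_cookie(value: str):
    """Return (cookie_name, attrs) with attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_session(responses):
    """responses: ordered list of (url, [(header_name, header_value), ...]).

    Assumes every URL is on the same host, so any stored cookie is attached
    to every later request unless its Secure attribute forbids plain HTTP.
    """
    jar = {}          # cookie name -> True if it was set with Secure
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme
        if scheme == "http":
            # The browser attaches every non-Secure cookie to this request.
            for name, secure in jar.items():
                if not secure:
                    findings.append(("cookie-sent-in-cleartext", name, url))
        header_names = {h.lower() for h, _ in headers}
        if scheme == "https" and "strict-transport-security" not in header_names:
            findings.append(("no-hsts", None, url))
        for header, value in headers:
            if header.lower() == "set-cookie":
                name, attrs = parse_set_cookie(value)
                jar[name] = "secure" in attrs
                if "secure" not in attrs:
                    findings.append(("cookie-missing-secure", name, url))
    return findings


# Constructed sample: login over HTTPS, then browsing over plain HTTP.
WEAK = [
    ("https://news.example/login",
     [("Set-Cookie", "sessionid=constructed-value; Path=/; HttpOnly")]),
    ("http://news.example/politics/article-17", []),
]

# Same flow with the cookie restricted to HTTPS and HSTS announced.
HARDENED = [
    ("https://news.example/login",
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "sessionid=constructed-value; Path=/; HttpOnly; Secure; SameSite=Lax")]),
    ("http://news.example/politics/article-17", []),
]

if __name__ == "__main__":
    for label, flow in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session(flow))
```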