Which Encryption Mechanism Should You Use? - Built In

Which Encryption Mechanism Should You Use? - Built In
Symmetric vs Asymmetric Encryption: A Guide for Non-Techies - hackernoon.com
Chrome browser has a New Year’s resolution: HTTPS by default - Naked Security

Posted: 05 Jan 2021 07:35 AM PST

In the last few years encryption, and cryptography in general, has firmly become a part of the mainstream, largely due to privacy conversations centered around technology giants, the meteoric rise in popularity of Bitcoin, and even the success of movies like The Imitation Game. Even most laymen today understand the word encryption to refer to the technique of transforming data so it can be hidden in plain sight — and they understand its importance.

Encryption has, however, been a firmly rooted component of all enterprise software design for many years. Historically, these capabilities were provided by underlying infrastructure and libraries used by IT and developer teams, who merely had to centrally turn on flags in their builds, enable configurations in their servers, and ensure the use of transport layer security (TLS) in their networking infrastructure.

But with the move to microservices-based architecture and infrastructure-as-code paradigms, individual teams are now responsible for the security of their application and infrastructure stack, and it has become important for them to understand how to properly leverage encryption for all the services they develop.

To properly secure data, it needs to be protected at rest, in transit, and in use. Below are various common encryption terms and frameworks, and what developers can do to leverage them properly.

Encryption of Data at Rest

Data at rest refers to how data is stored in persistent storage. An attacker with access to the physical storage infrastructure or your device can gain unauthorized access to the data stored on it unless it is encrypted. Encryption of data at rest can be achieved in multiple ways.

Disk- or File System-Level Encryption

With disk- or file system-level encryption, the encryption is performed by the implementation of the virtual storage layer. This is completely transparent to all application software and can be deployed with any underlying storage layer, regardless of its encryption capabilities.

Responsibility: Today, all cloud vendors provide this capability, and this is not something developers have to worry about — they just need to enable it.

Threats It Protects Against: Stolen disks or other storage media.

Server-Side Encryption

Server-side encryption is responsible for encrypting and decrypting data, transparently from its clients. The cryptographic keys used for encryption are known only to the server. In the cloud native world, the server can either be a cloud service with keys typically controlled by the cloud provider or a service built by the developers with keys managed by developers. From the perspective of the clients, encryption is transparent.

Responsibility: Many individual cloud services provide this capability, developers will need to enable the feature if it does exist. For an added layer, developers can build and manage their own server-side encryption mechanisms that can even be combined with a cloud service-based server-side encryption.

Threats It Protects Against: Stolen disks or other storage media, file system-level attacks, and cloud provider internal threats if built by the developers.

Client-Side Encryption

Here the client is responsible for encrypting data before sending it to the server for storage. Similarly, during retrieval, the client needs to decrypt the data. This makes the design of application software more difficult. An advantage of client-side encryption is that not every bit of stored data needs to be encrypted, only the sensitive parts can be protected. This is often beneficial when the cost of computation is a concern.

Responsibility: This is solely on the developers to design and make the process as seamless as possible for the client and end user.

Threats It Protects Against: Man-in-the-middle and storage provider internal threats.

What Are the Limits of Encryption of Data at Rest?

Encryption of data at rest is now considered best practice, but is not without its limitations and challenges.

The most critical aspect is how and where the encryption keys are stored, who can gain access to them, and so on. While good solutions are available to secure key storage, it is essential to set them up correctly. Weaknesses in key management are, unfortunately, far too common, and are much likelier to lead to confidentiality breaches, than someone breaking a modern encryption algorithm. Everyone likely knows at least one person who lost access to their data on their smart device because they couldn't remember their back-up key.

Advice to Developers: If at all possible, utilize the resources of your cloud provider for key management. Many of the services have simple configuration toggles to enable encryption at rest and will handle key management transparently. For the most security, you should choose a customer-managed key where possible.

Suggested Tools: Key management services from major cloud providers including Amazon Web Services (AWS) Key Management Service (KMS), Microsoft Azure Key Vault, and Google Cloud Platform (GCP) Cloud Key Management.

Another challenge with encryption of data at rest is that key rotation (the recommended practice of periodically changing secret keys) can be extremely disruptive and costly since large volumes of data may need to be decrypted and then re-encrypted. This poses a challenge when an employee with access to the key leaves the organization or the key is otherwise considered as compromised.

Advice to Developers: Again, if at all possible, utilize the resources of your cloud provider for automatic key rotation as well. Today, all three major providers support automatic master key rotation, and it is a simple config flag when enabling encryption. In these scenarios, a master key will be a reference to the version of the actual encryption key. That is, when a key is rotated, all new data will be encrypted with the rotated key. Manual rotation is possible, but difficult.

Suggested Tools: AWS KMS, Azure Key Vault, and GCP Cloud Key Management.

Encryption of Data in Transit

As developers run their services in the cloud, integrating with other third-party services, encryption of data in transit becomes a must. For years, there was a great deal of pushback due to concerns about latency in applications and as such many applications never implemented transit-level encryption.

However, HTTPS has made huge performance gains over the past decade, and all services today have come to use it — with HTTPS even being used interchangeably with the terms SSL and TLS.

Advice to Developers: Enabling HTTPS for any public endpoints is a necessity today and is extremely simple to do. There will be some minor configuration needed to be done, but if you are using any of the major cloud providers, you can quickly and seamlessly generate and integrate certificates with your services.

Suggested Tools: Each of the cloud providers offer a way to generate public and even private certificates. So there's AWS Certificate Manager, Azure App Service, and GCP Certificate Manager. If you want to use another service, LetsEncrypt is free and has tools for automatic generation and rotation.

Encryption of Data in Use

This is an area of increasing interest, which addresses the risk that data ultimately needs to be available in plain-text form while it is being processed by an application. Even with the strongest encryption techniques applied to data at rest and in transit, it is the application itself that often runs at the very boundary of trust of an organization and becomes the biggest threat to the data being stolen.

Below are two relatively recent techniques to address threats to data privacy while it is in use:

Confidential Computing: This leverages advancements in CPU chipsets, which provide a trusted execution environment within the CPU itself. At a high level, it provides real-time encryption and decryption of data held in the RAM of a computer system even as it is being processed by an application, and ensures the keys are accessible only to authorized application code. With this technique, even someone with administrative access to a VM or its hypervisor cannot maliciously access the sensitive data being processed by an application.
Homomorphic Encryption: This is a class of encryption algorithm that allows certain limited kinds of computations to be performed on the encrypted data itself. These are usually limited to a small set of arithmetic operations. There have been some recent attempts to derive analytics information or insights from homomorphically encrypted data. This includes several companies claiming capabilities like search through regulated or confidential data, and collaboration between analytics teams on highly sensitive data.

A somewhat related technique, popular among companies trying to avoid these problems altogether, is that of tokenization. It involves substituting sensitive data with a non-sensitive equivalent, with no intrinsic business value. The original sensitive data is kept in a highly secure, often offsite or third-party location.

A common example is an online retailer storing credit card tokens instead of credit card numbers themselves. The original credit card number is kept with a third-party service, which only makes it available to an authorized payment processor when needed. While this protects the data and often offloads compliance burden on the business tasked with securing the data, it could be susceptible to token replay attacks and therefore requires that the tokens be protected, effectively just transferring the problem instead of solving it.

Like with all other security techniques, there is no silver bullet or one approach IT and development teams can use to secure their data from prying eyes. The above framework, however, is a good starting point for organizations embracing digital transformation and taking a collaborative approach to security.

Read This NextHow to Protect Your System From Botnets

Symmetric vs Asymmetric Encryption: A Guide for Non-Techies - hackernoon.com

Posted: 05 Jan 2021 03:18 AM PST

@casey-craneCasey Crane

Casey Crane is a tech lover and cybersecurity journalist for Hashed Out and Infosec Insights.

If you find understanding or explaining the differences between asymmetric and symmetric encryption daunting, then take a relaxing breath — we'll break it all down into layman's terms.

Symmetric and asymmetric encryption — what are they and what do they mean in terms of data security? To put it simply, both are ways that individuals, businesses, and other organizations can protect their data. Asymmetric and symmetric encryption involve cryptographic techniques and tools, and both are useful in different types of digital environments.

But these processes aren't all that easy to explain to others. This is why we've put together a non-techies guide. No matter whether you're new or advanced, this article can help you break down symmetric and asymmetric encryption. This way, you can easily explain it to others who may not be as tech-savvy as you. This will definitely come in handy for your upcoming holiday dinner conversations with family and friends.

So, what is symmetric encryption and how does it differ from asymmetric encryption? Let's break each type of encryption down and compare them to see what is best in which applications.

What Is Symmetric Encryption?

Symmetric encryption means that your information is encrypted and decrypted using a single key. The data sender (or originator of the data) has one copy of the key, which they use to encrypt the data. (By "encrypt," I mean convert it from plaintext, readable data into unreadable gibberish known as ciphertext.) The data recipient, who has another copy of the same key, can use it to decrypt the data — meaning that they can revert it from ciphertext to plaintext.

This is why symmetric encryption is also known as private key encryption — because both parties have copies of the same mathematically identical key that they don't share with anyone.

The key itself is a string of randomly generated bits. When generated well and with enough entropy (randomness), the strings of bits should be completely unpredictable and, therefore, impractical to guess using modern computers.

Symmetric encryption is what large businesses typically use in internal environments to encrypt their at-rest data. Why? Because symmetric encryption is fast, convenient, and isn't super resource-intensive in terms of bandwidth and processing power.

Let's put it another way: Symmetric encryption = time savings + cost savings + strong security = a win for your business.

But symmetric encryption isn't perfect. In fact, it has a couple of important shortcomings that we have to talk about that mean that it can't stand on its own in public channels. But before we do that, let's first go over what asymmetric encryption is and why it's essential to the security of your data in public online environments.

What Is Asymmetric Encryption?

Now, let's take the concept of symmetric encryption and kick it up a level and you get asymmetric encryption. You see, asymmetric encryption is a cryptographic process that uses two separate keys — a public key and a private key — to encrypt and decrypt data. The keys are related but mathematically unique, unlike symmetric keys.

In asymmetric encryption, the public key encrypts it while the private key decrypts it. The public key is open and available to everyone, whereas the private key is intended to be kept secret. That's why asymmetric encryption is oh-so cleverly known as public key encryption.

Now, while this may sound perfect, asymmetric encryption isn't a one-size-fits-all tool for security. Because it uses two separate and larger keys, it makes it too unwieldly and impractical for large-scale business encryption applications. As such, it's better suited as an authentication mechanism in many cases. This is why many businesses defer to using asymmetric key exchanges for authentication purposes and symmetric encryption to actually secure the data itself during the session.

Don't worry — I'll also help you break down asymmetric key exchanges into layman's terms as well.

The Role of a Public Key Exchange in Website Security

There's a related aspect of asymmetric encryption that comes
into play way symmetric encryption. This is known as an asymmetric key
exchange, or a public key exchange. People often refer to asymmetric key
exchange protocols as encryption algorithms when it's not exactly true. It's
kind of like how your mom told you to call a close family friend "Uncle Don"
when, in fact, he wasn't a blood relative at all. It's not exactly true,
but it's close enough for general conversations.

Similarly, the key exchange process isn't truly a "key exchange," either. It's a bit of a misnomer. Rather, what it is, is a process that involves exchanging certain public variables and incorporating private variables to generate a shared key (i.e., a symmetric key) that only you and your intended recipient can create together.

No, don't worry, I'm not going to get into all of the mathematical specifics of how that process works here. And your friends or family certainly won't need you to dive into all of that business, either. But you can check out this great video to get into more of the specifics on how that all works:

Secret Key Exchange (Diffie-Hellman) - Computerphile

Basically, the takeaway here is that the so-called asymmetric key exchange process makes it possible for you to exchange specific data over an open (and insecure) internet connection to generate a matching key. And this perfect combination of the asymmetric key exchange protocol and symmetric encryption algorithm (and symmetric key) are what make it possible to enjoy secure, encrypted connections.

It's also important to note that this process is integral to the SSL/TLS
handshake in website security. The handshake is a process that allows your client to:

Authenticate the website's server, and
Agree upon certain necessary parameters to that make the secure connection possible (including deciding upon which encryption algorithm to use).

But asymmetric cryptographic process aren't the sole mechanisms used in website security. Symmetric encryption also plays a star role in website data encryption.

Asymmetric and Symmetric Encryption Are Complementary in Website Security

When it comes to website security, symmetric encryption and asymmetric cryptographic techniques go together like rock stars and bad life choices. You use techniques from one (asymmetric key exchange) to help make the other (symmetric encryption) more secure in public channels. In fact, you're actually using both of them right now to read this article.

You see, when you connect to a website, any data that you send to that site is sent via an insecure protocol by default. This insecure connection is known as the hypertext transport protocol, or HTTP. This is the same insecure "http" that you'll sometimes see when you click on website URLs that display this type of warning message:

Tisk, tisk, Apache.org. You know better than to leave your site insecure like this!

When you transmit data using HTTP, it means that it's sent via plaintext. And considering that when you connect to a website, because of how HTTPS works, you're actually punted between multiple touchpoints along the way. And this means that your data also passes through all of those touchpoints as well.

So, all of the types of data that you don't want falling into cybercriminals' hands — such as your name, address, credit card information, or other sensitive details — are vulnerable to being intercepted by bad guys.

When bad guys intercept your data in this way, it's known as a man-in-the-middle attack (MitM attack) because they're essentially inserting themselves into the middle of your communication. As a result, messages from you to another party will pass through them first, which gives them an opportunity to read or even modify your message before passing it along.

Needless to say, it's not only insecure, but it's also bad news for you and the person (or website) you're communicating with. So, to make this process more secure, website admins will instead opt to use the secure HTTPS protocol (which stands for "hypertext transport protocol secure") to transmit data between users and their web servers. They do this by installing an SSL/TLS (secure sockets layer/transport layer security) certificate — or what's otherwise known as a website security certificate.

This type of digital certificate ensures that you connect via HTTPS instead of the insecure HTTP protocol. It makes your web address bar in Google Chrome display a friendly secure padlock icon like this (instead of the "not secure" warning like earlier):

Image caption: As my grandfather loved to say, "this is more better." Every website should be using an SSL/TLS certificate to allow its users to securely
transmit data.

As a result, instead of sending plaintext data across the internet, you're sending gibberish ciphertext that no one can decipher without the requisite private key. That's a win for you and a loss for the cybercriminals who want to mess you over.

Asymmetric Key Exchange + Symmetric Encryption = Secure Connections

Remember how earlier I said that symmetric encryption had a few shortcomings? Well, the biggest one relates to key distribution. That's because there's only one key that could be known by a bunch of individuals. So, if you keep handing out that key to a bunch of different people, it gets harder to keep track of and can result in the key becoming compromised.

You see, with symmetric encryption, you have to distribute the key in a secure way and make sure that only those authorized have a copy. Otherwise, if some authorized individual intercepts it, then they can simply decrypt your messages all they want.

This means that either the keys must be exchanged in person or via a secure key exchange method. But if you're communicating with someone over the internet who's located across the world, that isn't really possible. This is where symmetric encryption comes into play. According to the National Institute of Standards and Technology (NIST), one of the leading authorities for cybersecurity standards, both types of encryption have their uses and work well together:

"Since asymmetric-key (i.e., public-key) cryptography requires fewer keys overall, and symmetric-key cryptography is significantly faster, a hybrid approach is often used whereby asymmetric-key algorithms are used for the generation and verification of digital signatures and for initial key establishment, while symmetric-key algorithms are used for all other purposes (e.g., encryption), especially those involving the protection of large amounts of data and for key distribution when entities share an already established symmetric key (e.g., established using manual distribution methods or asymmetric key establishment methods). For example, an asymmetric-key system can be used to establish a symmetric key via a key-agreement or key-transport process (see Sections 5.3.3 and 5.3.4, respectively), after which the symmetric key is used to encrypt files or messages or to distribute other keys."

Basically, this massive run-on statement is a fancy way of saying that you should use both asymmetric key exchange/agreement and symmetric encryption processes together to securely distribute the shared key and create an encrypted connection. This is perfect for those otherwise open (and insecure) public, multi-user environments.

Symmetric vs Asymmetric Encryption: Breaking Down the Differences

As you likely know, there are many ways that symmetric and asymmetric encryption differ in terms of how they work, the algorithms and keys they use, as well as when and where you should implement them. Let's go over a few of them.

Symmetric vs Asymmetric Encryption Use Different Algorithms and Key Sizes

Two of the biggest differences between symmetric and asymmetric encryption are:

The types of algorithms that they use, and
The sizes (lengths) of their respective keys.

Symmetric encryption algorithms are significantly faster and use smaller keys than their asymmetric counterparts. They can be used to encrypt and decrypt either blocks or streams of data. The keys tend to be smaller in terms of the number of random bits that they contain.

Asymmetric encryption algorithms, on the other hand, use more complex encryption algorithms and significantly larger keys. This makes them great for encrypting and decrypting data in public channels in small batches, but not so great for use at scale.

Okay, let's take a moment to compare their key lengths. I'll also break down some of the different encryption algorithms and key exchange agreements that fall under the umbrellas of symmetric and asymmetric encryption.

Asymmetric Vs. Symmetric Key Lengths:

If this is as clear as mud to you, let's have a quick comparison of what the difference looks like in terms of key lengths (using the random key generator at cryptotools.net):

Yeah, just a wee bit of a difference in terms of key lengths, am I right? Now you can see why we say that using symmetric encryption is significantly faster than asymmetric encryption when you're encrypting and decrypting data at scale.

So, what types of encryption algorithms are considered symmetric and which ones are asymmetric?

Asymmetric Vs. Symmetric Encryption (and Key Exchange) Algorithms:

The go-to standard for symmetric encryption is AES, or what stands for the advanced encryption standard. AES was announced as the replacement for the data encryption standard (DES) in October 2000.

For asymmetric encryption, RSA (which stands for its creators' surnames — Rivest, Shamir, and Adleman — is the encryption algorithm that's most commonly used. As far as key exchanges go, though, RSA is still in use in TLS version 1.2 but is being deprecated in lieu of Diffie-Hellman in TLS 1.3.

Each Type of Encryption Has Different Uses

Okay, let's quickly go over some of the different uses for both types of encryption. For example, symmetric encryption is best used for:

Quickly processing (encrypting/decrypting) large batches of data in non-public environments,
Website security (once the asymmetric key
exchange process takes place), and
Banking and payment card-related data security.

Asymmetric encryption processes, on the other hand, are best
used for:

Secure key agreements/exchanges to facilitate symmetric encryption,
Digital signature verification,
Hash generation and verification, and
Encrypting small batches of data.

Final Thoughts on Symmetric and Asymmetric Encryption

When it comes to website and general internet security, it's easy to see how both of these types of encryption have important roles that help make it possible.

Symmetric encryption is faster and best suited for encrypting data at rest and in combination with asymmetric key distribution methods in website security. And asymmetric encryption is great for smaller batches of data and for making symmetric encryption possible in public channels.

I hope this article has provided you with a little clarity about the differences between symmetric and asymmetric encryption, what each process is on its own, and how each applies to different situations and use cases.

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.

Chrome browser has a New Year’s resolution: HTTPS by default - Naked Security

Posted: 05 Jan 2021 06:56 AM PST

by Paul Ducklin

HTTPS, as you probably know, stands for secure HTTP, and it's a cryptographic process – a cybersecurity dance, if you like – that your browser performs with a web server when it connects, improving privacy and security by agreeing to encrypt the data that goes back and forth.

Encrypting HTTP traffic end-to-end between your browser and the server means that:

The content of your web request and the reply that comes back can't easily be monitored by other people on the network. This makes it much harder (nearly, if not absolutely, impossible) for attackers to eavesdrop on secrets such as passwords, credit card numbers, documents, private photos and other personal files that show up in your network traffic.
The content of the traffic can't easily be modified on the way out or back. HTTPS traffic isn't just encrypted, it's also subjected to an integrity test. This stops attackers sneakily altering or corrupting data in transit, such as replacing bank account numbers, changing payment amounts or modifying contract details.

Without HTTPS, there are many places along the way between your browser and the other end where not-so-innocent third parties could easily eavesdrop on (and falsify) your web browsing.

Those eavesdroppers could be nosy neighbours who have figured out your Wi-Fi password, other users in the coffee shop you're visiting, curious colleagues on your work LAN, your ISP, cybercriminals, or even your government.

This raises the question: if snooping and falsifying web traffic is so easy when plain old HTTP is used, why do we still have HTTP at all?

LISTEN NOW: UNDERSTANDING HTTPS/SSL/TLS

Click-and-drag above to skip to any point in the podcast. You can also <a href="https://soundcloud.com/sophossecurity/sophos-techknow-understanding">listen directly on Soundcloud</a>. (Note that we recorded this podcast back in July 2012. Since then, the number of Certificate Authorities trusted in most browsers has been energetically and deliberately reduced from about 650 to about 150; and Internet Explorer has been replaced by Edge.) <aside id="sophos_ad-3" class="widget sophos-inline-ad sophos_widget_ad"> </aside><h2>Remember Firesheep?</h2> It's now more than 10 years since a Firefox plugin called Firesheep hit the news – if you were interested in cybersecurity back in 2010, you will almost certainly <a href="https://nakedsecurity.sophos.com/2010/11/07/firesheep-potshot-at-free-speech/">remember that name</a>. Back then, many websites where security and privacy were important – examples include social networks, car rental firms, online support forums and even banks – paid only lip service to HTTPS. They would use encrypted connections when it would very clearly have been dangerous to do otherwise, such as on the login page where you entered your actual password, or on the payment page where you put in your credit card details. But they would drop back to HTTP for everything else because it was a bit faster and easier – you didn't need to spend extra time and CPU power at each end encrypting and decrypting every data packet that you sent and received. <h2>Ignore the encryption and focus on the rest</h2> What Firesheep did was to turn the Firefox browser into an easy-to-use network sniffer – that's the jargon term for a network surveillance tool – that just about anyone could use, regardless of their technical skill. Firesheep would automatically sniff out other people's social networking connections, wait until after the secure login part that couldn't be eavesdropped because of HTTPS encryption, and then target the insecure HTTP traffic that followed. Firesheep would read in the headers from those unencrypted HTTP web requests, extract the session cookies or authentication tokens that denoted the user's identity, use the stolen authentication data to impersonate the unfortunate user, and hijack their account. All of this was done automatically, right inside a browser where an attacker could point-and-click to exploit any hacked accounts at once. In theory, anyone in the coffee shop around you could have been running Firesheep, digging around in your Facebook account or posting on your Twitter feed, and you wouldn't have realised until it was too late. <h2>HTTP considered harmful</h2> Firesheep certainly put the cryptographic cat amongst the pigeons, if you will pardon the mixed faunal metaphor. Indeed, the Firesheep story was an important catalyst in persuading most of the major players in search, social media and online services to bite the bullet and use HTTPS all the time. Facebook, for example, made "HTTPS always" an option in 2011, turned it on for everyone in North America in 2012, and by 2013 had pretty much <a href="https://nakedsecurity.sophos.com/2013/08/02/facebook-users-worldwide-minus-some-mobile-phones-now-getting-secure-web-browsing-by-default/">abandoned HTTP altogether</a>. Apple's App Store <a href="https://nakedsecurity.sophos.com/2013/03/09/apple-finally-adopts-https-for-the-app-store-here-is-why-it-matters/">moved over to HTTPS</a> in 2013; Microsoft pledged to <a href="https://nakedsecurity.sophos.com/2013/12/09/microsofts-anti-nsa-encryption-pledge-raises-questions/">encrypt almost everything</a> back in 2013; and Google made Gmail <a href="https://nakedsecurity.sophos.com/2014/03/21/google-switches-gmail-to-https-only/">HTTPS-only</a> in 2014. By 2015, Google's search ranking algorithms were downvoting sites that didn't offer HTTPS versions; in 2017, the search giant started publicly shaming login and credit card pages that still used HTTP by labelling them "not secure"; and by 2018, Google was <a href="https://nakedsecurity.sophos.com/2018/02/12/you-have-five-months-to-switch-your-website-to-https/">applying that label</a> to any website that hadn't upgraded to HTTPS. HTTP, in other words, has been inexorably waning for the past decade. <h2>Why aren't we there yet?</h2> Well, it's 2021, and the vast majority of websites now support HTTPS. Think of how long it's been since you found a mainstream website – indeed, any website – that didn't offer HTTPS if you insisted… …and you will arrive back at the question we posed above: why do we still have HTTP at all? More importantly, why is HTTP still the default choice of your browser if you type an URL into the address bar and don't explicitly put <code>https://</code> at the start? Why don't browsers these days assume we mean HTTPS unless we go out of our way to type in <code>http://</code> instead? The simple answer is that there are still enough non-HTTPS websites left out there that switching to HTTPS by default would cause sufficiently many transitory technical hassles to be disruptive. Sadly, inadvertent disruptions caused by well-meaning efforts to improve cybersecurity often have the undesirable and paradoxical consequence of luring less well-informed users into deliberately reducing the security they already have, as a "workaround" to bypass the "problem". Nevertheless, it really does look as though HTTP finally is on the way out, based on the evidence of a code change that was added to the Chromium browser project on the very last day of 2020. Chromium, of course, is the Google open source project that forms the core of many modern browsers, including Chrome, Edge, Vivaldi, Brave, Opera and many others (the only mainstream browsers not based on Chromium are Firefox and Safari). The change is <a href="https://chromium-review.googlesource.com/c/chromium/src/+/2568448" rel="nofollow">documented as follows</a>: <img alt="" class="aligncenter size-full wp-image-544400" height="369" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/code-change-640.png" srcset="https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/code-change-640.png 640w, https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/code-change-640.png?resize=300,173 300w, https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/code-change-640.png?resize=100,58 100w" width="640"/> <pre> Default typed omnibox navigations to HTTPS: Initial implementation Presently, when a user types a domain name in the omnibox such as "example.com", Chrome navigations to the HTTP version of the site (http://example.com). However, the web is increasingly moving towards HTTPS, and we now want to optimize omnibox navigations and first-load performance for HTTPS, rather than HTTP. This CL [change list] implements an initial version of defaulting typed omnibox navigations to HTTPS. [...] </pre> (What Google calls the omnibox is just a fancy name for what most of us still call the address bar – "omni" because you can use it for searching as well as navigating.) Unfortunately, we're still a long way off this being a default, because the above change notification also points out: <pre>This is a minimal implementation and is not ready for general usage. Future CLs are going to observe upgraded HTTPS navigations for several seconds instead and cancel the load when necessary, instead of indefinitely waiting for HTTPS loads to succeed. This CL also lacks many quality of life improvements such as remembering which URLs fell back to HTTP. These will also be added in future CLs. </pre> In plain English, this means that the final goal is not going to be quite as dramatic as banning HTTP altogether. The Chromium developers currently seem to be aiming for a system where HTTPS will be preferred by default, but that the system will not only fall back automatically and quickly back to HTTP if needed, but also remember which sites "prefer" HTTP, thus helping to keep HTTP alive that little bit longer. <h2>What do you think?</h2> Intriguingly, changes of this sort often end up becoming curiously controversial, as you can see from the range of Naked Security comments on the articles we've linked to above. A small but vocal minority seems convinced that Google, Microsoft, Firefox, Apple and others are promoting HTTPS simply to inconvenience small businesses and community websites, even though HTTPS certificates can now be <a href="https://nakedsecurity.sophos.com/2020/03/02/lets-encrypt-issues-one-billionth-free-certificate/">acquired for free</a> and kept up-to-date easily. But we think that railing against HTTPS is a bit like refusing to wear a seatbelt when you are in a car, and telling your friends that you won't give them lifts any more if they inisist on wearing theirs… …with the likely outcome that your friends will quietly stop going anywhere with you at all. So, if you still haven't upgraded your website to support HTTPS, we suggest that you make it your own New Year's Resolution for 2021! <div> HOW TO ENABLE HTTPS-ONLY IF YOU'RE A FIREFOX USER Interestingly, Mozilla started out on the road to banishing HTTP in a slightly different way. If you're a Firefox user, you already have access to "HTTP-Only" mode on the Settings > Preferences > Privacy & Security page: <img alt="" class="aligncenter size-full wp-image-544401" height="223" loading="lazy" sizes="(max-width: 759px) 100vw, 759px" src="https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/ff-setting-760.png" srcset="https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/ff-setting-760.png 759w, https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/ff-setting-760.png?resize=300,88 300w, https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2021/01/ff-setting-760.png?resize=100,29 100w" width="759"/> <pre> HTTPS provides a secure, encrypted connection between Firefox and the web sites you visit. Most websites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS. </pre> Note that this option is much stricter than what Chromium is proposing, which is why it's not on by default: if you enable HTTPS-only in Firefox, you won't be able to use HTTP even if you want to. </div> <hr/>

Search This Blog

Android Full Encryption

Which Encryption Mechanism Should You Use? - Built In

Which Encryption Mechanism Should You Use? - Built In