Encrypting the Web
The web is in the middle of a massive change from non-secure HTTP to the more secure HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it vulnerable to eavesdropping and content hijacking. HTTPS fixes most of these problems. That's why EFF, and many like-minded supporters, have been pushing for web sites to adopt HTTPS by default. As of 2016, about half of all web page visits use HTTPS. This is a big improvement over the past, but we still have work to do.
We're calling on all web site owners to implement HTTPS by default, and we're providing the tools to do it.
For many years, web site owners chose to only implement HTTPS for a small number of pages, like those that accepted passwords or credit card numbers. However, in recent years, the Internet security community has come to realize that all web pages need protection. Pages served over HTTP are vulnerable to eavesdropping, content injection, and cookie stealing, which can be used to take over your online accounts.
Content injection is when someone adds data or code to your communications with an HTTP web page. For example, it's how GCHQ and NSA took over a Belgian ISP's computers. Content injection is also how China took down GitHub with a massive DDoS attack, dubbed "The Great Cannon". Content injection is also becoming popular with ISPs. Verizon injected tracking headers into every request made by their customers. And Comcast injects pop-ups into sites where they don't belong. All of these attacks can be stopped by HTTPS, provided it is implemented and made default on enough sites.
What you can do as an individual
Unfortunately, you can only use HTTPS on websites that support it, and there are still lots of sites that don't. However, a lot of sites partially support HTTPS— they make HTTPS available but don't send visitors to the HTTPS version by default.
EFF created and maintains a browser extension, HTTPS Everywhere, that has a list of many such sites, and will take you to their HTTPS version automatically. We recommend installing it in all your browsers to make you safer from eavesdropping and content injection on the sites it lists.
You can also check your favorite sites. When you visit them, does the URL bar at the top of your browser show "https://"? If not, you should contact the people who run those sites and demand HTTPS support. Feel free to link them here for a description of why it's important.
What you can do as a web site owner
We're encouraging everyone who runs a web site to offer HTTPS and redirect visitors to HTTPS by default. Offering HTTPS has gotten a lot cheaper in the last 10 years, and today it won't slow down your site or make it use more server CPU. In fact, offering HTTPS makes it possible for sites to implement the modern HTTP/2 standard, which can dramatically speed up web browsing relative to HTTP.
Offering HTTPS requires getting a certificate from a certificate authority. It used to be expensive and complicated to get a certificate, but a new certificate authority, Let's Encrypt, offers free certificates to the public using an API that enables easy automation. Let's Encrypt is a joint project of EFF, Mozilla, and many other sponsors.
If you manage your web site entirely through a web interface, the easiest approach is for your hosting provider to integrate Let's Encrypt support as a setting you can turn on. Many hosting providers already support Let's Encrypt, and many more add support all the time.
If you have shell access on your hosting provider, you can use Certbot, a tool developed by EFF. Certbot can get you a free certificate from Let's Encrypt. It can also automatically configure your Apache or Nginx server to correctly use that certificate.
What you can do as a hosting provider
We encourage all hosting providers and CDNs to offer HTTPS by default for their customers, at no additional cost versus their HTTP services. Many already have, like Cloudflare, OVH, WordPress.com, and SquareSpace. The Let's Encrypt integration guide has additional details on how to best implement HTTPS by default. We look forward to seeing free, automatic HTTPS become the industry standard for web hosting.
EFF Related Content: Encrypting the Web
- "There has been a crazy chicken-and-egg problem holding up the deployment of secure encryption on the web," said Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation and co-founder of the Let's Encrypt project. "Browsers tried to protect users by blocking insecure parts of secure HTTPS pages, but that...
- After more than 15 years as a web developer and environmental and human rights activist, Bill Budington kept noticing the same problems. Whether it was unpatched hosts or outdated and expired software, many of the non-profits he worked with were highly vulnerable to cyber attacks. Making matters worse, Bill noticed...
- Last weekend EFF took part in the Eleventh Hackers On Planet Earth (HOPE) conference in New York City and got to meet so many of our wonderful supporters. We've collected the HOPE talks given by EFF staff below, with the official program abstract, video, and where applicable, the original slides...
- Google also recently announced an optional end-to-end encrypted mode in its new messaging app, Allo — but the move drew fire from some privacy advocates, who typically cheer advances in commercial encryption. “Hey @google, what the shit? You support encryption? Turn it on by default, or don't bother playing,” tweeted...
- “It meant that there was one person in Washington who had a clue about [encryption], which previously it looked like there were zero people in Washington who had a clue about this,” John Gilmore, the founder of the Electronic Frontier Foundation and one of the leaders of the Cypherpunks group,...