We saw 2017 tip the scales for HTTPS. In 2018, web encryption continues to improve. EFF has begun to shift its focus towards email security, and the security community is shifting its focus towards further hardening TLS, the protocol that drives encryption on the Internet.
By default, all Internet traffic is unencrypted and subject to tampering, including HTTP. A technology called TLS (Transport Layer Security) can provide authenticated encryption and message integrity so no one can mess with or listen in on your Internet traffic. Since 2010, EFF has been actively campaigning to encrypt the entire web—that is, for websites to adopt HTTPS, which is TLS added to HTTP. Due to the success we’ve seen on web, EFF is zooming out and tracking encryption of the entire Internet, starting with email.
Let’s take a closer look at what has happened this year in encrypting not just the web, but the entire Internet!
Continuing the Trend in Encrypting the Web
It has been a landmark year in encrypting the web. As of writing, 77% of pageloads across the world in Firefox are over HTTPS, and that number looks even higher on Chrome.
On the browser side, HTTPS Everywhere continues to see improvements in both user experience and security. With over a million daily active users and over five million downloads just this year, the extension is in a great position to provide more security features to users as HTTPS support continues to rise. The extension provides a more complete and up-to-date dataset of websites that support HTTPS, which can help navigate more severe security errors and help push insecure sites to make the move to HTTPS through user advocacy. We hope in the next year to provide a platform for users to encourage even more sites to support HTTPS.
Thanks to Let’s Encrypt and Certbot, it’s easier than ever to turn on HTTPS for your website. In February, we were excited that Let’s Encrypt had issued 50 million active certificates. Today, this number has reached 87 million! Certbot operates at a similar scale, with millions of users using Certbot every month to obtain and renew their certificates. And it’s continuing to improve—at the beginning of the year, a new version of ACME (the protocol that drives Let’s Encrypt and Certbot) was released, allowing website owners to obtain wildcard certificates in an easy and automated way.
And it’s not just EFF. The entire ecosystem is working together to make web more secure. In July, Chrome began marking HTTP sites as “not secure,” leading to a noticeable increase in worldwide HTTPS adoption. Hosting providers like GitHub Pages have started providing Let’s Encrypt certificates too, making “turning on HTTPS” a one-click process for their customers.
And these examples are just a couple small drops in a giant wave of HTTPS. The ecosystem is on board and as excited as we are to make the insecure web a relic of the past.
Onwards, Towards Encrypting the Net
Given the success in encrypting the web, EFF is broadening the scope of its mission to encrypting the entire Internet—starting with email. As of this year, Let’s Encrypt certificates are now trusted by all major root programs, meaning it’s trusted by major operating systems and devices, in addition to browsers. We can safely assume that every modern computing device has the means to authenticate a Let’s Encrypt certificate, so let’s get started!
This year, EFF rebooted STARTTLS Everywhere, an initiative to track the security of the email ecosystem. According to Google’s Transparency Report, approximately 90% of emails sent to or from Gmail are encrypted using STARTTLS. However, not only is STARTTLS vulnerable to a simple downgrade attack, but email has no widely-used TLS certificate authentication mechanism. This means it’s also vulnerable to on-path impersonation attacks. Similar to HTTPS Everywhere’s rulesets and the HSTS preload list on modern browsers, we’re maintaining and distributing a list of mailservers’ TLS information.
Certbot has also released some improvements that make it easier to use with mailserver software.
And just a couple months ago, the Internet Engineering Task Force (IETF) published two RFCs (Request for Comments, typically documents that describe new Internet standards), MTA-STS and TLSRPT, which have been in the works since 2014. MTA-STS provides a way for mailservers to discover other mailservers’ TLS information, and TLSRPT closes an error-reporting feedback loop that may help lower breakages from TLS misconfigurations, thus lowering the risk of deploying new security standards.
In the realm of Encrypting the Net, 2018 has also seen several improvements to TLS itself. The specification for TLS 1.3 has landed, making TLS way faster by shortening the initial handshake drastically, and hardening its security by enabling forward secrecy by default.
To work properly, TLS relies on third parties called Certificate Authorities (CAs) like Let’s Encrypt to behave. Certificate Transparency, a technology to dramatically increase CA accountability and auditability, has gained a lot of traction in 2018. Starting in April, Chrome started requiring Certificate Transparency for all newly issued certificates. Let’s Encrypt also rolled out full support by embedding Certificate Transparency proofs in their issued certificates.
Finally, we saw a number of experiments and continuing work with DNS-over-HTTPS, DNS-over-TLS, and Encrypted SNI, which help protect Internet-browsing metadata from being exposed to network eavesdroppers.
We’ve come a long way, but still have a long way to go. Let’s resolve to close the gap and really get “HTTPS everywhere” next year. Here’s to hoping 2019 will be as fruitful for Internet security as the past couple of years have been for web security.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2018.
Like what you're reading? Support digital freedom defense today!