Making Web Ecosystem Safer – Certificates, Browsers, Web

Lukasz Olejnik

Unsecured ways of web browsing are fading away at an accelerating pace. At a technical level, this is thanks to the increased deployment of Transport Layer Security (TLS)-enhanced HTTP on the web (visible in the URL bar of your web browser as HTTPS). Recent data as reported by LetsEncrypt, citing Firefox metrics, indicates that over 70% of websites are now accessed via this secured protocol, and those numbers are quickly increasing. We have reached an important milestone in information security.

This has not happened overnight. Getting here involved years of security research, engineering, awareness and incentive building. Public pressure played a significant part as well. Higher standards of information security mean improved user trust in the services offered on websites, and stronger opportunities for users to understand who they are trusting, and with what information. But to fully appreciate the road from there to here, I will focus on the technical foundations of web browsers. Three game-changing factors are particularly worth mentioning:

  1. The rise in availability of affordable HTTPS certificates thanks to providers such as LetsEncrypt;
  2. flagging of connections to websites as “Not Secure” by major web browsers (Chrome 68 made it the default as of July 2018);
  3. the evolution of the web, driven by standardisation of browser mechanisms.

In simple terms, TLS-enhanced HTTP guarantees three important things:

  1. The web user trusts the identity of a website;
  2. data integrity, namely that the transmitted data remains the same data and is protected from alteration or tampering during the user-server connection;
  3. data confidentiality, meaning any transmitted data is accessible only to the parties of the user-server connection, is guaranteed.

Certificates

LetsEncrypt (LetsEncrypt.org) is a service launched by Internet Security Research Group (ISRG), a consortium “sponsored by a diverse group of organizations, from non-profits to Fortune 100 companies.” LetsEncrypt offers cryptographic certificates for HTTPS free of charge. At the time of its launch, it was a game changer. Not only did LetsEncrypt remedy an earlier problem of the expensive cryptographic certificates necessary for HTTPS, but it also provided a simple, technical way for managing certificate renewals. Additionally, any cryptographic certificate worth its name is only valid for a limited period of time, after which the certificate holder needs to reassert continued interest. Certificate renewals ensure that the certificate is up to date even considering new security threats, and that the holder still exists.

One historical obstacle facing a broad adoption of encrypted traffic was the relative computation overhead introduced by cryptographic operations needed in the use of TLS. Fortunately, modern equipment such as servers are powerful enough and this concern is no longer valid.

Aside from making it easy for any system owner to act on the altruistic desire of making web browsing safer for users, the rising numbers of secure web connections are motivated by other factors, too.

‘Not Secure’ flags

Web browser vendors started marking websites accessed via HTTP that is not TLS-enhanced with a “Not Secure” flag next to the URL bar. This may negatively impact user trust towards a website. In particular, it serves as a motivation for decision makers (owners, managers, etc.), and developers. Sticking to HTTP is increasingly looking unsustainable from a trust perspective.

But while browser flags are among the crucial strategic motivators for better information security on the web that are relatively well known, there are other important components of the web ecosystem that contribute to the increased interest in secure connections. Namely, standardisation.

Modern Web features require HTTPS

Modern web features make browsers powerful. Some examples are:

  • Mechanisms such as the ability of using low-level hardware (e.g. sensors).
  • Ability to make connections outside of the Internet, even with Bluetooth or USB.

The web browser can make these features accessible from the level of the website the user is visiting. These browser features are powerful and sensitive, and they are made, by design, available only via secured channels. From a technical perspective, this is achieved by permitting browser features to function only when accessed within “Secure Contexts” (https://www.w3.org/TR/secure-contexts/). Among the elements required to be classified as a secure context is having an HTTPS connection.
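To make the gating concrete, the following added example (not code from the article or from the W3C) sketches a simplified version of the specification's "potentially trustworthy origin" test and reports which of the features named above a page at a given URL could be offered. The function names, the feature list and the sample URLs are constructed for illustration; other schemes (about:, data:, vendor-specific) are out of scope and treated as not trustworthy here.

```javascript
// Simplified sketch of the "potentially trustworthy origin" test from the
// W3C Secure Contexts specification. Inside a real page, read
// window.isSecureContext instead: it also accounts for ancestor frames.

// Features named in the article; each is exposed only in secure contexts.
const GATED_FEATURES = ["Generic Sensor API", "Web Bluetooth", "WebUSB"];

// Loopback hosts count as trustworthy even over plain HTTP, because the
// traffic never leaves the machine (this is what keeps local development usable).
function isLoopbackHost(hostname) {
  if (hostname === "[::1]") return true;                  // IPv6 loopback
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(hostname);
  if (m) return Number(m[1]) === 127;                     // 127.0.0.0/8
  const name = hostname.replace(/\.$/, "");               // ignore trailing dot
  return name === "localhost" || name.endsWith(".localhost");
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;                                         // unparseable input
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol === "file:") return true;              // local files
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return isLoopbackHost(url.hostname);                  // plain HTTP: loopback only
  }
  return false;                                           // out of scope in this sketch
}

// Which gated features could a top-level page at this URL be offered?
function exposedFeatures(urlString) {
  return isPotentiallyTrustworthy(urlString) ? [...GATED_FEATURES] : [];
}

// Constructed sample URLs.
for (const u of ["https://shop.example/", "http://shop.example/",
                 "http://localhost:3000/", "http://127.0.0.1.example.com/"]) {
  console.log(u, "->", exposedFeatures(u).join(", ") || "(none)");
}
```

The last sample URL shows why the loopback check has to match the whole host name: a public host whose name merely begins with 127.0.0.1 is not local and gets nothing.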

Consequently, to make a modern web application, HTTPS is becoming the norm. HTTPS is now additionally an initial element of the setup, rather than the last element. The adoption of HTTPS will be further accelerated by modern web design patterns, because information security can no longer be an afterthought. Developers themselves will help in making this happen.

With a broad adoption of secure connections via HTTPS, many security issues of the past will be resolved. This process will take some time, but not too long. This aspect of security and privacy will be in good shape soon; and we will all benefit from it.


Lukasz Olejnik is a security and privacy researcher and advisor. He specializes in web security and privacy, privacy engineering, privacy reviews, and privacy impact assessments. He has industry, research and technology policy experience, including cybersecurity and privacy policy. He contributes to privacy reviews of web standards as a W3C Invited Expert. He completed his Ph.D. at INRIA (Grenoble, France), where he was a member of the Privatics Team. He was a Research Associate at University College London. Lukasz is an affiliate at Princeton’s Center for Information Technology Policy. He is also currently a scientific advisor at an international organisation.