
The wealth of personal information we share online has grown exponentially since 1994, the inception of the Secure Sockets Layer (SSL) Protocol.

The Internet is awash with passphrases, credit card details, and online banking data. We have SSL certificates to thank for our security and privacy. But you’ve probably heard of recent flaws that have dented your trust in the cryptographic protocol.

Fortunately, SSL is adapting, being upgraded and replaced to give you better peace of mind. Here’s how.

What is SSL Anyway?

Let’s start with exactly what SSL is.

SSL certificates are digital authorization documents that can be obtained by an organization or individual running a site that deals with sensitive information. They ensure that data can be transported securely between web server and browser, that this information hasn’t been intercepted, and that its sources are genuine.


Check out Amazon, for example. Look at the URL, and instead of a typical HyperText Transfer Protocol (HTTP) address, you should be redirected to an HTTPS one — that additional “S” means it’s a secure link, and you’re safe to pay for items via the site. Hotmail, WordPress, and even Tumblr use SSL certificates.

It’s great for the consumer (who knows their data is being treated responsibly), and for the seller (who not only benefits from buyers’ trust, but also gets ranked higher by Google).

However, nothing’s infallible, and a few SSL flaws exposed within just the last year attest to that. Thankfully, web browsing is becoming more secure again…

TLS Upgrades

You might have seen SSL and Transport Layer Security (TLS) used interchangeably, and while the differences are perhaps subtle, they remain noteworthy.


Both use the same system of encrypting data, and conferring with the certificate authority (CA) before making that connection. TLS, though, is SSL’s successor, so it stands to reason TLS would be securer. Indeed, its three incarnations — TLS 1.0, 1.1, and 1.2 — iron out some of the vulnerabilities found in the SSL method.

TLS 1.3 has been around since 2008, but as the flaws in the previous versions were considered so minuscule they wouldn’t affect “real-world” situations, it’s taken until very recently for its mass implementation. In fact, back in 2013, it appeared that even the National Security Agency (NSA) wasn’t targeting domains running TLS protocols because so few actually used it. Now, though, a mandate from the PCI Security Council has forced any site that transmits or processes cardholder information into upgrading.

What’s more, all major browsers — Google Chrome, Microsoft Edge, Safari, Firefox, and Opera — support TLS 1.2 by default, so that level of encryption is assured by both parties. Note, however, that the mandate appears to apply solely to payment details, not login information.

Encryption Everywhere

Upgrading certificates is only useful if it’s widely adopted, and that’s not the case. All e-commerce sites need security practices, and the majority really should have SSL or TLS. Many rely on the protection of third-party payment processors, like PayPal (this seems to be a loophole in the PCI Security Council mandate), but if a site accepts private information, it should use a secure layer.


If your connection isn’t private, data including email address and password when logging in can be acquired by hackers. And because most people tend to use the same passwords on multiple sites (despite all the warnings), that could be vital information.

Nonetheless, many sites don’t adopt SSL protocols because it can be costly, and it can be complicated. That’s where Symantec’s Encryption Everywhere program comes in.

The American security firm is offering a freemium service, whereby the certificate is obtained completely free of charge, with upgrades (like malware scans) available at a cost. Partnerships with hosting companies take the complexities out of the hands of site admins, while automated updates streamline the process of addressing any further vulnerabilities.

This is in a bid to get 100% security layer use by 2018, so we expect it to be adopted by the majority of sites very soon.

Let’s Encrypt

But wait! Symantec isn’t the only one striving for web-wide SSL/TLS encryption.


Let’s Encrypt seems to be riding the wave of more recent flaws; launched to the public in December 2015, the project already has numerous major international sponsors including Google Chrome, Mozilla, Facebook, Shopify, YunPian, and Akamai. Run by the Internet Security Research Group (ISRG), Let’s Encrypt has, as of this month, issued more than 5 million certificates and is projecting 50% HTTPS page loads by the end of this year.

Why is Let’s Encrypt proving popular? Simply because it’s free and automated, meaning it’s incredibly easy for sites to get certificates and upgrades.

The process starts with a new key pair and proof to the CA that the applicant controls the domain; once this is verified using the Automated Certificate Management Environment (ACME) protocol, the site software can sign certificate management messages with the key in order to renew and revoke certificates, or create new ones for the same domain.
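How that proof of domain control is tied to the key pair, shown as an added example (not from the original article and not Let’s Encrypt’s own code). It goes one step beyond the text by following the ACME specification (RFC 8555): the CA issues a random token, and the site publishes the token joined to a hash of its account public key. The key values, token and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Members RFC 7638 requires in a key thumbprint, per key type.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed account public keys in JWK form; the coordinates are made-up
# placeholders, not real P-256 points. Only the public half is ever hashed.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "Y29uc3RydWN0ZWQteC1jb29yZGluYXRl",
               "y": "Y29uc3RydWN0ZWQteS1jb29yZGluYXRl"}
OTHER_JWK = dict(ACCOUNT_JWK, x="YW5vdGhlci1jb25zdHJ1Y3RlZC1rZXk")
TOKEN = "constructed-token-0123456789"  # in practice the CA picks this at random


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, with no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Binds the CA's challenge token to one specific account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(token: str, account_jwk: dict) -> tuple:
    """(path, body) the site serves over HTTP for the http-01 challenge."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(name, value) of the TXT record for the dns-01 variant of the proof."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


def ca_accepts(token: str, account_jwk: dict, served_body: str) -> bool:
    """CA side: recompute from the key on file and compare in constant time."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.strip().encode(), expected.encode())
```

Because the published value depends on the account key, someone who can only read the token cannot pass validation for a different account.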

Let’s Encrypt is arguably the best known project to offer free certificates, and between these major programs, it certainly appears to be a trustworthy cause.

Convergence

You might be disillusioned with SSL certificates, however.

Their reputation has been damaged in recent years: most have at least heard of Heartbleed, a vulnerability in the open-source cryptography library, OpenSSL, which allows hackers to read unencrypted information. Heartbleed affected a lot of services, but that was two years ago and a fix is available. But then last year, there was Superfish, malware that rendered HTTPS moot; this, too, has been patched.


And it’s not confined to your PC either: your smartphone apps are affected by SSL flaws too.

Convergence, then, is a browser add-on that many confuse with a system that replaces SSL certificates; more than anything, though, it’s the next stage for CAs. Essentially, instead of trusting one CA vouching for a site’s authenticity, Convergence turns to notary services to attest to the site’s security.

You visit an HTTPS address. There are three main outcomes: all notaries agree it’s safe, in which case, you use the site; not all concur, but you can go with the majority or reject the site because you don’t trust the notaries that do vouch for it; or in extreme cases, most or all of the notaries agree it’s not to be trusted. That way, there’s no single point of failure.

Think of it this way: it’s a convergence of opinions on whether a user can trust the HTTPS.
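The three outcomes above as a decision function, in an added example that is not Convergence’s own code. The notary names, the use of SHA-256 fingerprints, the minimum number of answers and the rule for the split case are all assumptions made for illustration; the sample certificates are constructed.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    UNANIMOUS = "all notaries agree"
    SPLIT = "a majority agrees, some do not"
    REJECTED = "most or all notaries disagree"


def fingerprint(cert_der: bytes) -> str:
    """Hash of the certificate bytes; SHA-256 is an assumption of this sketch."""
    return hashlib.sha256(cert_der).hexdigest()


def evaluate(presented: str, notary_views: dict, min_answers: int = 2):
    """Compare what the server showed us with what each notary saw.

    notary_views maps a notary name to the fingerprint it observed, or to
    None when the notary could not be reached. Silence is never counted as
    agreement, and too few answers (or a tie) fails closed.
    """
    answers = {n: fp for n, fp in notary_views.items() if fp is not None}
    agreeing = sorted(n for n, fp in answers.items() if fp == presented)
    if len(answers) < min_answers or 2 * len(agreeing) <= len(answers):
        return Verdict.REJECTED, agreeing
    if len(agreeing) == len(answers):
        return Verdict.UNANIMOUS, agreeing
    return Verdict.SPLIT, agreeing


def accept(verdict: Verdict, agreeing: list, distrusted=frozenset()) -> bool:
    """User policy for the split case: follow the majority unless every
    notary vouching for the site is one the user does not trust."""
    if verdict is Verdict.UNANIMOUS:
        return True
    if verdict is Verdict.SPLIT:
        return any(n not in distrusted for n in agreeing)
    return False


# Constructed sample data: two certificates and three hypothetical notaries.
GENUINE = fingerprint(b"constructed genuine certificate")
INTERCEPT = fingerprint(b"constructed interception certificate")
NOTARIES_OK = {"notary-a.example": GENUINE, "notary-b.example": GENUINE,
               "notary-c.example": GENUINE}
NOTARIES_SPLIT = {**NOTARIES_OK, "notary-c.example": INTERCEPT}
```

A browser that is shown the interception certificate while every notary still sees the genuine one gets `REJECTED`, which is the case a single compromised CA cannot cover up.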

How Is the Internet Becoming Securer?

In a nutshell: the SSL certificates that authenticate sites are being upgraded to TLS, most importantly on domains like PayPal that deal with payment information. These are being rolled out en masse, with the aim of 100% HTTPS usage in the next few years. The CAs, too, are being reassessed and the Convergence add-on appears a solid stage in verifying how trustworthy a site is by relying on notaries to agree.

Do these measures give you faith in SSL again? Do you feel safe inputting payment details online? What further security protocols would you like to see widely implemented?

Image credits: HTTPS (WeTransfer) by Christiaan Colen; and https by Sean MacEntee.

  1. Read and Share
    June 30, 2016 at 12:40 am

    I get very confused when I read about all these advances in browser safety... and then articles about how malware can take control of my computer just by virtue of my visiting one bad webpage!?!
