Are you finding that more and more of the sites you visit on the World Wide Web are flagged with a warning that they are insecure? Whether it’s a message that fills the page of your browser or a more subtle indicator, such as the padlock next to the web address at the top of the screen, fewer sites are getting a clean bill of health.
The reason is largely down to a campaign driven by internet companies to “encrypt everywhere”. Data interception by malicious hackers is inevitable, they argue, so best practice is not to send anything over the internet that hasn’t been encrypted first. That means, even if someone does look at what you’re sending, they can’t read it.
You can tell a site supports encryption in two ways. The first is that the address starts with “https://” rather than the more common “http://”; the second is a padlock icon next to the address (in Google’s Chrome browser, for example, a green padlock). A padlock that is crossed out or shown in red means the browser could not verify the site’s certificate, which is a worse sign than no encryption at all. The exact icons vary between browsers and versions, and a padlock only tells you that the connection is encrypted and the certificate checked out; it says nothing about whether the people running the site are honest.
Up until now, only pages that asked for sensitive details, such as passwords or bank account numbers, triggered the more prominent warning in your browser. Now any page served without encryption that contains a form field of any kind is marked with an alert.
The hope is that the more sites start losing visitors because of these warnings, the more they will adopt best practice and encrypt everywhere.
The history of encryption
Ever since humans began to communicate, we’ve been working out new ways of passing messages among one another that others can’t intercept or interpret. From the Tower of Babel to Cold War spies, communication has been as much about whom we don’t want to talk to as it has been about whom we do.
Encryption even drove the development of modern computers. Colossus, the first programmable electronic digital computer, was built specifically to help break the enciphered teleprinter messages exchanged by the German high command in World War II.
Until then, enciphering a message meant scrambling its letters either by hand or with mechanical devices such as rotor machines. With computers, complicated mathematical algorithms can produce ciphers that cannot be broken in any useful amount of time, as long as the keys stay secret.
Today’s online encryption relies on public-key cryptography, wrapped in a system called “Public Key Infrastructure”, or PKI for short. Public-key cryptography tackles the fundamental problem of encryption: how can you send someone an encrypted message without first sending them the secret needed to decrypt it, over the very channel you don’t trust? PKI is the part that lets you check that a public key really belongs to the site it claims to.
Public-key cryptography uses a pair of mathematically linked keys, which are long random numbers rather than secret phrases. One, the public key, can be handed out freely and is used to encrypt; only the other, the private key, can decrypt, and the server keeps that one to itself. When your browser connects to a webserver over HTTPS, the server sends its public key as part of its certificate. In the original design of the protocol, your browser then picks a random session key, encrypts it with the server’s public key and sends it over; only the server, holding the private key, can read that message.
That session key, now known only to the webserver and your browser, is used to encrypt all further traffic in that session with a much faster symmetric cipher.
It doesn’t matter if any of the messages are intercepted: an attacker who records the whole exchange still needs the webserver’s private key to recover the session key, so your bank details, passwords and other personal information are safe while in transit. That dependence on one long-term key is also the scheme’s weakness, because anyone who records the traffic and later obtains the private key can decrypt all of it. Modern HTTPS (TLS 1.3, and most TLS 1.2 configurations) therefore uses the certificate’s key only to sign the handshake, and each side generates a fresh, throw-away key for every connection to agree the session key, so a stolen server key cannot unlock past sessions. This property is called forward secrecy.
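The two exchanges described above, as an added Go example that is not part of the original article and does not use any browser or server’s real code: rsaKeyTransport models the RSA key transport the article describes, sessionCipher builds the symmetric cipher both sides then use for traffic, and ephemeralExchange shows the TLS 1.3 style agreement in which the certificate key only signs. The RSA key pair stands in for a site’s certificate key, the sample request is constructed, the session key derivation is a plain hash where TLS uses HKDF, and the crypto/ecdh package assumes Go 1.20 or later.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// rsaKeyTransport models the exchange the article describes (RSA key transport,
// the TLS 1.2-and-earlier design): the browser picks a random session key and
// encrypts it to the server's long-term public key; only the private key opens
// it. Returns that "first message" and the session key each side ends up with.
func rsaKeyTransport(server *rsa.PrivateKey) (firstMsg, clientKey, serverKey []byte, err error) {
	clientKey = make([]byte, 32)
	if _, err = rand.Read(clientKey); err != nil {
		return nil, nil, nil, err
	}
	firstMsg, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &server.PublicKey, clientKey, nil) // browser side
	if err != nil {
		return nil, nil, nil, err
	}
	serverKey, err = rsa.DecryptOAEP(sha256.New(), nil, server, firstMsg, nil) // server side
	return firstMsg, clientKey, serverKey, err
}

// sessionCipher turns the agreed session key into the AES-GCM cipher that
// protects every record of the session (encrypts and detects tampering).
func sessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ephemeralExchange is what TLS 1.3 does instead: each side generates a fresh
// X25519 key pair for this one connection and derives the session key from the
// shared secret. The server's long-term key only signs its ephemeral public key,
// so a later theft of that key cannot unlock recorded traffic (forward secrecy).
func ephemeralExchange(server *rsa.PrivateKey) (clientKey, serverKey []byte, err error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Server signs its ephemeral public key; the browser verifies with the certificate key.
	digest := sha256.Sum256(serverEph.PublicKey().Bytes())
	sig, err := rsa.SignPSS(rand.Reader, server, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	if err := rsa.VerifyPSS(&server.PublicKey, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, nil, err
	}
	// Only the two public keys crossed the wire; both sides compute the same secret.
	clientShared, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverShared, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	c, s := sha256.Sum256(clientShared), sha256.Sum256(serverShared) // TLS uses HKDF here
	return c[:], s[:], nil
}

func main() {
	server, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the site's certificate key
	if err != nil {
		panic(err)
	}
	firstMsg, c, s, _ := rsaKeyTransport(server)
	fmt.Printf("RSA transport: %d-byte first message, keys match: %v\n", len(firstMsg), bytes.Equal(c, s))
	// Session traffic is symmetric: the browser seals a record with its copy of the
	// key and the server opens it with its own. The request is a constructed sample;
	// the key is used for exactly one record here, TLS derives a unique nonce per record.
	browser, _ := sessionCipher(c)
	srv, _ := sessionCipher(s)
	nonce := make([]byte, browser.NonceSize())
	sealed := browser.Seal(nil, nonce, []byte("POST /login password=hunter2"), nil)
	opened, err := srv.Open(nil, nonce, sealed, nil)
	fmt.Printf("server read %q (err=%v)\n", opened, err)
	ec, es, err := ephemeralExchange(server)
	fmt.Printf("ephemeral exchange: keys match: %v (err=%v)\n", bytes.Equal(ec, es), err)
}
```

The difference that matters for forward secrecy is visible in the two functions: with rsaKeyTransport, anyone holding the recorded first message and the server’s private key can run DecryptOAEP later and recover the session key; with ephemeralExchange, the private key only ever produced a signature, and the ephemeral keys that determined the secret are discarded when the function returns.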
When a server sends your browser its public key, it does so inside a digital certificate that has been signed by a third-party organisation, a “certificate authority”, vouching that the key belongs to the site named in it. Your browser ships with a list of authorities it trusts and checks that the certificate’s signature traces back to one of them, that it has not expired, and that the name on it matches the address you typed; if any of those checks fail, you get the warning page. Certificate authorities are therefore a linchpin of web security: an attacker who can get a trusted authority to issue a certificate for a site they don’t control can impersonate it, while a certificate from an authority your browser doesn’t trust is worth nothing, however official it looks. Some certificates carry more information about the organisation behind the site, to help you decide if it’s genuine. Click on the padlock by the address bar in your browser to see this.
Non-encrypted HTTP traffic is easy for criminals to intercept, especially if they are connected to the same WiFi hotspot as you: anyone on that network can read, and alter, what you send and receive.