Encryption for Everyone

Google have been pushing for encryption across all the web (that is, for everyone to use HTTPS) for some time. Recently they’ve ratcheted things up a notch by adding a feature to the test version of their Chrome browser that can alert users to unencrypted network connections. At the moment the feature is off by default, and has to be turned on by the user, but I suspect that will change in due course.

While I’m in favour of encryption in general, I find myself deeply ambivalent about this latest move. Let me explain. There are three main reasons for my dubiousness, even though I am fully in favour of encryption for private and business transactions.

The first problem I have is whether putting yet another icon in the URL bar is helpful. There’s already a change of icon when an encrypted session is in progress; is there really a need for something to show the reverse? In addition, will people understand it, or will they assume that the icon means the site is dishing out malware and avoid perfectly inoffensive sites?

The second problem I have is that I simply don’t think that everything needs to be encrypted. Take this newsletter. It’s available on my site for anyone who wants to read it, even the NSA – and they can sign up to have it delivered to their mailbox if they find it interesting...

I realize that there is a case for arguing that if everything is encrypted it will make mass surveillance much more difficult, because it won’t be so obvious what to look for. But, frankly, I don’t think that’s a strong enough argument to currently justify encrypting everything.

The third problem, I believe, is the show stopper. In order for you to understand it, I need to explain a little about how you provide encryption to a website. The first thing you need is a certificate. A certificate is a very long unique number that is issued to you by one of a small number of companies known as Certificate Authorities (CAs). Unfortunately, they aren’t issued free of charge. Far from it. Neither are they issued automatically on application.

By issuing you with a certificate, the CA is certifying to the world that you are who you say you are, and giving you a unique encryption key. Given the work that has to be done by the CA to ensure that you are who you say you are, the chances of ever being able to obtain such a certificate free of charge are almost non-existent.

And you don’t even want to know about all the different documents they demand you produce to prove that you are yourself! The current prices could come down (the profits are very ‘healthy’ at the moment), but there isn’t any way they could drop to zero given what’s involved with the current system.

But the problems don’t end once you’ve got the certificate, because you have to install it on your machine, and, to be blunt, you need to be a techie to do that. And even that’s not the end of it – the certificates have a limited life, so you have to buy a new one every one, two or three years when the current one expires. Furthermore, though you only need to be a techie to install the original cert, you need to be a trained system administrator to re-install a replacement certificate. When we were charging people for playing my game, Federation 2, and needed a certificate, we got the original certificate installed, eventually. We never succeeded in installing the second one, when the original ran out!

Who is going to want to go through all this aggro to get their web site encrypted, when all they want to do is publish a blog, cat pictures, and maybe a few samples of their work for the world (and its cats) to see? And, of course, they are not charging.

Let’s face it, people may be annoyed by the NSA, FBI, GCHQ and their ilk, but what they are really worried about, if they think about online security at all, is big companies being hacked, like the recent hack of Anthem – eight million customers’ records compromised.
http://www.cnet.com/news/chrome-becoming-tool-in-googles-push-for-encrypted-web/
http://www.theregister.co.uk/2015/02/05/anthem_hacked/
http://en.wikipedia.org/wiki/Public_key_certificate

Alan Lenton
8 February, 2015

