February 1, 2016

705 words 4 mins read

Please Google, Don’t shame HTTP (yet)

Lock-icon Last week there was a big hubub around the revelation that “Google Will Soon Shame All Websites That Are Unencrypted“. People were freaking out and cats and dogs were running loose in the streets. Sheer pandemonium. The reality was that Google didn’t announce it, but someone talking at a conference had the feature flag turned on in Chrome. Google did explain that they wanted to do this eventually for “security” reasons, which makes sense when you dive into the topic. At first as a security conscious person I thought this was a great idea, after all HTTP is inherently not secure. However engineers need to step back and think about this from a user perspective. There is one truly key problem with a red-lock for all HTTP: Alarm Fatigue.

When the World Wide Web was invented, there was no security. There was no need for security. Times have changed, of course, and now almost every critical functional in life can be accomplished via the web. For all those sites encryption, or TLS (formerly SSL), has become de rigueur. Important data = Encryption. Seems easy enough. So why does the Average Joe want TLS (HTTPS) on everything including this very blog? Because people have gotten really good at hijacking browser connections.

Screen Shot 2016-01-30 at 7.52.02 PM If you’re browsing normally on a non-encrypted website at a coffee shop it’s almost trivial for a malicious actor to take over your web browsing session. Between dns hijacking and script injection someone could infect your computer with a virus just because you were surfing the unencrypted web, using your favorite Snowulf blog as its proxy. For those thinking “Well I never use open wifi, so I’m safe”, you aren’t (safe). Sometimes the malicious actor might be your own internet provider, such as the case of Comcast a few years ago.

encrypt So there is good reason to go encrypted for everything. We all agree on that. Now there are projects like LetsEncrypt, Cloudflare, and AWS ACM where you can get TLS certificates for absolutely free. So the barrier to entry is coming down rapidly. Every personal site and funny little side project can afford to use encryption. However just because everyone can and should use encryption, doesn’t mean we should screw it up for sites where we MUST encrypt (such as your bank).

What do you do when your alarm goes off in the morning and you don’t want to get up? You mute it. What do you do when your cell phone keeps beeping about something? You mute it. What do you do when something keeps beeping and annoying you? You start to ignore it. It’s a very simple concept known as “Alarm Fatigue“. Humans are really good at learning to ignore things that happen all the time, like false alarms that constantly happen. What do you think will happen when one day 50% of the websites your average user visits, show a redlock icon in Chrome? They’ll freak at first and then learn that it’s a “false alarm” and stop caring. Now that the users don’t care, malicious attackers can go ahead and start to attack your browsing of properly encrypted websites (Read: Your Bank) all they want. You don’t mind sharing your bank information with the hackers, right?

Google is insecure?!?! Scary red!

Google is insecure?!?! Scary red!

Alarm fatigue must be avoided at all costs. If you want a good story about this, take a few minutes to read “

Should Hospitals Be More Like Airplanes?“. The author goes on to explain the different levels of alarms and notifications that happen in a commercial airliner’s cockpit. For example the color red is not used ANYWHERE unless something terribly wrong is happening. More importantly there are only a small handful of things that can trigger the highest level of warnings and those are issues that are an immediate danger to the aircraft. Keep in mind, this list of warnings does NOT include the engine catching fire. Yes, that’s right, it’s not a red alert to lose an engine (because there are two).

So please, lets find a way to convince the world to get on board with an encrypted web that does not require us teaching 99% of the world to stop giving a damn about encryption.