The amount of encryption we use on the web is growing at a pretty rapid rate these days. Obviously there’s the likes of WhatsApp and iMessage doing the end-to-end encrypted messaging thing, but we’re also seeing websites themselves adopt HTTPS in record numbers. For example, 20% of the Alexa Top 1 million websites are redirecting insecure requests to secure ones.
Encryption has been gaining traction for many reasons, not least of which has been governments’ increasing desire to look at their citizens’ traffic. There were the Ed Snowden leaks, which really got us thinking about these things, then subsequently the Snoopers’ Charter in the UK and, more recently, the US government deciding that broadband privacy rules aren’t actually that important. All of these events have contributed to people’s desire to encrypt their traffic, thereby protecting their browsing habits from those who wish to watch them. Because that’s what the green padlock in the address bar means, right? Well, not entirely, and the reason why is important to understand.
When your browser makes a connection to an HTTPS website, there’s a negotiation phase in which the browser and the server converse about how they’re going to do encryption. This communication – complete with which site the user is connecting to – is observable by a man in the middle; you know, the sort of parties we want to keep traffic private from. Once the negotiation phase is complete, all data is properly encrypted and it can’t be observed or modified which is precisely what protects your passwords and your bank statements. But there’s a problem, and it’s one that most people don’t give much thought to. Let me illustrate:
Only a couple of days ago, The Next Web reported that Pornhub had gone HTTPS. Now this is good for all the same reasons that it’s good for any website, but it’s important to understand just how much protection encrypted web traffic actually gives you. In the news story above, TNW talks about how HTTPS helps users “feel secure” whilst satisfying their kinky fetishes. But there’s a really important nuance to understand here: because of the negotiation I mentioned earlier on, even with the presence of HTTPS a man in the middle still knows when someone is going to Pornhub. That alone could be quite embarrassing, but they also know how frequently those they can observe visit such sites. They know how many requests are being made and how much data is transferred, and when you consider all the metadata that constitutes, suddenly the privacy aspect of HTTPS doesn’t look so rosy any more.
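To make the point concrete, here is an added example (my own code, not part of the original post) that shows what a passive observer actually gets from the negotiation phase. The hostname the browser is connecting to travels in the ClientHello as the TLS server_name extension (SNI), in the clear, before any encryption is in place. The script uses Python’s standard library to generate a real ClientHello entirely in memory (no network connection is made) and then parses the record the way a network observer would, pulling the hostname straight out of the plaintext. The hostname `www.example.com` is just a constructed sample value.

```python
import ssl
import struct
from typing import Optional


def capture_client_hello(hostname: str) -> bytes:
    """Return the raw ClientHello bytes a client would send for `hostname`.

    Memory BIOs are used instead of a socket, so nothing leaves the machine;
    the handshake stops as soon as the client has emitted its first flight.
    """
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()   # what the "server" would send us (nothing)
    outgoing = ssl.MemoryBIO()   # what the client writes onto the wire
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for a ServerHello
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a plaintext TLS record and return the SNI hostname, if any.

    This is exactly the information available to anyone sitting on the path
    between browser and server: the record is unencrypted by definition,
    because no keys have been agreed yet.
    """
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]

    # Handshake header: msg_type(1) length(3); msg_type 1 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                       # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len                      # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                            # cipher suites
    cm_len = body[pos]; pos += 1 + cm_len                        # compression
    if pos + 2 > len(body):
        return None                                              # no extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len

    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + length]; pos += length
        if ext_type == 0x0000:                                   # server_name
            # ServerNameList: list_len(2), then entries of name_type(1) len(2) name
            list_len = struct.unpack("!H", data[:2])[0]
            i = 2
            while i + 3 <= 2 + list_len:
                name_type = data[i]
                name_len = struct.unpack("!H", data[i + 1:i + 3])[0]
                name = data[i + 3:i + 3 + name_len]
                if name_type == 0:                               # host_name
                    return name.decode("ascii")
                i += 3 + name_len
    return None


if __name__ == "__main__":
    # Constructed sample hostname; nothing is actually contacted.
    hello = capture_client_hello("www.example.com")
    print(f"ClientHello is {len(hello)} bytes; observer sees SNI = {extract_sni(hello)!r}")
```

Run it and the observer-side parser recovers the hostname from the very first packet, without decrypting anything. Everything after the handshake (paths, query strings, page content) is encrypted, which is the protection the rest of the post describes; the site name itself is not.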
As it relates to the fetishes TNW mentions, it’s a double-edged sword. A website using HTTPS protects the actual locations on the site being browsed so in the case of an adult website, someone intercepting the traffic doesn’t know which parts of the site are being accessed. However, whilst the abovementioned site is a pretty generic one in terms of it being adult content that caters to a broad range of desires, consider for a moment the very specific nature of some domains. Now I’m not going to list them here because your imagination is more than capable of conjuring up the sorts of names that would genuinely be embarrassing to most people, so you can see the problem and how people may get the wrong idea about what HTTPS means.
HTTPS is an essential security control for all sorts of very good reasons, in fact it does great things for us beyond security alone too. But let’s not be under any illusions about the extent to which it anonymises traffic. If you really don’t want your ISP seeing which sites you visit, get a VPN… then it’s just your VPN provider that sees your weird fetishes!