I'm not a big fan of conspiracy theories. Yes, sometimes there are conspiracies, but the Internet seems to magnify discordant cynicism on an unbelievable scale. I begin with this disclaimer because the conspiracy theorists have come out to explain why Google would do something completely absurd. I don't have an explanation for it, other than that I think they are reacting to the Edward Snowden scandal (which has supposedly hurt their business prospects outside the US).
In a nutshell, Google wants all Websites to publish their content via HTTPS protocol. This is the "secure layer" that encrypts the data packets sent between browsers and Web servers. We use it to "protect" user data on ecommerce Websites. In their blog post (announcing that Websites will receive a slight ranking boost in Google's search results if they publish via HTTPS) Google states "we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web."
This is one of the most ludicrous statements to come out of Google (and they have said some pretty stupid things through the years, like claiming that personalized versions of their PageRank algorithm are not vulnerable to manipulation - marketers have done a pretty good job of manipulating personalized and general Web search in recent years).
Everyone wants to encrypt the Web to defend it against the prying eyes of the NSA and other western spy agencies. I can understand people wanting to encrypt email but then many of the security experts who call for better encryption use Google's GMail service, and Google says its users have no reasonable expectation of privacy. When it comes to privacy and security, Google's track record is not very good.
One of the false promises that Google and others have made about HTTPS is that it will defend your site against Man in the Middle attacks - where rogue Websites pretend to be legitimate destinations. And yet in August 2014 Google itself fell prey to a Man in the Middle attack despite the fact its service is using the HTTPS protocol. In an era where security certificate companies can be hacked and regional networks are controlled by autocratic governments, it's naive to believe that HTTPS is going to protect a site from being replaced by another site.
Network engineers can set up routers at any location on the globe to steal traffic from legitimate routers, sending all packets directly to rogue servers. I don't know if this technique is being used in real government-on-government surveillance but it has been used by cyber-criminals to steal user credentials. And, trust me, once your browser has begun negotiating with a rogue site over HTTPS, your security protocol won't do you a bit of good.
Google is not the only company to advocate the use of HTTPS to protect Websites. Back in June WordPress proudly announced that it was going to defend its users' subdomains (not their login credentials, but their published pages and posts) from NSA spying by switching the entire WordPress.Com service to use HTTPS.
You know, anyone with a normal Web browser at the NSA will be able to get past that security without breaking a sweat. I feel safer already.
HTTPS encrypts data packets. That cannot be said enough because, apparently, that is all that can be said for it. These encrypted data packets are unencrypted once they reach their destination. Any cheap, freely available, open-source malware that can be embedded on the surfer's computer or smartphone, or on the Web server itself, can just grab the information after it has been unencrypted. Web servers, if "properly configured", will re-encrypt your password (but not your username) and add 1-2 random characters as "salt", making it harder to crack the encryption.
Any laptop with an Intel Core i3 processor can be used to crack an 8-character password in a matter of minutes, if not seconds, regardless of what encryption technique is being used. The cracker need only assume a certain length for the password (and this he can learn from most Websites by creating a few accounts and testing the limitations on passwords). Any warnings about invalid characters in passwords will be helpful to the cracker.
Long passwords are harder to crack. However, most Websites (and software vendors like Automattic, the folks who run WordPress.com and oversee development of the WordPress software) advise you to do really dumb things with passwords like mix up the case and add special characters. Of course, they don't bother to tell you that it takes longer to crack a password like "abcdefghijkl" than to crack "8bR#$a17q".
It's not the cracking of the password that is the hard part for the hacker. It's using the password to get into the server. They have to play a numbers game and this is the genius behind Brute Force Dictionary Attacks. They just start up a program to try every reasonable iteration of common passwords (which have been published on the Web by security experts intent on defending people's privacy) against a small number of common user account names.
Web server security, fortunately, does not have to depend solely on passwords and hard-to-guess user names with system administrator privileges. There are other ways to defend servers, more effectively, and hopefully at least some of the companies out there who are under constant attack use these other methods. Signing up with a cloud service-based Content Delivery Network (CDN) is not one of the better ways of handling Web server security.
Meanwhile, back at Propaganda Labs, people are lining up in droves to change their Websites over to HTTPS because they want to make the Web a safer place. I'm not sure what it will be safer from, as the NSA and their friends will have no trouble scraping all these HTTPS Websites for content and if they really want to get into the server they can resort to social engineering and other espionage trickery that doesn't have any problem ignoring HTTPS.
It costs money to properly install HTTPS on a Website. Someone has to pay for a "trusted" third-party provided security certificate. Web servers have the ability to generate their own certificates but Web browsers have been hard-coded to throw up warning windows when they see self-hosted security certificates. This is one of the many problems with HTTPS. Security certificate warnings are very common occurrences because people misconfigure their certificates, don't realize they have to pay for "trusted" certificates, or the browser cannot reach the servers at the certificate authority.
Even certificate authorities have been hacked, and impersonated. So if the guardians of the secure Web cannot ensure proper security for themselves, how can they ensure proper security for everyone else?
Meanwhile, back at Propaganda Labs, people are learning the hard way that if they put their Websites on shared hosting plans they cannot get "trusted" security certificates because you have to have a unique, dedicated IP address for each (root) domain you protect with HTTPS. So if Google has their way shared hosting providers will lose a lot of customers as people figure this out and start to panic.
But then they will run into the lack of IPv4 addresses. The last IPv4s were allocated last year. They haven't yet all been used but Microsoft is now reportedly assigning Brazilian IP addresses to some of its US hosting clients because it ran out of US IP addresses. And IPv6 doesn't look like it's going to replace IPv4 as public-facing numeric addressing system any time soon. Most if not all hosting companies have now adopted IPv6 addressing -- you're just not seeing it.
GeoLocation tools (such as local business directories similar to those run by Bing and Google) may find it more difficult to identify some servers' actual locations as pools of IP addresses are moved across regional boundaries. The potential cost in wasted money and man-hours that moving the entire Web to HTTPS (if that were even technically feasible) would entail has not been calculated.
Since you have to renew the certificates every year I would guess that this nonsense will cost everyone a few hundred million dollars over the next ten years. But maybe it will lead to other problems that we haven't yet figured out. The potential cost of unnecessarily securing the packets flowing between browser and Web server could run into billions of dollars because sooner or later someone is going to see an opportunity to make a fortune out of facilitating this mess, and new services will be born, and new industries will rise up, and people will just go right on spending money needlessly because someone out there reminds them that Google says we should all be doing this.
Someone in China must have cursed the Internet because we are trapped in interesting times.
Google Wants You to Spend Money on a Useless Security Feature
Related articles
- Internet Cafes And Public Networks
- How To Choose A Secure Password.
- Technological Naïvete: Shut Off Internet Encryption And You Might As Well Shut Off The Internet
- D-Link Doubles Security For Its Home Networking Routers To Help Prevent Against Increasing Attacks
- What You Need To Know When Using Public Wi-Fi Networks
Comments