The internet has never been great for security, a problem which started from it’s fundamental origins and the way it has developed. One of the main reasons the internet has been so successful is it’s ability to allow completely different devices to communicate with each other with a common language – HTTP. This openness though has come at a price, basically our digital privacy.
We kind of take this ability to talk across different platforms for granted nowadays, however in the early days of mass computing – it really could be a difficult task. The complexity of getting a Windows 3.1 computer to download a small text file from a Unix computer before the internet shouldn’t be underestimated. Everything had specific drivers, it was hard for any device to speak to each other despite even if they were running some sort of network protocol. Initially networking started on smaller local area networks where every computer and server shared a common networking language.
However even as far back as the end of the 1960’s there were plans to enable global communication. The US surprised by the success of Sputnik had set up many technological innovations to improve communication between centers of research and not get caught out again. To oversee these an organisation called ARPA was created – Advanced Research Projects Agency, although later this was changed to DARPA (as Defense was added to the title). One of their first problems was to enable proper communication across the hubs of this organisation – UCLA, Stanford, MIT and the University of Utah. In 1969 the solution to this dilemma was turned on. It was called the ARPANET and connected the four hubs using so that they could all communicate across a single network.
The problem was still there though, although the network was established between these known points introducing new nodes with different machines, systems and networks was extremely difficult. The main issue was they all used a different network protocols to communicate and as such couldn’t talk directly with each other. This difficulty was resolved by the invention of the transmission control protocol/Internet protocol (TCP/IP). TCP/IP was designed to allow networks running on different protocols to have an intermediary protocol that would allow them to talk to each other. This was the key development which enabled the internet to expand and enabled access to all these other devices.
The second most important development came in 1990 from the World Wide Web project headed by Tim Berners Lee. Although TCP/IP introduced the ability for different computer systems to speak together it was still very technical and quite complicated to navigate these systems. Berners Lee’s project introduced a way to navigate these resources without needing to type in individual IP addresses – it was called the Hyper Text Transfer Protocol (HTTP) and it formed the basis of the World Wide Web.
Nowadays of course, most of us are completely unaware of whether we’re communicating with a website sitting on a Unix, Windows, Linux or OS X.
Who Needs Encryption ? We All Do!
While the internet was expanding at an exponential rate, security wasn’t really considered an issue. HTTP is effectively a clear text protocol, meaning that anyone could read any of the information. Which meant that doing anything online was potentially quite risky. Initially most people would just browsing text web pages or view graphics so it wasn’t too much of an issue. However as we started to do more and more online including all sorts of financial transactions this became a huge potential problem.
Just like you wouldn’t want someone opening your mail or filming you at the ATM, privacy became really important. Unfortunately HTTP simply wasn’t appropriate for secure transactions and an additional layer was required. This came in the form of HTTPS – the secure form of the original protocol which initially used SSL (Secure socket layer) to add a level of encryption to protect the connection. Later came TLS (Transport Layer Security) which is an updated version which upgrades the encryption algorithms and adds the ability for the secure protocol to use different ports (other than 443) which is the default for HTTPS.
The role of encryption has increased since this time, and it’s definitely more widely used but it’s certainly not perfect. HTTP is a bolt on addition to the protocol and relies on it being properly implemented on the web site. Still the majority of e-commerce and other confidential transactions are at least protected in some way from interception and eavesdroppers. So we all know that if we check and see that little padlock on the side of the address that at least we have some element of privacy.
Fortunately this noodle company has implemented HTTPS on it’s order page complete with TLS version 1.2 – good work guys !
So if Everything is Encrypted Then We’re all Safe ?
If your data is encrypted it means no-one intercepting it can read it, which is great on a huge network like the internet which is built on millions of shared network devices. There are reasons for using encryption every time we use the internet, but it is especially important when using public Wifi access points.
In 2015 it was estimated that just under 30% of all internet traffic was encrypted and that number just keeps rising. The availability of cheap and even free certificate services has meant that many sites are switching to use SSL even if they don’t have E-commerce components. Also search engines like Google are said to include HTTPS as a ranking factor which means that you’ll possibly get more traffic if you encrypt your data.
The current expectation is that by 2020 more than 75% of internet traffic will be encrypted by some method. However although this sounds like good news, and obviously negates the question of who needs encryption if we all have it ! However the security that HTTPS provides is certainly not complete and relies heavily on it’s implementation. There’s no doubt that it’s better than using nothing but it certainly is not foolproof especially when you communicate through devices which are poorly setup.
The risks for example are much higher when you are mobile, using that local coffee shop WiFi or the free access point in the airport. Some are super secure and safe, others are entirely the opposite but unfortunately for the average internet user there’s no way to be sure.
Here’s a screenshot from a program which is widely used on the internet and available completely free of charge – it’s called Fiddler.
The software is defined as a free web debugging proxy, basically a tool that you can install and run from any browser to debug web traffic. However as you can see from the screenshot it also offers the facility to to intercept and decrypt HTTPS traffic easily. It’s not the only one either, even if you only look at free tools there’s quite a choice – check out Charles and Burp proxies if you’re interested.
HTTPS Traffic is not Always Secure
Fiddler is actually fairly easy to set up but there are some caveats to it’s use. It’s a client/server application so the server component needs to be installed somewhere where it can intercept the traffic. However this is easily done if you have access to the local infrastructure, which sounds complicated but isn’t really. You can easily route all the traffic through a laptop if you have access to the modem or router in your local coffee shop for example, it takes minutes to set up.
Just think of this for a moment, and remember this stuff is not actually that complicated. Here’s a simple example of how we all could be at risk –
- Cyber criminal gains access to WiFi Access Point at local coffee shop.
- Routes all traffic initially through IP address of their laptop
- Install Fiddler server component on laptop
- Install and configure Fiddler Client in browser
- Automatically intercept and decrypt all HTTPS traffic
- They monitor traffic for usernames, emails, passwords for important sites – e.g Banks, eBay, Paypal etc.
- Rush off and commit Identity theft or sell details online.
You don’t need to be some sort of technological genius to set this up and it literally takes a few minutes if you have somewhere to install it. In fact loads of access points are very simple to access with default usernames and passwords. I’ve seen many on post it notes with all the details you need behind counters if you look out for them!
So basically you could be sitting in your favorite coffee shop simply reading your emails, buying from eBay or checking your online banking while someone quietly harvests all your usernames and passwords. It wouldn’t matter that all these sites were encrypting your connection as it would be intercepted and could be decrypted at source.
All is Not Lost – We Can Stay Safe !
Now the previous section illustrated a rather worrying scenario, which is entirely realistic and more common than you can imagine. However there are some caveats, firstly there are some countermeasures to protect your data from this situation which is known as a man in the middle attack. If you implement HTTPS or a VPN (Virtual Private Network) securely then it should detect this attack and break the connection before data is compromised. However both the attacks and defense mechanisms are constantly changing, so nothing is ever guaranteed.
Also as mentioned previously you are pretty reliant on others for much of the security that HTTPS offers. Don’t always assume that the big companies get these things right 100% either, for many security is not always as high up their priority list as it should be (until something goes wrong of course!) That padlock is nice to see but it’s certainly not a guarantee your data is safe.
Needless to say, an online bank should have a safer implementation of HTTP security than your local takeaway does.
You can however takes steps to add an extra layer of security you your connection yourself and control the types of encryption you can use. The easiest way to do this is to use a VPN to encrypt all the data that leaves your computer or device, not just your web requests.
A VPN stands for Virtual Private Network and is essentially a secure, encrypted tunnel which your data is protected by. So this extends beyond HTTPS which will only encrypt web transactions and extends it to an encryption system which covers email, messaging and any application used to transmit data from your computer. Basically if you’re doing any sort of secure transaction over public Wifi, then nowadays it’s essential to use a VPN to add that extra layer of guaranteed encryption to your connection.
Not only will a VPN protect all your data by encrypting it while it’s transmitted, it will also give you anonymity online too. For instance instead of your ISP having a log of everything you do online for months on end, all of your internet activity will be hidden. The websites you visit won’t appear on the log and the data sent and received will be hidden (encrypted) too. Additionally your IP address will be hidden too from the websites you visit, which means that you can surf perfectly securely and privately.
As well as the core features of security and privacy, a VPN service offers other potential uses. One of the most useful features is the ability to hide your true location. As your real IP address is hidden from the web sites you visit, you can effectively bypass the many geo-restrictions that exist online. For example millions of people use a VPN to watch the BBC iPlayer from all over the world. Normally it’s restricted to people in the UK only, but if you use a VPN server based in the UK then it will work anywhere.
So who needs encryption ? Well pretty much anyone who values their online data should consider the question – why do businesses use encryption. It’s simply because they want to keep their data safe and secure.
Here’s our recommendation for a highly secure VPN service, which you can use to secure all your data online plus watch all sorts of TV across the world including the BBC.