How private is HTTPS?

There is a big push for news organizations to adopt HTTPS, because it will make it harder for snoopers to observe what people are reading. In countries where information is seriously censored, this protection could save people from unpleasant consequences. Just how much privacy does HTTPS give us, though?

It gives us nothing if the government demands a site’s private SSL key, installs equipment to intercept communication, and orders the site not to tell anyone that it’s happened. After that, spies can get everything, including passwords and credit card numbers. This, of course, only happens in authoritarian countries like … well, the United States. That’s what the authorities tried to do to Lavabit. There are probably many more sites where the Feds have made similar demands and we haven’t heard.

Even when it hasn’t been compromised, TLS encryption doesn’t hide all information. (TLS is the correct name, and the name SSL properly belongs only to old versions, but everyone still talks about SSL.) Your IP address and the domain you’re trying to reach are still visible to anyone grabbing data long the way. That’s why using a proxy helps; only the proxy domain or IP address and not the one you’re visiting will be visible in cleartext.

Old versions of SSL (including all the ones that really are SSL) have security weaknesses. Their hashing algorithms aren’t strong enough to stand up to serious computing power. Not many sites depend on those versions any more, but a man-in-the-middle attack can trick a site into downgrading the version it uses. The POODLE attack uses this trick, taking advantage of backward compatibility.

Another danger is the installation of spyware on the client machine, causing it to treat bogus, unsigned SSL certificates as valid. Lenovo pulled this trick in 2014, shipping millions computers with “Superfish” spyware to its customers. People with infected computers saw Google search results modified and ads inserted into pages, even if they were using an allegedly secure connection. Superfish also opened a huge security hole that others could easily exploit. I have no idea why Lenovo is still in business after betraying its customers that way. I’d certainly never buy a computer from them.

This isn’t to say that HTTPS connections are worthless. Far from it. But if you’re seriously concerned about your privacy, they aren’t a guarantee by themselves.

Published by

Gary McGath

I am a freelance writer, author of the books _Files that Last_ and _Tomorrow's Songs Today_, with a strong background in software development, file formats, and digital preservation.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s