Why You're More Secure Than You Think

  • Post by Maxime Cote
  • Dec 11, 2019
post-thumb

At this very moment, you are most likely more secure on the internet than in past years. Over the past years, the infrastructure of the internet got a lot more secure. Great let’s just keep going then? Hopefully but the problem is that a lot of those changes were under the radar of most people. And now the next step is to reach mass adoption to keep pushing the industry in the right direction. That’s why I’m shining a light on some of those technologies you might not be aware of.

Let’s rewind back in time to 2013 first. That year saw the now famous Snowden revelations, they shine the lights on the U.S. and other countries capturing massive amount of information. The NSA and others were tapping straight into an internet service provider (ISP) and other big tech giant to gather data on everyone. Those revelations came out like a bombshell on the industry, and the repercussions are still felt today. That point was a big wake-up call that we needed better infrastructure security. Fast forward today we’re more and more getting to that point. One of the things the revelations kicked off in high gears was TLS.

Transport Layer Security aka TLS

The first and most apparent infrastructure change is the adoption of TLS. TLS allows for encrypted communication between your browser and the server that serve the website. It’s what makes internet banking, secure accounts, secure payment possible. Without TLS anyone whose sitting between you and the server can see or change what you’re doing.

The TLS adoption was in part helped by Let’s Encrypt and the industry giant pushing for it. Let’s Encrypt made getting a certificate basically an automatic process. That created a huge boost in certification, the total number of certificates increased by more than 13.2 million between June 2017 and June 2018. Nowadays 90.2% of the browsing time on Chrome is spent on HTTPS pages. This very big adoption rate made Google, and Firefox even change their default UI elements. Both browser went from normal being HTTP with a green mark for HTTPS to default being HTTPS with warning otherwise.

Chrome change from 67 to 69:

DNS over HTTPS aka DoH

DoH is another now rising industry standard. It encrypt DNS query from your browser over HTTPS. Each time you ask for an address online your browser make a DNS query. That query is to ask for the IP address associated with the name you requested. DNS was one of the last pieces of the internet stack without protection or encryption. That allowed ISP and nearly everyone to see which website you wanted to access. Even if the following connection is secured over TLS, they would know you were going there. In 2019 Firefox plans to make all their request with Cloudflare DoH by default. But Firefox is not the only one, Chromium is also going in that direction. They’ve recently announced so:

Chrome 78 will check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider. If the DNS provider isn’t in the list, Chrome will continue to operate as it does today

Microsoft is another who is currently prioritizing DoH for Windows 10. They stated it will “provide immediate value to everyone”. While they haven’t stated any dates for the release, the fact that it is happening is big enough.

Signal Protocol

This one is also something most people wouldn’t know about, even if you might be using it. The signal protocol from Open Whisper System is an audited very strong end-to-end encryption chat protocol. Encrypted chat either in text, voice or video format are not just for things you want to hide. You may just not want some of your conversation to be possibly looked into for various reasons. It might be for work-related reason, keeping company secrets is important. Or even personal reasons like a private conversation with a traveling family member.

The signal protocol is what a lot of chat app uses to be private or have a private chat option. The primary chat app using it is the Signal App itself. Another big one is WhatsApp, since 2014 it provides end-to-end encryption with the help of the protocol. There’s also the now discontinued Google Allo which had an incognito chat mode powered by Signal. Since October 2016 Facebook has added a new chat feature called Secret Conversation which also relies on the protocol. A final one is Skype. Since January 2018 it uses the protocol to power Skype Private Conversation.

Future

The future will be an interesting place for sure. As the industry keeps pushing for TLS, DoH and use signal we should expect more and more security. There are also a lot of other technologies I didn’t touch here, encrypted file sharing, DNS over TLS, secure chip on mobile phones, etc. Those are all good things to be excited about.

Not everything is all rosy, though, as encryption and other security mean finally hit mainstream. In the U.S. and other countries, many law enforcement entities are starting to push back. There’s also some strong push by some government to ban encryption altogether like in China or Russia. Some are trying to be more subtle like Australia which just requires company to provide the data, even if encrypted. Those and probably more to come are why more people knowing about those technologies and even seeking them out is important. If we reach market majority adoption, it will be a lot harder to just push agenda without strong reasons.

Now what can you do to help it keep going? Here are some things you can do. For starters, already knowing is a good but also favoring the service you see using those tech. If you run a website or a blog or an app look to use TLS in it. There’s also some other encryption mechanism available if TLS wouldn’t fit. Otherwise just sharing the idea of using more secure technologies is also good.