If you aren’t using SSL to have a conversation with a website, your traffic is readable by anyone on the Net who can see your network packets flying past. But more to the point, since the audience for this blog post is website administrators, if your website is not running SSL, you are talking to your customers in plain text.
If you are a site admin but haven’t played with network packet analysis, I’m going to give you some real-world insight into what this means:
When I ask my web browser to connect to news.netcraft.com which is an unencrypted (non-SSL) website, my traffic goes through about 18 ‘hops’, which is the techie word for routers, before I hit Netcraft’s firewall:
Looking at the names of the routers, I count around 4 vendors that have access to my traffic including Wave, Spectrum Networks, XO Communications and BT (British Telecommunications). I also count two countries: the UK and USA.
Here’s what my traffic looks like when I import it into a packet analysis tool (I’ve blanked out personal info I don’t want the World to see):
As you can see, everything is in plain text including:
- The URL I requested.
- Any cookies and their values including cookies that a hacker could steal and use to login as you.
- Any other data I sent including form values which would include things like passwords and usernames.
- The entire response is in plaintext and clearly readable. This might include email contents, documents, social security numbers etc.
It’s easy to automatically parse network traffic like this for valuable data using Linux tools like tcpdump and algorithms to look for specific kinds of data. For example, if you’re looking for card numbers, you just look for 16 digit numbers that conform to the Luhn algorithm. [Yes, it’s rare to pass card numbers via non-ssl connections, but this illustrates an algorithmic approach to data recognition and capture]
Besides private hackers, countries like the USA and China parse network data like this on an industrial scale using the best computer science minds on the planet. That is why there is a sense of urgency to move towards a completely encrypted web.
Historically you have had to pay anything from $10 dollars to over $1000 for an SSL certificate for your website. If you hunt around you can find free SSL certificates but they are either a paid ‘trial’ or part of some other commercial incentive to get you to sign up with a service where you will inevitably part with your money one way or another.
Yesterday, November 18th, the Electronic Frontier Foundation (EFF) announced a project that will make SSL and encryption on the web completely free. They have created a non-profit organization called the Internet Security Research Group (ISRG) in collaboration with Mozilla, the University of Michigan, Cisco, Akamai and Identrust.
The ISRG are launching a project called Lets Encrypt which will be making free SSL certificates available for any website starting Summer 2015. But they go further than that. It has always been fairly technical to install an SSL certificate and so Lets Encrypt are creating applications for platforms like Linux and other web hosting operating systems that let you install and activate SSL for your web server with a few keystrokes.
So the net result is that, starting Summer 2015, not only will SSL for any website on the Net be completely free, but you will also be able to install and activate SSL on your site with just a few keystrokes and no payment.
Below is the official Lets Encrypt video which does a great job of making it clear how easy (and cost free) it’s going to be to install an SSL certificate from the project.
Please share this post with other webmasters to raise awareness of the importance of enabling SSL on your website (and the excellent news that it will soon be free and easy to implement).