Web Security for All

Accessing a web site sends information back and forth as you open pages and click on links. This data travels through numerous computers on its way to the web site's server and back to your computer; which computers, and how many, depends on your Internet provider and on the web site's provider. Recently, I traced my access to this site and counted 13 computers passing my data, to and fro. And I only control one of them. Many more people have access to these 13 computers and their connections.

The Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the World Wide Web. HTTP Secure (HTTPS) provides authentication of the website and its web server, and bidirectional encryption of communications between client and server, which protects against eavesdropping and against tampering with or forging the contents of the communication. In practice, this gives a reasonable guarantee that one is communicating with the intended website and that the contents of communications between the user and the site cannot be read or forged by any third party.

HTTPS is especially important over insecure networks (such as public WiFi access points), because anyone on the same local network can sniff packets and discover sensitive information (username, password, etc.) that is not protected by HTTPS.

The security of HTTPS is that of the underlying Transport Layer Security (TLS) protocol, which uses public-key cryptography to establish a session key that is then used to encrypt the data flowing between client and server. To validate public keys, certificate authorities (CAs) and public key certificates are needed: the CA verifies the relationship between a certificate and its owner, and generates, signs, and administers the validity of certificates. Web browser vendors trust certificate authorities to issue only valid certificates. The top three certificate authorities in 2016 issued over 75% of all certificates in use.

  1. Comodo CA – certificates for $63.95 to $809.10/year.
  2. Symantec Corp. – $399.00/year.
  3. GoDaddy – $69.99 to $249.99/year.

As of April 5, 2016, 41.7% of the Internet's 141,160 most popular websites have a secure implementation of HTTPS. That adds up to a lot of revenue for CAs, who use standard protocols and freely available software. Generating a certificate costs only a few cents, and administering it a few dollars. That makes selling TLS certificates one of the biggest cash cows in the world. All the certificates are exactly the same! Otherwise they would not work in our browsers. The only difference between certificates is marketing hype. Even Comodo CA sells cheaper certificates for $12.00/year through its PositiveSSL brand.

Now there are free certificates available, issued by the Let's Encrypt certificate authority, which is sponsored by Cisco, Hewlett Packard Enterprise, Mozilla, and Facebook, among others. These certificates work the same as the certificates costing much more. You can verify this using Qualys SSL Labs' SSL Server Test on this site, which uses a Let's Encrypt certificate.
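The same check can be made from the command line. The script below is an added example, not code from the original post: it opens a TLS connection using Python's default verification settings, which consult the system trust store and check the hostname much as a browser does, and reports who issued the certificate and how long it remains valid. The default target `letsencrypt.org` and the sample certificate fields used for testing are assumptions, not taken from the page.

```python
import socket
import ssl
import time

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection; return (peer cert dict, TLS version).

    ssl.create_default_context() loads the system trust store and enables
    chain validation plus hostname checking, so a certificate from an
    untrusted CA, an expired one, or one issued for another name raises
    ssl.SSLCertVerificationError here instead of being accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def _name_attr(name, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to the fields worth reading. Works offline on a
    constructed dict of the same shape; pass `now` (Unix time) for a
    deterministic days_left."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": _name_attr(cert["subject"], "commonName"),
        "issuer_org": _name_attr(cert["issuer"], "organizationName"),
        "issuer_cn": _name_attr(cert["issuer"], "commonName"),
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": int((expires - now) // 86400),
    }

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "letsencrypt.org"  # assumed default
    try:
        cert, version = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: certificate rejected: {exc.verify_message}")
        sys.exit(1)
    print(f"{host}: {version}; {summarize_cert(cert)}")
```

A free certificate and a paid one pass exactly the same validation path in `fetch_peer_cert`; what differs is only the issuer fields that `summarize_cert` prints.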