Case Study #1: Using Transit Encryption by Default


What is Transit Encryption?

Transport Layer Security (TLS) is a protocol for adding encryption to different forms of internet communications while they are in transit, hence we refer to it as “transit encryption”. It establishes a method for two computers to authenticate each other and set up an encrypted connection. This process is an intricate one that involves an entire ecosystem consisting of the web browser producers, third-party validators that check identities and issue certificates, called Certificate Authorities, and website operators themselves. When TLS is deployed over the web’s Hypertext Transfer Protocol (HTTP), that protocol is called Hypertext Transfer Protocol Secure, or HTTPS. However, TLS can secure not only web connections, but also email and a wide variety of other internet interactions.

TLS provides three important features: First, it secures the encrypted connection against electronic eavesdroppers who might want to intercept the content of the communication for a variety of reasons. This provides privacy, or as security experts would say, “confidentiality”. Second, it guarantees that the communications have not been modified in transit. This is often referred to as “integrity”. Lastly, TLS ensures that the other party is who they say they are, proving “authenticity”.
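The third property above, authenticity, is the one a client can silently lose through configuration: a connection can be encrypted and still be talking to an impostor if the client does not verify the server's certificate against a trusted Certificate Authority and against the hostname it dialled. The example below is added here and is not part of this case study or its timeline; it uses Python's standard `ssl` module to build a hardened client context beside the weak "trust any certificate" setting, and a small audit function (a name chosen for this example) that reports which of the three properties a given context gives up. It runs offline because it inspects the contexts rather than connecting anywhere.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that delivers confidentiality, integrity and authenticity.

    create_default_context() loads the platform's trusted CA store, requires the
    server's certificate to chain to one of those CAs, and checks that the
    certificate matches the hostname passed to wrap_socket(server_hostname=...).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Refuse legacy protocol versions; TLS 1.2 is the floor for this example.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verification_disabled_context() -> ssl.SSLContext:
    """The weak setting: the channel is still encrypted, but any certificate is
    accepted, so an interceptor presenting its own certificate is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context keeps all
    three TLS properties. Each finding starts with the attribute it concerns."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: the server certificate is not "
            "checked against a trusted CA, so the peer is not authenticated"
        )
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is off: a valid certificate issued for a different "
            "site would be accepted"
        )
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS versions below 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("verification disabled", verification_disabled_context())):
        problems = audit_client_context(ctx)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

The order of the two assignments in `verification_disabled_context` matters: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still on, which is a small built-in guard against accidentally dropping authenticity. Such a weakened context still produces an encrypted session, which is why an audit of client code should look at the verification settings, not merely at whether "https" is in the URL.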

The Emergence and Adoption of Transit Encryption

When taken together with its predecessor, Secure Sockets Layer (SSL), the history of TLS goes back to the early days of the commercial internet, in 1994. That’s when Netscape, one of the original browser companies, developed the transit encryption protocol SSL. That protocol was eventually supplanted by the TLS standard developed in 1999 by the Internet Engineering Task Force, a standards body responsible for the protocols that make the internet possible. Although initially deployed mostly to protect passwords or sensitive financial or consumer data such as credit card details, in the twenty years since its inception we have seen transit encryption—and especially HTTPS—grow into perhaps the most important and broadly used technique for protecting the privacy of internet communications.

That shift began slowly in the mid-2000s as some online services, most notably Gmail, allowed savvy users to turn on HTTPS to protect their entire session rather than just when they were logging in. However, after years of pressure from privacy advocates and growing cybersecurity threats—especially from China—Google would turn HTTPS on by default for all of Gmail in 2010. Following Gmail’s lead, a variety of other Google services—and other email and search providers—began slowly testing and adopting deployment of SSL, whether as an option or by default.  

That trickle turned into a flood, however, when documents leaked by NSA contractor Edward Snowden in 2013 revealed the extent to which the NSA had been intercepting the traffic of major internet companies, including tapping their private links between data centers. This prompted companies, concerned both about their security and their reputation with international customers, to begin widely deploying transit encryption across their services and between their data centers. This encryption explosion accelerated in 2014 when Cloudflare, a company that offers content distribution and cyberattack mitigation services to a broad swath of the web, turned on HTTPS for all the sites it served, and in 2016 when WordPress—using the newly launched “Let’s Encrypt” certificate authority aiming to make TLS deployment much cheaper and easier—did the same for all of the blogs it hosts.

Now that almost all major online service providers are offering HTTPS by default, the focus is moving to other online sectors, with specific campaigns and tools pushing online news sites and adult entertainment sites to improve their security. In the meantime, the push to encrypt the Web hit a major tipping point by the end of 2016, when for the first time over half of all Web traffic was protected by HTTPS—up from just 13% in 2014.

Key Factors Spurring Adoption of Transit Encryption

Although not addressed in our timeline, a key factor spurring the adoption of transit encryption is the simple fact that technology has steadily improved such that encrypting connections no longer causes a noticeable delay for most users—what the techies call “latency”. However, there were a broad range of other factors—beyond solving the latency problem—that helped HTTPS go from something that no one offered by default to a standard that almost all major services offer by default.

As in all other aspects of online security, privacy advocacy played a large role in spurring the widespread adoption of transit encryption—whether it was ACLU technologist and privacy activist Chris Soghoian throwing Twitter-bombs and organizing coalition letters, or the Electronic Frontier Foundation giving gold stars to companies deploying HTTPS or building the HTTPS Everywhere browser plug-in to help users more easily take advantage of the technology. Other tech interventions have been arguably less ethical but equally impactful—the Firesheep hacking tool that demonstrated how easy it was to break into social network accounts that weren’t secured by HTTPS helped publicize the problem, so much so that Senator Chuck Schumer publicly demonstrated the technology himself at his local coffee shop. In addition to lawmakers, commissioners at the Federal Trade Commission helped make the deployment of HTTPS a security priority by highlighting its importance to consumer protection.  

However, as with many other privacy and security practices, it was the one-two punch of Chinese hacking and the Snowden revelations that really turbo-charged the adoption of HTTPS. It was attacks by China that prompted Google to be the first major online service to finally offer HTTPS by default for all its users, after having previously only offered it as a hidden option—and it was the crisis in international consumer confidence caused by the Snowden revelations that forced all of Google’s competitors to follow suit, starting a snowball effect that has led to wide swaths of the web being encrypted in just the past few years—including all of the web sites of the federal government. That pace of adoption would not have been possible, however, without one more massive technical intervention—the founding of a new certificate authority called “Let’s Encrypt”, a partnership between organizations like EFF and Mozilla that has made the process of securing your website with HTTPS exponentially easier and cheaper.

Looking Toward the Future of Transit Encryption

Now that the major online services and the federal government are securing their web traffic and the overall percentage of encrypted web traffic has passed the halfway mark, the continued adoption of TLS will require constant advocacy directed at other, more narrow slices of the web ecosystem. Recent pushes to educate the press and the adult entertainment industry about the importance of securing their web sites are a good example of this, as are efforts to lean on online advertisers. There is also now an opportunity to push state and local governments to follow the federal government’s lead and shift all of their web offerings to HTTPS. The increasing ease of use and lowering of costs around HTTPS deployment, thanks to projects like Let’s Encrypt, should continue to help spread the technology.

Although not addressed in our timeline, just as we are seeing transit encryption edge toward ubiquity, we are also seeing a significant increase in the availability of end-to-end encrypted messaging—that is, messaging that is encrypted completely between sender and recipient such that even the service provider can’t access the content. Following a pattern similar to transit encryption, one company—this time, Apple—took the lead in 2011 as an early adopter when it integrated end-to-end encryption into its iMessage service for iPhones. That lead was quickly followed by others after the Snowden leaks, with the Facebook-owned Whatsapp integrating the encryption technology of another messaging app, Signal, to offer end-to-end messaging to its billion-plus users in the spring of 2016. After increasing pressure from privacy advocates to provide similar tools, Google and Facebook soon got in the game too, providing end-to-end options in their messaging offerings Allo and Facebook Messages, respectively. Within the space of just a few years, end-to-end encryption has gone from a technology that was once arcane, hard to use, and more or less unknown to the public, to one that is super-simple to use and is in the hands of practically every smartphone user.

TLS Timeline