
The widespread adoption of HTTPS instead of HTTP may be dangerous

A warning up front: this will get political. If you don't like that, don't read it. And I warn you that I am not sure of my conclusions; I just want to show an alternative point of view.

Recently many companies have been promoting the universal use of https and the abandonment of http, with Google in the lead. My build of Google Chromium (53.0.2785.143) shows the letter i in a circle in the address bar if a site is opened over http rather than https. And it goes further: Google intends to display http connections as more and more insecure, scaring users with "dangerous" http more and more: www.opennet.ru/opennews/art.shtml?num=41263 (the news is from 2014, but as far as I can tell nothing has changed since; it contains a link to the English original from Chromium).

HTTP/2.0 appeared recently. It was built on SPDY, which Google created. "Although the specification allows unencrypted connections, the Firefox and Chrome developers intend to make HTTP/2.0 work only on top of TLS" (www.opennet.ru/opennews/art.shtml?num=41684). Let me remind you that TLS is the modern successor of SSL; https today usually runs on top of TLS.
Recently Google also created QUIC. Again, encryption in QUIC is mandatory: "Why does QUIC always require encryption of the entire channel?" is a question from the QUIC FAQ (linked from the Chromium blog). The same blog post says QUIC provides "high security similar to TLS", which, in light of the persistent vulnerabilities in HTTPS/SSL/TLS and their implementations, looks like irony.

So, companies are promoting https and the abandonment of http. At the same time, vulnerabilities are constantly being found in https and its implementations (Heartbleed, POODLE, and so on). And there are plenty of indications that the American intelligence services may be aware of many still unpublished vulnerabilities in https, and may even be planting their own. I stress: I am not sure of this; I only draw attention to the fact that it is possible. Snowden's leaks and posts on Schneier's blog point to it. You can find a huge number of references to this on the Internet; I will give only one link: www.opennet.ru/opennews/art.shtml?num=37846.

So the American company Google is promoting https, which the American intelligence services are presumably able to decrypt and the Russian ones presumably cannot. This is also because the American intelligence services have the leverage to introduce vulnerabilities into the text of standards, since they can cooperate with manufacturers of computers, smartphones and operating systems, with the largest sites (Google, Facebook), with the largest messengers (Skype, WhatsApp) and so on (again, the Internet is full of mentions of this).

Now, about the Russian government's initiative to decrypt https and other traffic: habrahabr.ru/post/310576. The authors of the initiative can be understood. After all, the American special services can decrypt it and ours cannot. That is, the connection between a Russian user and Facebook is presumably visible to the American special services but not to ours, so they have to find a way out somehow. I do not in any way justify these Russian initiatives. I only point out that there is a certain logic behind them.

I will quote the QUIC FAQ already mentioned:
"Why does QUIC always require encryption of the entire channel? As we have learned from experience, if the traffic is not encrypted, middleboxes along the path will alter it while trying to 'helpfully' filter or 'improve' it."

With all of the above in mind, this paragraph looks ironic. Yes, unencrypted traffic is read and modified by everyone and their dog, by all sorts of "middleboxes". But traffic encrypted with QUIC, which has "high security similar to TLS" (and we already understand how secure TLS is), can apparently be decrypted only by the "middleboxes" of the American special services. But not (for now) by the Russian ones.

I am writing all this only to show that there is an alternative point of view. If, in the next news item of the form "Chrome shows an even scarier icon warning about unencrypted traffic", not all the comments support the innovation and some disagree, I will consider my mission accomplished.

And once again: I am against surveillance of any kind. Neither the Russian nor the American intelligence services should be decrypting traffic.

UPD 2016-11-16 20:31. I am by no means urging anyone to use http instead of https. https is safer than http. I only point out that in the promotion of https, especially by Google and especially through the gradual banning of http, not everything is as simple as it seems.

Source: https://habr.com/ru/post/372879/
