Technology development seems to gallop a little faster each year. But there's always one laggard: encryption. Why the deliberate pace? Because a single, small mistake can cut off communications or shut down businesses.
Yet there are times when you take stock―only to discover the encryption landscape seems to have transformed overnight. Now is that time. Although the changes have been incremental over several years, the net effect is dramatic.
Some of those changes began shortly after Edward Snowden's disclosures of the U.S. government’s extensive surveillance apparatus. Others are the natural result of cryptographic ideas reaching the marketplace, says Brent Waters, an associate professor at the University of Texas at Austin and the recipient of the Association for Computing Machinery’s 2015 Grace Murray Hopper Award.
“Many of the new tools and applications available are based on research innovations from 2005 and 2006,” Waters says. “We are just realizing what type of crypto functionality is possible.”A step closer to an encrypted world
Encrypted web traffic is the first step toward a more secure online world where attackers cannot intercept private communications, financial transactions, or general online activity. Many sites, including Google and Facebook, have turned HTTPS on by default for all users.But for most domain owners, buying and deploying SSL/TLS certificates in order to secure traffic to their sites has been a costly and complicated endeavor.
Fortunately,Let’s Encrypt and its free SSL/TLS certificates have transformed the landscape, giving domain owners the tools to turn on HTTPS for their websites easily. Anonprofit certificate authority run by the Internet Security Research Group, Let’s Encrypt is backed by such internet heavyweights as Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai.
How ubiquitous has HTTPS become?In October, Josh Aas, head of Let’s Encrypt and former Mozilla employee, posted a graph from Mozilla Telemetry showing that 50 percent of pages loaded that day used HTTPS, not HTTP. While the graph showed only Firefox users, the figure is still significant, because for the first time, the number of encrypted pages outnumbered unencrypted pages. NSS Labs expects the trend to continue, predicting that 75 percent of all Web traffic will be encrypted by 2019.
Free certificate offerings will further accelerate adoption.By next year, the number of publicly trusted free certificates issued will likely outnumber those that are paid for, says Kevin Bocek, vice president of security strategy and threat intelligence at key-management company Venafi. Many enterprises will also start using free services. With certificate cost no longer a consideration, certificate authorities will focus on better tools to securely manage certificates and protect their keys.
Speaking of certificate management, after years of warnings that SHA-1 certificates were weak and vulnerable to attack, enterprises are making steady progress toward upgrading to certificates that use SHA-2, the set of cryptographic hash functions succeeding the obsoleteSHA-1 algorithm. Major browser makers, including Google, Mozilla, and Microsoft, have pledged to deprecate SHA-1 by the beginning of the year and to start blocking sites still using the older certificates. Facebook stopped serving SHA-1 connections and saw “no measurable impact,” wrote Facebook production engineer Wojciech Wojtyniak.
From May to October 2016, the use of SHA-1 on the web fell from 3.5 percent to less than 1 percent, as measured by Firefox Telemetry. Enterprises can’t be complacent, though, since recent estimates from Venafi suggest approximately 60 million websites still rely on the insecure encryption algorithm .
“We look forward to the industry's movement toward greater use of stronger certificates like SHA-256,” Wojtyniak said.Crypto is still king
Cryptography has taken quite a beating over the past few months, with researchers developing cryptographic attacks such as Drown , which can be used to decrypt TLS connections between a user and a server if the server supports SSLv2, and Sweet32 , a way to attack encrypted web connections by generating huge amounts of web traffic.
Nation-state actors also have encryption in their crosshairs. Late last year,Juniper Networks uncovered spying code implanted in specific models of its firewall and Virtual Private Network appliances. Many experts believe the NSA was involved.
Shortly after the cache of hacking tools allegedly belonging to the NSA made its way to underground markets this summer, Cisco discovered a vulnerability in its IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw, which could be used to extract sensitive information from device memory, was similar to the vulnerability exploited by the tools and was related to how the operating system processed the key exchange protocol for VPNs, Cisco said.
Even Apple’s iMessage app, the poster child for how companies can bring end-to-end encryption to the masses, had its share of issues. Cryptography professor Matthew Green and his team of students at Johns Hopkins University were able to develop a practical adaptive chosen ciphertext attack that could decrypt iMessage payloads and attachments under specific circumstances. The team also found that iMessage lacked the forward secrecy mechanism, meaning attackers could decrypt previously encrypted messages, such as those stored in iCloud. Forward secrecy works by generating a new key after a set period of time so that even if the attackers obtained the original key, the previously encrypted messages can’t be cracked.
One thing remains clear despite all the bad news: Cryptography is not broken. The mathematics behind cryptographic calculations remain strong, and encryption is still the best way to protect information.
“The latest attacks have not been on the math, but on the implementation,” Waters says.
In fact, encryption works so well that attackers rely on it, too. Criminals are equally as capable of obtaining keys and certificates to hide their activities inside encrypted traffic. The fact that this attack vector is fast becoming default behavior for cybercriminals “almost counteracts the whole purpose of adding more encryption,” Bocek says.
Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code.Government backs down on backdoors Technology firms have always had to balance security and privacy concerns with law enfo