Let’s make encryption “boring” and not something that users need to look for, as we fix mistakes made in the past.
Speaking at the SANS and NCSC Cyber Threat conference in London, security researcher Scott Helme ran through the history of the SSL, PCT and TLS standards: the passing of the mantle for creating encryption standards to the IETF, the rebranding of SSLv3.1 as TLSv1.0 in January 1999, the creation of TLSv1.1 in 2006, and then TLS1.2.
Helme called that introduction the first time a carrot rather than a stick approach had been used, “as when it came out there were some phenomenal performance increases” and pages loaded much faster, while there were also “security benefits under the hood.”
Despite encryption standards being broken, Helme was positive on the state of encryption standards asking delegates to “think of a website that you visit without HTTPS?” He said that we want security, but we are not incentivizing people to use it, and praised the introduction of TLS1.3, saying that the “benefits are enormous.”
As well as use in browsers, Helme said that the use of SSL in advertising has massively increased in the last five years as websites have moved to HTTPS. “No matter how far we go back we cannot get away from the phenomenal growth of security on web traffic,” and while adoption is now hitting a plateau, “we have got to keep pushing.”
However, HTTPS is also being used on phishing websites, Helme claimed, saying that this is tied to the drop in the price of certificates, and people still trust the padlock, “and mistrust can now be misused. If we want more encryption it is going to include bad websites.”
Helme said that while some excellent education has been done on browser security, there has been a shift in browser and padlock safety, and users should be told when there is a problem.
He concluded by saying that the “lack of encryption on the web is a bug,” and we need to fix a mistake we made at the beginning.