Some positive news for the white hats emerged this week after Mozilla revealed that more web pages are now loaded by Firefox using the secure HTTPS protocol than not.
As of 30 January the figure stood at 50.1%, but it’s been on a steady rise since November 2015 when the figure was under 40%.
The uptake is being helped by initiatives such as the Mozilla and Chrome-backed Let’s Encrypt, which act as an automated certificate authority to provide HTTPS certs to sites for free, and HTTPS Everywhere – a Firefox, Chrome and Opera extension designed to encrypt communications with major websites.
“Billions of users will start to regularly experience a web that is more encrypted than not,” Let’s Encrypt co-founder, Josh Aas, told Wired. “Expectations for security will continue to rise, and as a result we expect to see sites move to HTTPS even faster than they have been.”
HTTPS is slowly gaining more and more acceptance in the marketplace, with the UK government last year enabling it on sites to protect against Man in the Middle and other attacks. Also, Google switched it on for all BlogSpot domains last year.
However, HTTPS is not a silver bullet.
The black hats have also been observed in the past registering HTTPS domains to help them carry out attacks under the radar.
In one case they used Let’s Encrypt to hide malware from security scanners and legitimize malicious sites hosting the Angler exploit kit.
Kevin Bocek, VP security strategy and threat intelligence at Venafi, argued that attacks will increasingly use encryption to hide.
“At the heart of this is the fact that encryption is underpinned by cryptographic keys and digital certificates, which provide identity and access management for machines – much like biometrics and passwords do for humans,” he explained.
“If your cyber defenses do not have access to the right keys and certificates, then they can’t look in encrypted tunnels, making them useless. Yet the industry is largely failing to wake up to this danger. The only way to safely implement encryption is to maintain control – you need to make sure the security systems have access to the keys they require to inspect your traffic for threats. This requires automation that industry still must catch up on.”