It’s 2013. We’re all being spied on. Why do security software websites not use HTTPS?

Update: This post made the frontpage of reddit and many of the comments are wrong. I took a moment to clear a couple things up at the bottom of the post.

We desperately need to work towards deprecating HTTP and replacing it only with HTTPS. The web is a huge part of what billions of people use the Internet for, and still most of it is not encrypted. Since the Snowden leaks started getting published we’ve learned that NSA and GCHQ spy on as close to the entire Internet as they can get.

It would be naive to think that the US and UK are the only governments doing this too. The network isn’t safe, and the only way to make it safe is to encrypt all the things. Websites that still use HTTP are putting users in danger. Here are a couple of examples.

If you’re a Windows user and you heard that you can use something called Off the Record (OTR) to have end-to-end encrypted chats with your friends, how do you get started?

First you go to https://pidgin.im/ and download Pidgin. This website forces HTTPS, so you probably haven’t gotten hacked yet. After downloading and installing Pidgin you need to download and install the OTR plugin. So you go to http://www.cypherpunks.ca/otr/ and download the latest OTR installer, which at the time of writing is http://www.cypherpunks.ca/otr/binaries/windows/pidgin-otr-4.0.0-1.exe. This website does not force or even use HTTPS, which means it would be trivial for spy agencies or random hackers on your wifi network to put malware on your computer.

For some reason cypherpunks.ca, the website that distributes Windows binaries of OTR, doesn’t use HTTPS and therefore puts OTR users at risk.

Let’s say you’re a Windows user and you’re interested in using OpenPGP email encryption. How do you get started?

The free software implementation of OpenPGP is GnuPG (GPG), so first you go to http://gnupg.org/ to see what to do next. This websites doesn’t force or even use HTTPS, which means any information you find on this website might not be trustworthy, and any links to download GPG installers might include malware. Assuming you haven’t already been hacked, you’ll notice that the easiest way to get GPG in Windows is to visit http://www.gpg4win.org/ and download the latest version which, at the time of this writing, is http://files.gpg4win.org/gpg4win-2.2.0.exe. It would be trivial for spy agencies or random hackers to replace this with a malicious version and put malware on your computer.

For some reason gnupg.org, the website that distributes information about and the source code for GPG, and gpg4win.org, the website that distributes Windows GPG binaries, don’t use HTTPS and therefore puts their users at risk.

Luckily the websites for the Mac OS X software for OTR (https://adium.im/) and GPG (https://gpgtools.org/) force HTTPS. And GNU/Linux users should get this software from their package manager which uses public key cryptography to authenticate the packages.

Let’s say you’re really interesting in using disk encryption and you’ve heard that TrueCrypt might be useful for you. How do you get started?

You visit http://www.truecrypt.org/. Since this website doesn’t force HTTPS, any information you find on this website might not be trustworthy, and any download links might contain malware. When you actually do download the TrueCrypt installer, the download links for Windows, Mac OS X, and GNU/Linux all download from URLs like http://www.truecrypt.org/download/transient/…. If you download and install TrueCrypt from their website, it would be trivial for an attacker to put malware on your computer.

For some reason truecrypt.org, the website that distributes TrueCrypt binaries for Windows, Mac OS X, and GNU/Linux doesn’t use HTTPS and therefore puts its users at risk.

I chose Off the Record, GnuPG, and TrueCrypt because they’re prominent examples. But the problem is much bigger than these websites. It’s almost every website. It’s not just security software that can put malware on people’s computers, it’s any software.

I understand why everyone doesn’t use HTTPS yet.

If your website is hosted on a shared hosting provider you may need to pay more money for a static IP address to turn on HTTPS. This is unfortunate, but hopefully shared hosting providers will start using Server Name Indication and make this way cheaper and easier for their customers to run more secure websites.

But if you’re not a small website stuck on shared hosting, you don’t have an excuse.

People think that it costs money to get a certificate authority to sign your cert, but StartSSL is trusted by browsers and signs certs for free.

People say that using HTTPS is a performance hit. Locking your car door is also a performance hit, and so is putting on clothes in the morning. Security and privacy is worth a performance hit, especially when we have proof that the Internet is being spied on by the most powerful governments in the world. Scaling HTTPS is a solved problem, and performance is no excuse.

If you run a website, and the HTTP version of your site doesn’t automatically redirect to HTTPS, then you’re doing things wrong. Please take steps to start supporting HTTPS and then to start forcing HTTPS for all of your traffic. It’s the responsible thing to do for the privacy and security of your visitors.

Update:

NSA sends legal requests to get data from some companies (such as everyone in PRISM) but not from all websites. Websites outside of the US can legally ignore NSA requests.

Certificate authorities don’t have the secret keys of HTTPS web servers, they just sign the associated public keys. So no, NSA can’t ask CAs for all the keys.

NSA passively monitors traffic on the Internet backbones, but they can’t see any HTTPS content without having the associated secret keys. However if the HTTPS websites use Perfect Forward Secrecy, even if NSA has the secret key they still can’t see any of the HTTPS content.

Yes, they can still do active MITM attacks using a compelled CA, but they can’t realistically do this against the entire Internet, only specific targets (tech like certificate pinning, SSL Observatory, and Convergence will detect/prevent these attacks). One of the reasons that the NSA spying programs are so unconstitutional is because they’re spying on everyone. If we make passive attacks no longer work, forcing NSA to do active attacks, that’s a huge win.

HTTPS doesn’t protect everything. When you load an HTTPS URL, such as https://micahflee.com/2013/08/its-2013-were-all-being-spied-on-why-do-security-software-websites-not-use-https/, the hostname (“micahflee.com”) gets leaked, but the rest of the URL (“/2013/08/its-2013-were-all-being-spied-on-why-do-security-software-websites-not-use-https/”) stays private. Other metadata that leaks is your IP address, the exact time of the request, and the file sizes of the request and the response.

Full disclosure: I’m the maintainer of the free software browser add-on HTTPS Everywhere. If everyone used HTTPS and no one used HTTP, HTTPS Everywhere would become obsolete. I would love it if HTTPS Everywhere were obsolete.