The way we use the Internet is creating a growing trend of web encryption
Last week, we were proud to host the January edition of the London Web Standards meetup at our 20 Air Street space. We welcomed a hundred Web developers for talks on subjects as diverse as automated machine builds for software deployment, localization of in-language content, SEO, and using “blameless review” to assess mistakes made during the software development process.
I also gave a talk on the rise of encryption on the Web, which is a topic we are covering in the W3C TAG group which I co-chair.
Since 2009, the London Web Standards community has been running monthly meetups and larger events such as their influential State of the Browser conference. The focus of London Web Standards is on the open web and on empowering web developers through sharing knowledge and best practice. This focus fits together well with Telefónica’s leadership on leveraging open web technologies such as WebRTC and HTML5 mobile webapps.
LWS is a volunteer organization run by dedicated individuals with day jobs who give their time to set up and run these (free-to-attend) events, and we appreciated this opportunity to give back by hosting this event (and hopefully future events as well). Watch out for future events and sign up to their mailing list from their web site.
My own talk was on the growing importance of encryption on the web, the reasons for this trend and what we’re doing in the standards world to support it.
Luckily for me, Internet encryption has been in the news of late so this talk had some extra timeliness. Beyond the headlines, though, when we talk about encryption on the web, we are generally talking about moving web sites from http to https. The significance of the s in https is that it stands for “secure” and it generally means the connection between your browser and the web site you’re connecting to is encrypted (and therefore not readable by anyone snooping on your Internet connection, such as someone using the same café wifi).
Additionally, it means that the connection is certified to be between your browser and a specific party – e.g. your bank, your social network, an ecommerce site – rather than just anyone. An https connection is usually signified in the browser with a padlock icon (you know the one), and if you click on it, you get information from your browser that allows you to verify the identity of the party that page is coming from.
In case you’re wondering, this is all accomplished through the modern science of public key cryptography.
The idea of secure web connections using https was invented to encourage people to be more comfortable spending money (entering their credit card numbers) online and it largely achieved this goal. These days you wouldn’t imagine executing any kind of financial transaction on the web unless your connection to that website was over https.
In the past few years, however, web sites that are not primarily financial in nature such as Google, Facebook & Twitter have moved over to https in order to protect their users’ privacy and credentials. Now some additional trends are accelerating the adoption of https: the rise of so-called powerful features on the web platform and the imminent rise of HTTP/2.
With great power comes great responsibility, someone said. Powerful features of web applications might include the ability to read or write to your address book, to get access to your device’s camera or to save persistent information on your device so that an application can be used whilst you are offline. These are the kinds of features that have long been available to native mobile applications and are now becoming available to web applications as well.
Ensuring that these features are used only from web sites served over https gives some added reassurance that, when you grant permission for a web application to access certain private information or to perform a certain task, you are not being tricked by malware from an unknown source and that your private information will remain private as it travels back to the web site that is requesting it.
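The gating rule described above, sketched as an added JavaScript example (not code from the talk or from any browser): a simplified "potentially trustworthy origin" test that goes slightly beyond the text by also accepting loopback hosts, which browsers treat as secure for local development. The function names and feature labels are hypothetical; in a browser, a page can read the outcome of the real check from `window.isSecureContext`.

```javascript
// Added illustration; names below are hypothetical, not a browser API.

// Features the article calls "powerful": address book, camera, offline storage.
const POWERFUL_FEATURES = new Set(["contacts", "camera", "offline-storage"]);

// True for loopback hosts, which never leave the local machine.
function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals.
  if (hostname === "[::1]") return true;
  // The whole 127.0.0.0/8 block is loopback; anchor the match so that
  // a DNS name merely starting with "127.0.0.1." does not qualify.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (m) {
    return Number(m[1]) === 127 && m.slice(2).every((o) => Number(o) <= 255);
  }
  return hostname === "localhost" || hostname.endsWith(".localhost");
}

// Simplified origin check: encrypted schemes pass, plain http/ws pass
// only on loopback, everything else (including unparsable input) fails.
// file: URLs are left out because their treatment varies by browser.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// Ordinary features are always allowed; powerful ones need a trustworthy origin.
function allowFeature(pageUrl, feature) {
  if (!POWERFUL_FEATURES.has(feature)) return true;
  return isPotentiallyTrustworthy(pageUrl);
}
```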
HTTP/2 is a forthcoming upgrade to the underlying protocol of the web, Hypertext Transfer Protocol (which is what HTTP stands for). It’s work that’s been a long time coming – HTTP hasn’t had a revision since 1999 and in the meantime the web has transformed itself into a ubiquitous – and increasingly mobile-device-centric – platform for multimedia application delivery.
HTTP/2 brings the HTTP protocol up to date and streamlines it with the goal of faster delivery of web content (more info on https://http2.github.io). Users won’t see any visible difference with HTTP/2 other than a faster web. In fact, you are already using HTTP/2 if you are using certain versions of the Chrome or Firefox browsers to visit Google or other sites supporting HTTP/2. Significantly, browser makers are currently looking to support HTTP/2 over an encrypted (https) connection so the adoption of HTTP/2 will also increase the adoption of https.
That’s a lot of Hs, Ts, and Ss, and you could be forgiven for asking “so what?”
Well, the rise of encryption on the web is in some way linked to the way we are using the web in the modern age. In the early days of the web, we only needed encryption when we were dealing with financial transactions or banking because maybe those were the only “important” things happening on the web for most people.
These days we are all on the web and social media and there isn’t a single aspect of modern life where the web does not play a role. The demand for more encryption on the web is a reflection of the vital role the web is playing in our lives. The technical community needs to come together to support this growing trend, and the community of web users also needs to be more aware of when they are – and are not – using the web securely.
As can be seen from web sites such as https://httpswatch.com/, we’re just at the beginning.