Who's waging war against HTTPS?

In April 2016, Let's Encrypt went live.  Let's Encrypt is a group making it significantly easier to encrypt web traffic.  Some entity seems to have begun waging a war of public opinion against them.

Previous to their existence conveniently securing web traffic meant paying money to a company which would then provide you with a "certificate" for your website.  Servers and browsers use these certificates to create a secure communication path between them.  This secure path (denoted by URLs starting with "https://" rather than "http://") prevents entities between your computer and the website from seeing or altering the data being sent to and from the website.

Because of the cost and inconvenience many websites used unsecured connections.  However, places like banks, shopping, and healthcare providers have pretty much always used secure connections.  It took a few years but eventually social media websites began using secure connections by default as well.

Before Let's Encrypt, millions of websites only had their content available via unsecured communications.  For many people, like myself, running websites without any goal of making money from them the expense and hassle of certificates wasn't worth it.  Now, my websites are all available through secured connections, for free, thanks to Let's Encrypt.  (To be clear, many websites still haven't taken advantage of this service yet, but they at least have the option now.)

But, if banks and such use secure connections anyway, why do we care about Let's Encrypt, should I care if "someone" can see that I'm reading this blog post?

Maybe.

On March 28 Congress voted to repeal FCC regulations that prevented your Internet Service Provider (ISP) from spying on your web traffic and using that information to their financial benefit.  The regulations also prevented ISPs from altering your web traffic for similar purposes (e.g., injecting ads into a webpage when you view it).

Maybe you don't care if Comcast, or AT&T, or Verizon knows you like to knit and shop at JoAnn's Fabrics.  But maybe you'd be concerned if they started selling information to other companies about you visiting cancer treatment websites, or rape support groups, or divorce attorneys, or any number of kinds of sensitive information.

Using encrypted connections doesn't solve this problem entirely, but it makes the information available to your ISP a lot less useful.  For example, your ISP would still be able to tell you're looking at Amazon.com, but they wouldn't be able to tell if you're looking at knitting needles or books about infertility treatments.

Regardless of your stance, someone seems to be working hard to turn public opinion against Let's Encrypt and again make it harder to encrypt web traffic.  Articles like this one: "14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites" have been showing up all over the Internet recently, all making similar claims that it is Let's Encrypt's fault that people are falling for fake PayPal scam websites.

I don't think it's actually PayPal behind these articles, because this problem is nothing new, but the concerted, direct attack on Let's Encrypt is new.

Let's Encrypt does not verify the identity of the person requesting a certificate (which other certificate providers will do for steep fees, $300+ per year, these "verified" certificates are significantly different than the "non-verified" certificates issued by Let's Encrypt).  Instead Let's Encrypt verifies that you control the website for which you're requesting a certificate, slightly different.

The argument made by these articles is that now someone can get _a_ certificate for "paypall.com" and people will think that the green lock icon on their browser means they're connected to "paypal.com" instead.  Which it doesn't and never has.  The "verified" certificates show up differently in your browser.  For example, on this blog you'll see something like this:

With a "verified" certificate you'll instead see something like this:

This indicates that the company issuing the certificate verified that the company requesting the certificate is "PayPal, Inc." and the certificate is for "paypal.com".

The articles want you believe Let's Encrypt is somehow at fault if people end up at "paypall.com" with a green lock and think it's "paypal.com".  Let's Encrypt isn't providing "verified" certificates or trying to solve that problem.  The problem they're trying to solve is that too much web traffic is unencrypted by default because certificates were expensive and inconvenient.

Someone with a vested interest in being able to read and/or modify your web traffic has been working really hard to get these articles out and make it look like some kind of "public safety" issue.

I have no idea who that entity may be, but it's making me really annoyed.  Let's Encrypt is a good thing for anyone that thinks that their Internet communications should be private by default.

Update 3/31: Engadget just ran one of the attack pieces too: "When the 'S' in HTTPS also stands for shady".  Which is the most mainstream source running these articles that I've seen thus far.

To be completely clear, when a URL starts with HTTPS it only means that your connection is encrypted between your computer and the website--it has never meant anything about who is running the website is or whether the website operator is trustworthy.

Corinne's 2nd Birthday!

Corinne turned 2 yesterday.  The night before, she decided sleep was for the weak and stayed up 4 hours past her bedtime.  She was happy as could be, but she needed to be asleep.  The consequences were felt the next day.

Also, being St. Patrick's Day, Heather had special activities at school and was totally worn out by the time she got home.  (She did not manage to catch any leprechauns either at home or at school.)

Corinne doesn't seem to have a favorite food other than grabbers, so we tried Chick-fil-A for dinner.  She wasn't interested in any of the food.  She did have fun wandering around the restaurant though.

So then it was home for presents and cake.  She very much enjoyed opening presents.

(FYI: If you know kids that like My Little Pony Friendship is Magic, seasons 1-3 are only $12 each on Amazon; which is not only reasonable, but a good price, especially for a kids' show where the norm seems to be to gouge.)

But things went downhill when we started singing Happy Birthday.

And Heather was saddened by the whole thing too:

Corinne's been sick on and off since Christmas.  This week she got her third ear-infection diagnosis in that time frame.  Hopefully her future birthdays are a little healthier and more enjoyable.

A Hike up Brushy Peak

I went for a hike at Brushy Peak Regional Preserve today.  Water is still just coming out of the hills and turning trails into mud, but it was only a few places that were really bad.  I made it about 3.5 miles before I couldn't keep my feet dry anymore.  Luckily, I only had another half mile to go so I didn't end up with massive blisters.  But my shoes were covered with mud.

The path runs through cattle grazing land up in the hills above Livermore.  I started taking pictures of the cows.  They became quite interested in me and started forming a circle around me.  I was getting a little concerned, but they shooed away when I got up to leave.

Several times I came across a few cows just hanging out on the path daring you to approach them.

I started on the West Loop Trail and then transferred to the Brushy Peak Trail where I found a copse of trees growing around the stream as it tumbled down the hill.  So I took a rest and then pulled out my tripod to take some more "smooth" water pictures.

Once I packed up and got moving again I reached the highest part of the path (it doesn't actually go to the peak as far as I could tell).  Some nice views of Livermore from up in the hills, especially while everything is still green.

Then it was down again and through the mud to get back to the parking lot.  I hiked a little over 4 miles and it took me about 4 hours.  I wasn't intending to hike that far or be out that long, but there weren't a lot of options for trails and hiking a trail and then just turning around is lame.  My legs are going to be sore tomorrow though.  Surprisingly I don't seem to have a sunburn.