Who's waging war against HTTPS?

In April 2016, Let's Encrypt went live.  Let's Encrypt is a group making it significantly easier to encrypt web traffic.  Some entity seems to have begun waging a war of public opinion against them.

Before Let's Encrypt existed, securing web traffic meant paying money to a company, which would then provide you with a "certificate" for your website.  Servers and browsers use these certificates to create a secure communication path between them.  This secure path (denoted by URLs starting with "https://" rather than "http://") prevents entities between your computer and the website from seeing or altering the data being sent to and from the website.

Because of the cost and inconvenience many websites used unsecured connections.  However, places like banks, shopping, and healthcare providers have pretty much always used secure connections.  It took a few years but eventually social media websites began using secure connections by default as well.

Before Let's Encrypt, millions of websites only had their content available via unsecured communications.  For many people, like myself, running websites without any goal of making money from them, the expense and hassle of certificates wasn't worth it.  Now, my websites are all available through secured connections, for free, thanks to Let's Encrypt.  (To be clear, many websites still haven't taken advantage of this service yet, but they at least have the option now.)

But if banks and such use secure connections anyway, why do we care about Let's Encrypt?  Should I care if "someone" can see that I'm reading this blog post?

Maybe.

On March 28 Congress voted to repeal FCC regulations that prevented your Internet Service Provider (ISP) from spying on your web traffic and using that information to their financial benefit.  The regulations also prevented ISPs from altering your web traffic for similar purposes (e.g., injecting ads into a webpage when you view it).

Maybe you don't care if Comcast, or AT&T, or Verizon knows you like to knit and shop at JoAnn's Fabrics.  But maybe you'd be concerned if they started selling information to other companies about you visiting cancer treatment websites, or rape support groups, or divorce attorneys, or any number of kinds of sensitive information.

Using encrypted connections doesn't solve this problem entirely, but it makes the information available to your ISP a lot less useful.  For example, your ISP would still be able to tell you're looking at Amazon.com, but they wouldn't be able to tell if you're looking at knitting needles or books about infertility treatments.

Regardless of your stance, someone seems to be working hard to turn public opinion against Let's Encrypt and again make it harder to encrypt web traffic.  Articles like this one: "14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites" have been showing up all over the Internet recently, all making similar claims that it is Let's Encrypt's fault that people are falling for fake PayPal scam websites.

I don't think it's actually PayPal behind these articles, because this problem is nothing new, but the concerted, direct attack on Let's Encrypt is new.

Let's Encrypt does not verify the identity of the person requesting a certificate.  Other certificate providers will do that for steep fees ($300+ per year), and these "verified" certificates are significantly different from the "non-verified" certificates issued by Let's Encrypt.  Instead, Let's Encrypt verifies that you control the website for which you're requesting a certificate, which is slightly different.

The argument made by these articles is that now someone can get _a_ certificate for "paypall.com" and people will think that the green lock icon on their browser means they're connected to "paypal.com" instead.  Which it doesn't and never has.  The "verified" certificates show up differently in your browser.  For example, on this blog you'll see something like this:

With a "verified" certificate you'll instead see something like this:

This indicates that the company issuing the certificate verified that the company requesting the certificate is "PayPal, Inc." and the certificate is for "paypal.com".

The articles want you to believe Let's Encrypt is somehow at fault if people end up at "paypall.com" with a green lock and think it's "paypal.com".  Let's Encrypt isn't providing "verified" certificates or trying to solve that problem.  The problem they're trying to solve is that too much web traffic is unencrypted by default because certificates were expensive and inconvenient.
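The distinction drawn above, as an added example that is not part of the original post: it reads certificate fields in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports what a valid certificate asserts. Both sample certificates are constructed for illustration, and treating the presence of `organizationName` in the subject as the mark of a "verified" certificate is a simplifying assumption.

```python
# Added example (not from the original post). The dicts below are constructed
# samples in the shape returned by ssl.SSLSocket.getpeercert().

def _subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def dns_names(cert):
    """DNS names the certificate is valid for (subjectAltName entries)."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def covers(cert, hostname):
    """True if hostname matches a SAN entry; '*' matches one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def what_the_lock_proves(cert, intended_host):
    """Summarise what a successfully validated certificate does and does not assert."""
    org = _subject_fields(cert).get("organizationName")
    return {
        # The connection is encrypted to whoever controls these names.
        "encrypted_to": dns_names(cert),
        # Assumption: domain-validated certificates carry no organization in
        # the subject, while "verified" certificates do.
        "validation": "organization-validated" if org else "domain-validated",
        "organization": org,
        # The lock says nothing about whether this is the site you meant.
        "is_intended_site": covers(cert, intended_host),
    }

# Constructed: a domain-validated certificate for the lookalike name from the post.
LOOKALIKE_DV = {
    "subject": ((("commonName", "paypall.com"),),),
    "subjectAltName": (("DNS", "paypall.com"), ("DNS", "www.paypall.com")),
}

# Constructed: a "verified" certificate that names the organization.
VERIFIED = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "PayPal, Inc."),),
        (("commonName", "www.paypal.com"),),
    ),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}

if __name__ == "__main__":
    for label, cert in (("lookalike", LOOKALIKE_DV), ("verified", VERIFIED)):
        print(label, what_the_lock_proves(cert, "paypal.com"))
```

Both certificates would produce a lock icon; only the hostname comparison and the organization field distinguish the two sites.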

Someone with a vested interest in being able to read and/or modify your web traffic has been working really hard to get these articles out and make it look like some kind of "public safety" issue.

I have no idea who that entity may be, but it's making me really annoyed.  Let's Encrypt is a good thing for anyone that thinks that their Internet communications should be private by default.

Update 3/31: Engadget just ran one of the attack pieces too: "When the 'S' in HTTPS also stands for shady".  Which is the most mainstream source running these articles that I've seen thus far.

To be completely clear, when a URL starts with HTTPS it only means that your connection is encrypted between your computer and the website--it has never meant anything about who is running the website or whether the website operator is trustworthy.

Line in the Sand

In February 2016 Donald Trump emphatically told the world, "I'd bring back waterboarding and I'd bring back a hell of a lot worse than waterboarding."

I've previously stated how unacceptable the use of torture is by our country.

So here's my line in the sand:

I am a software developer supporting the mission of counter-proliferation of weapons of mass destruction.  I am a member of the Intelligence Community.  If Trump reinstates the use of torture by American personnel I will resign from my job in the Intelligence Community in protest.

If we come to such a point, I may keep working at the Lab, but I will not work on intelligence projects and have my efforts in any way used in support of such despicable behavior.

Waterboarding is torture.  Anything "a hell of a lot worse than waterboarding" is torture.  I will not spend my time and energy on projects that imply that such treatment of prisoners is acceptable.

We should be better than that.

I am better than that.

What do you stand for?  What is your line in the sand?

Worry, Concern, and Hope

I worry.

I worry the country will be a worse place when my girls grow up.

I worry our nation will blind itself to its faults.

I worry that anger and violence will increase.

 

I recognize that surrounding every atrocity has been a society of good people quietly saying, "That will never happen here.  We're better than that.  Let's just keep our heads down and get through this."

How does one find a balance between wariness, activism, fear, and over-reaction?

I don't know.

Are people in the U.S. currently over-reacting to President-elect Trump's language, decisions, and actions?  I hope so.  For it to be an over-reaction means things aren't really as bad as they might seem.

Four years ago I wrote about the dangers of nationalism.  That post is more relevant now than it was then.  Please go read it.

I am greatly concerned that President-elect Trump regularly, publicly attacks, demeans, and insults any opposition to his actions or opinions.  No one likes being the subject of public ridicule and I am concerned people will keep their mouths shut to avoid this treatment rather than oppose him.

I am concerned that dissent will be suppressed.

I am concerned that President-elect Trump seems to be gathering a body of "loyalists" to surround him in Washington rather than competent and qualified individuals (even if I disagree with their views).

I am concerned that many people no longer feel safe going about their day.

I am concerned that an elected State Representative was harassed and berated for her religion and ethnicity during a cab ride in the nation's capital.

I am concerned that the next few years may be marked by conflict escalation between Trump supporters and opponents.

I am concerned that the next 20 years in the United States may subject us to some type of nationalistic violence within our borders.

 

I hope these concerns are unfounded.

I hope for peaceful dissent and respectful disagreement.

I hope for a nation that can recognize it has faults even if we disagree on how to fix them.

I hope the country is a better place for my girls when they grow up.

I hope.

Is This the Country We Live in?

I'll be honest.  I thought that the United States had made a lot of progress in the last 50 years.  Apparently I was misinterpreting improving public dialog for genuine improvement of society.  Instead, for some large swath of the country, it was just a mask they felt obliged to wear while they privately stewed in a fantasy world of fear of people different from themselves.

I honestly didn't realize how mainstream the peddling of ignorance and fear had become.  I guess that probably mostly comes from not consuming news programs supported by ad revenue.

This American Life ran two episodes in October that were rather eye-opening.  The first was "Seriously?" in which they explore how people have become convinced that interpretation is the same as fact.  And in "Will I Know Anyone at This Party?" they explore the anti-Islamic movement that seems to have taken over the Republican Party.

In the latter episode a reporter looks into the anti-Islamic movement specifically in Minnesota.  I was honestly dumbfounded by the fever-pitched fear-of-others being fueled by ignorance.  I also learned about and gained a respect for Congressman Tom Emmer.  I greatly disagree with him on a good many topics, but I was impressed by his push-back during a town-hall meeting he hosted with his constituents:

Sue: You're our only chance.
Tom Emmer: For what, Sue? What is it that you want?
Sue: OK,
Tom Emmer: What is it that want from me?
Sue: I think I speak for a lot of people. I think the city of St. Cloud needs a breather. And we need to assimilate with the people that are--
Tom Emmer: What does that mean? What does that mean?
Sue: It's a break on the influx for a period of time, so we could take a little breather.
Tom Emmer: Here's the thing, your last statement, though, "take a little breather."
[SCATTERED APPLAUSE]
Tom Emmer: You guys, could you just hold on. Say it out loud. Are you suggesting that no more immigrants should be allowed to come to St. Cloud?
Sue: A moratorium for a short time.
Woman: For the whole United States!
Man: The whole United States, yes.
Tom Emmer: All right. All right, here's the thing. All I can do is respond as open and honest as I can, Sue. That's not something that I can do. That's not something that our constitution says that we do with people who are--

Earlier he said this in response to the same sentiment:

I'm going to say it out loud-- when you move to a community, as long as you are here legally, I am very sorry but you don't get to slam the gate behind you and tell nobody else that they're welcome. That's not the way this country works.

His constituents are telling him they want him to stop immigrants from moving to their city (and the whole country).  And he flat out tells them that's not an option.  And they were not happy about it.  I think that must take real guts as a politician who, presumably, wants to get reelected by these same people.  Good for him.

Later on in the program the reporter, Zoe Chace, goes to South Dakota to witness a meeting by, essentially, an anti-Islamic evangelist.  He's not a preacher of religion, but he has a donation basket and spends his time traveling around telling people how Islam is destroying America.

After the meeting Chace spoke to a state representative who attended:

In this hotel ballroom in Aberdeen, South Dakota, people aren't interested in a debate over the economics of immigration. This is a conversation about fear. The most memorable conversation I had was with this state rep Al Novstrup. He's been in state government for 14 years, and he came to this meeting to get more information on Sharia law potentially taking over his city. Like it has other places, he says.

Zoe Chace: Like where?
Al Novstrup: Dearborn, Michigan?
Zoe Chace: Have you seen that happen there?
Al Novstrup: I haven't been to Dearborn, Michigan.
Zoe Chace: From my perspective, as a national reporter, there's still the Constitution. There's no Sharia anywhere.
Al Novstrup: You don't think there's Sharia anywhere in the United States?
Zoe Chace: Correct.
Al Novstrup: I think you need to read more.
Zoe Chace: I do read.
Al Novstrup: You don't think there's Sharia any place in the United States? You don't think-- wow. OK. You don't think there's Sharia? I'm just blown away. We're living on two different planets.

And clearly Representative Novstrup has one thing right: we're living on two different planets.  The planet he lives on is a fantasy world of fear fueled by confirmation bias and willful ignorance.

When I hear people freaking out about Sharia Law being practiced in the United States I used to assume they meant something like how orthodox Jews live by Jewish Law or Mormons might subject themselves to disciplinary action from their church because they want to.  Which, by that measure, I'd be surprised if Sharia law isn't being practiced within the United States.  That's sort of a foundational principle of freedom of religion.  People can choose to voluntarily live by a stricter code of conduct than the legal code prescribes.  Not really something worth freaking out about, but people choose to be afraid of things they don't understand.

But apparently that's not what is meant by many of the people freaking out.  They seem to be of the opinion that the legal code in some parts of the country is now literally Sharia Law.  That whether you're a follower of Islam or not you'll be arrested and charged based on Islamic legal codes.  If so, that would be completely inappropriate, but also really, really easy to prove.  But they can't prove it, because it isn't happening.  But that fact is irrelevant.  They apparently want to live in fear and so facts can't permeate their barrier of intentional ignorance.

Perhaps people of this mindset are simply unaware of concepts like confirmation bias, frequency illusion (sometimes called the Baader-Meinhof effect), declinism, framing effect, illusory truth effect, or a dozen other well studied cognitive biases that cause our perception of the world to be out of sync with reality.  Everyone is susceptible to these problems.  The best we can do is recognize they happen and attempt to acquire actual data through well-examined methodologies to get past our own psychology.

Perhaps our greatest challenge as a society right now is that technology has perpetuated and encouraged all of these cognitive biases rather than fought against them.  Confirmation bias lets us only see what we expect to see, frequency illusion allows us to feel like we're discovering something novel about the world, the framing effect makes us feel like our in-group thinking is right so long as all new information is framed to fit, the illusory truth effect describes why we'll begin to believe anything so long as we see/hear it enough times, declinism encourages us to see things as getting worse despite all evidence to the contrary.  And cognitive dissonance ensures we'll stop seeking out contradictory information because it makes us feel weird/bad.

Now go on to Facebook or Twitter or Instagram or whatever and realize that the algorithms deciding what you see are exploiting these cognitive biases to drive ad revenue.  Playing to these biases gets you to stay longer, come back more frequently, and engage more often; which means they get to show you more ads and make more money.  Truth be damned.

If you get fired up about the stupid thing Trump did today and start reading about it and posting about it then Facebook will make sure to show you more and more things like that whether they're based in reality or not.

If you "know" refugee immigrants are destroying the country and make sure everyone on Facebook knows, then guess what "news" articles are going to show up in your feed.  It will be articles about immigrants destroying the country regardless of veracity and you won't even question the validity before frothing at the mouth about it because your cognitive biases are firing on all cylinders.

Let's try an example.

Find me the quote where Trump says he'd like to put all Muslims in the United States into a registration database.  Many people are sure he said it, but I couldn't find it.  The Washington Post (certainly not a pro-Trump publication) did the best they could to nail this down.  Yes, he talked out the side of his mouth a bit and let people draw their own conclusions, but he never actually said, "I want to put them in a database," or anything comparable.  Also, yes, it would have been easy enough for him to denounce the idea entirely and he should have done so.  But the discussion isn't about what he didn't denounce, it's about what he said.  And he didn't say it.

If your reaction to reading the above is, "I didn't know Kyle was a Trump supporter" then you've both proved what I'm talking about while completely missing the point yourself.  I'm not.  You've jumped from facts to interpretation.  Pointing out that something did or did not happen does not make you for or against that thing.  Back up a few paragraphs and try again.

I don't know what the solution is as a society.

We need to learn to take a breath and step away for a while before responding to things that make us emotional.  We need to reward news organizations that don't focus their reporting on making us emotional.  We need to learn to critically evaluate what we're reading and hearing before responding.  We need to accept that we will disagree with each other on topics we feel are really important.  We need to understand that the person we disagree with is still a person.  The other person may seem smug, arrogant, condescending, and infuriating, but we not only get nowhere by responding in kind, we can also galvanize the "other side" in their position (see Backfire Effect).

Possibly the most important thing we all can do is be willing to accept the possibility (no matter how remote it may seem) that we may be wrong about something.  When we become dogmatic in our beliefs we guarantee nothing will change.

Rational Dialog? Nah. Religion Edition

I've spent the last few months watching the BBC's 1973 mini-series titled, "The World at War" about World War II.  It's a fantastic study of the war.  It doesn't demonize the Axis; it doesn't revere the Allies.  It recognizes that the vast majority of participants were just everyday people trying to live their lives as best they could in unbearable circumstances.  It would be great to have a production of this quality done today with all of the information we know from after the fall of the Soviet Union and the declassification of many documents.

I bring this up because one of the important threads from WWII was the persecution of minority groups and how the general population was led from (often) having some underlying negative feelings towards these groups in general to willingly rounding them up and shipping them off to their slaughter.

With these lessons fresh in my mind some of the rhetoric I'm seeing in the news as it relates to Muslims is concerning.  Do I think the U.S. is on the verge of rounding up Muslims into concentration camps like we did U.S. citizens of Japanese descent during WWII?  Not today.  I hope not ever.

Nevertheless, rhetoric that riles up emotions of anger, mistrust, and fear will inevitably escalate to calls-to-action.  Fearful members of the public will lash out in their own simple-minded ways.  Activities like these people attempting to intimidate Muslims by standing outside their mosque with firearms and following around people who come and go will increase.  Without some calming influence I fear it's only a matter of time before one of these people murders a Muslim and believes they are "protecting America."

I am heartened, however, by the counter-protesters who are calling out this dangerous activity.  So long as counter-protesters keep showing up and are willing to defend those targeted by anger then I believe we can avoid national disgrace--and unmitigated bloodshed.

Last year, as part of obtaining a graduate certificate in national security affairs, I took a graduate course on the history of terrorism and counter-terrorism.  One thing Americans seem to be playing directly into is one of the recruiting tactics used by Islam-based terrorist organizations.  The recruiting message is that the West is at war with Islam and that God (Allah) is calling them to fight.  Anything we do as a country and as a people that provides evidence that this is true amplifies their message.

We need to be the calming influence that prevents these events from spiraling out of control.  We need to show that we understand the difference between religion and violence that uses religion as an excuse.

Terrorism is a parasite that, throughout history, has infected one ideology after another.  The current ideology that it infects is extremist Islam.  It will eventually move on to find another host.  When it does, how are we going to view ourselves and how we handled it?