
Privacy push means free encryption for websites

Secure network connections protect people against snooping and criminals, but it's a hassle for websites. Mozilla, Cisco, the Electronic Frontier Foundation and others want to change that.

The US National Security Agency is one organization that benefits from being able to read unencrypted Web traffic.

A tech-industry alliance announced a move Tuesday to help make privacy on the Web the rule rather than the exception.

Web privacy comes through encrypted connections that scramble data sent across a network between servers that house a Web page or Web app and browsers used to view them. But it's something of a hassle and expense for site operators to obtain the necessary certificate, an essential part of setting up an encrypted connection. Certificates provide a digital mechanism to let a browser trust a Web server's encryption.

That's where an alliance comes in that links Firefox browser maker Mozilla, network equipment maker Cisco Systems, Internet content distributor Akamai Technologies, digital-era rights advocate Electronic Frontier Foundation, certificate provider IdenTrust and researchers from the University of Michigan. They're backing an effort called Let's Encrypt that offers free certificates to those running servers on the Internet.

"Let's Encrypt...lets everyone be up and running with basic server certificates for their domains through a simple one-click process," said Josh Aas, executive director of the Internet Security Research Group, which the organizations tasked to run the operation. The domains should become available in the second quarter of 2015.

Encryption got its start on the Web to protect sensitive data like online purchases, but it's been expanding in response to concerns over privacy, government snooping and identity theft. The standard used to provide encryption on the Web is called Transport Layer Security (TLS), previously named Secure Sockets Layer (SSL).

One major advocate is Google, which added encryption to Gmail, YouTube and Web searches in recent years and is spreading it to its other sites through a program called HTTPS-100. Encrypted websites are signified by an address that begins with "HTTPS" rather than just "HTTP."

With its HTTPS-100 program, Google is moving existing services to encrypted connections, launching all new services with encryption and making sure data is encrypted not only while in transit over a network but also while stored.

"We're not there yet, but we're making rapid progress," said Ilya Grigorik, a Web performance engineer and developer advocate at Google, in a presentation at the Velocity Conference this week in Barcelona, Spain. It's part of a long-running campaign to convince website operators that encrypted connections don't add an undue performance burden.

Google also gives preferential treatment in search results to pages that are delivered over an encrypted connection.

Tech companies, displeased with 2013's revelations about government snooping from former National Security Agency contractor Edward Snowden, have been responding with more encryption. The NSA and its UK counterpart, the GCHQ, evidently are displeased with that response. The GCHQ's chief said tech titans' communications networks are now "the command-and-control networks of choice for terrorists and criminals."

The Internet Architecture Board (IAB), an organization that helps oversee standards work at the Internet Engineering Task Force, also is pushing for encryption.

"We have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known," the IAB said in a mailing list message on November 14 to a standards group. "The IAB now believes it is important for protocol designers, developers and operators to make encryption the norm for Internet traffic."

That will cause problems with network services that rely on processing unencrypted network traffic -- detecting network intruders and screening out spam, for example -- but it's worth the difficulty, the IAB said. "We believe that each of these changes will help restore the trust users must have in the Internet."

Corrected at 10:48 a.m. PT to identify the group calling for standards designers and programmers to make encryption the norm. The group is the Internet Architecture Board.