Gmail, Security and the vulnerability in SSL/TLS protocol
Back in 2008, Google added an option in Gmail’s settings to use https throughout your session. That made you feel a little safer reading your email over the public WiFi at your local coffee shop. The main drawback of SSL/TLS is the extra overhead it imposes, and with it some extra latency. That latency was noticeable a few years ago, when the average broadband speed did not exceed 1 Mbps; it is far less so today. After studying the security/latency tradeoff, Google decided to roll out https by default for all Gmail users for the sake of security (you can still turn it off in settings, but the login page itself stays on https).
About two months ago I came across a couple of interesting articles on h-online.com about a vulnerability in the SSL/TLS protocol, in its handling of renegotiation, which could be abused for password theft. It is surprising that something we have trusted for years turned out to be broken. At first I thought “what the heck..?!”: if https itself is vulnerable, what is the point of choosing to use it at all? Well, the truth is that if you are investing in 100% security you are wasting your money. Unfortunately there is no such thing as 100% secure (at least for the time being). The good news is that there is a fix for the TLS vulnerability. According to H-online:
The Internet Engineering Task Force (IETF) has amended the RFC 5246 specification (Transport Layer Security [TLS] Protocol Version 1.2) and introduced a new renegotiation_info TLS extension which will store a connection’s cryptographic information.
If you ask me, nothing is even close to 100% secure. The harsh truth is that even when quantum cryptography becomes practical, end-to-end security will still be exposed to attacks of various kinds. Still having second thoughts every time you log in somewhere? Then check out ForceHTTPS, a Firefox add-on that makes the browser use https every time for the sites you enable it on, so a plain http link or a typed http address cannot silently downgrade the connection.
As its authors describe it: ForceHTTPS allows sophisticated users to transparently retrofit security onto some insecure sites that support HTTPS.
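To make concrete what the renegotiation_info extension quoted above actually carries, here is an added example (my own code, not from the original post, from H-online or from any TLS library): a small parser that inspects a TLS ClientHello or ServerHello and reports whether the peer signals RFC 5746 secure renegotiation, either through the renegotiation_info extension (type 0xff01) or, for clients, through the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff). It also decodes the value the extension carries: empty on an initial handshake, and on a renegotiation the verify_data from the previous handshake's Finished messages, which is what ties the new handshake to the old connection. The hello messages it parses are constructed inline by a helper for the demonstration, not captured traffic.

```python
"""Inspect a TLS ClientHello or ServerHello for RFC 5746 secure-renegotiation signalling.

Added example for this post; not code from the post, H-online, or any TLS stack.
The sample hello messages below are constructed, not captured from a real server.
"""
import os
import struct

RENEGOTIATION_INFO = 0xFF01   # extension type, RFC 5746
EMPTY_RENEG_SCSV = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746
HANDSHAKE = 0x16              # record-layer content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def _parse_hello(record):
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or len(body) != _u16(record, 3):
        raise ValueError("truncated record")
    kind = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    off = 2 + 32                      # protocol version + random
    off += 1 + hello[off]             # session_id
    if kind == CLIENT_HELLO:
        cs_len = _u16(hello, off); off += 2
        suites = [_u16(hello, off + i) for i in range(0, cs_len, 2)]
        off += cs_len
        off += 1 + hello[off]         # compression_methods
    elif kind == SERVER_HELLO:
        suites = [_u16(hello, off)]; off += 2
        off += 1                      # compression_method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    extensions = {}
    if off < len(hello):              # the extensions block is optional
        end = off + 2 + _u16(hello, off); off += 2
        if end != len(hello):
            raise ValueError("bad extensions length")
        while off < end:
            etype, elen = _u16(hello, off), _u16(hello, off + 2)
            data = hello[off + 4:off + 4 + elen]
            if len(data) != elen or etype in extensions:
                raise ValueError("truncated or duplicate extension")
            extensions[etype] = data
            off += 4 + elen
    reneg = extensions.get(RENEGOTIATION_INFO)
    reneg_info = None
    if reneg is not None:
        # opaque renegotiated_connection<0..255>: one length byte, then the data
        if not reneg or reneg[0] != len(reneg) - 1:
            raise ValueError("malformed renegotiation_info")
        reneg_info = reneg[1:]
    secure = reneg is not None or (kind == CLIENT_HELLO and EMPTY_RENEG_SCSV in suites)
    return {"kind": kind, "cipher_suites": suites, "extensions": extensions,
            "secure_renegotiation": secure, "reneg_info": reneg_info}


def parse_hello(record):
    """Parse one TLS record holding a ClientHello or ServerHello.

    Returns a dict with the message kind, offered/selected cipher suites,
    extensions (type -> raw data), whether RFC 5746 support is signalled, and
    the decoded renegotiated_connection value (None if the extension is absent).
    Raises ValueError on malformed input rather than guessing.
    """
    try:
        return _parse_hello(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated hello") from exc


def expected_reneg_info(client_verify=b"", server_verify=b""):
    """Encode renegotiated_connection: empty on the initial handshake; on a
    renegotiation the client sends its previous client_verify_data and the
    server echoes client_verify_data + server_verify_data."""
    data = client_verify + server_verify
    return bytes([len(data)]) + data


def build_hello(kind, cipher_suites, extensions):
    """Constructed sample (not captured traffic): a minimal TLS 1.2
    ClientHello or ServerHello wrapped in one handshake record."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session_id
    if kind == CLIENT_HELLO:
        suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    else:
        body += struct.pack("!H", cipher_suites[0]) + b"\x00"
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    msg = bytes([kind]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(msg)) + msg


# Constructed samples: an unpatched client, two patched clients, an unpatched and a patched server.
LEGACY_CLIENT = build_hello(CLIENT_HELLO, [0xC02F, 0x002F], [])
SCSV_CLIENT = build_hello(CLIENT_HELLO, [0xC02F, 0x002F, EMPTY_RENEG_SCSV], [])
EXT_CLIENT = build_hello(CLIENT_HELLO, [0xC02F], [(RENEGOTIATION_INFO, expected_reneg_info())])
LEGACY_SERVER = build_hello(SERVER_HELLO, [0xC02F], [])
PATCHED_SERVER = build_hello(SERVER_HELLO, [0xC02F], [(RENEGOTIATION_INFO, expected_reneg_info())])

if __name__ == "__main__":
    for name, rec in [("legacy client", LEGACY_CLIENT), ("SCSV client", SCSV_CLIENT),
                      ("ext client", EXT_CLIENT), ("legacy server", LEGACY_SERVER),
                      ("patched server", PATCHED_SERVER)]:
        print(f"{name:15s} secure renegotiation: {parse_hello(rec)['secure_renegotiation']}")
```

Run directly, it prints one line per sample; only the SCSV client, the extension client and the patched server come back as secure. Against a live server the same question is what `openssl s_client` answers with "Secure Renegotiation IS supported" or "IS NOT supported": a server that omits the extension from its ServerHello can still be renegotiated with by an attacker using the old, unbound handshake.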