Is web encryption just for sites with sensitive data? Security expert Scott Helme explains why every site needs this layer of cybersecurity, and how the industry is quickly adopting it.
According to recent reports, about half of all web traffic is encrypted, providing a layer of protection for users. Google even announced that 77 percent of its traffic is encrypted. While the rate of web encryption is increasing, some sites still leave user information exposed.
Information security consultant Scott Helme says that while high-traffic sites are fully encrypted, only a small percentage of all websites use proper encryption. So why don’t more sites use web encryption, and what are the barriers to adopting it? Helme, an international speaker on the topic, shares his insights.
Why aren’t all organizations using web encryption?
There are a few different things. One of them is that historically it was expensive to deploy encryption. Cost is usually the biggest hurdle for businesses. There was the cost of buying the certificates, but there was also quite a performance overhead with encryption, so you would have to have more or better servers.
There were technical challenges of deploying that as well, so you would need people within your organization who would perform these roles or have these specialist skills, which goes back to the cost aspect. We’ve removed a lot of those barriers now, but it takes a long time for that information to filter through, especially into larger organizations and government bodies.
How are those barriers to encryption being removed?
One of the biggest ones is a certificate authority called Let’s Encrypt that was set up with the sole purpose of giving out certificates to anyone who wants one, for free. Any person or business can get one of the certificates that historically you would have to pay for.
In terms of performance, which ties back to cost, hardware has become so efficient and we’ve optimized encryption so much. The overhead of doing it is negligible from a performance aspect. Our education and our tooling have become better. Historically, it was hard and you needed to know a lot about settings and options, whereas now we have a lot of information out there for people to educate themselves, and we also have a lot of automated tooling.
How much is having enough qualified staff an issue with adoption?
We’re trying to tackle this from the tooling side and the automation side to make it better and more reliable, but we’re also trying to broaden the number of people you would see involved in it in organizations.
While historically you may have seen dedicated staff for it, there’s a broader range of people getting involved in web encryption because we lowered the technical barrier.
Why is it so important for the full web to be encrypted, not just sensitive data?
There are many reasons. In the past, we’d only offer encryption on certain portions of websites – so not even an entire website. We very quickly found out that wasn’t sufficient, so if you want the benefits and protection of encryption, you have to encrypt the entire website.
There are attacks that depend on websites not using encryption. For example, my website uses encryption, but if another website you visit doesn’t, that can be used to launch an attack on my website. We saw the Chinese government use this in an attack against GitHub. Even though GitHub used encryption, they leveraged the fact that other websites were not secure to attack GitHub.
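As an added example (not code from Helme or the original article), the following Python script audits a constructed HTML page for subresources that a browser would still fetch over plain HTTP, the "certain portions" of a site that the answer above says leave the whole page exposed. The tag mapping and the active/passive labels are my assumptions; a script, stylesheet or form that travels unencrypted is the kind of dependency the GitHub case shows can be turned against an otherwise encrypted site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming a subresource the browser fetches into the page.
# <a href> is deliberately excluded: a navigation link is not loaded into the
# page, so it cannot alter it. (Assumed mapping for this example.)
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src",
                  "object": "data", "form": "action", "img": "src",
                  "audio": "src", "video": "src", "source": "src"}
# Content that runs code, renders a document or carries user data: tampering
# with it in transit compromises the page; the rest is "passive".
ACTIVE_TAGS = {"script", "link", "iframe", "object", "form"}

class PlaintextRefFinder(HTMLParser):
    """Collect every subresource reference that resolves to an http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr_name) if attr_name else None
        if not value:
            return
        # Resolve relative and protocol-relative (//host/...) references against
        # the page URL; on an HTTPS page those inherit https and are not flagged.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, absolute, kind))

def audit_page(page_url, html):
    """Return the http:// subresources of a page, active ones first."""
    finder = PlaintextRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return sorted(finder.findings, key=lambda f: f[2] != "active")

# Constructed sample page: served over HTTPS but only partially encrypted.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://analytics.example.net/tracker.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<form action="http://login.example.com/submit" method="post"></form>
<a href="http://partner.example.com/">partner</a>
</body></html>"""
```

Calling `audit_page("https://www.example.com/", SAMPLE_HTML)` reports the tracker script and the login form as active plaintext dependencies and the logo as passive, while the relative stylesheet and the protocol-relative CDN script resolve to https and pass.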
What’s the future of web encryption?
My desire is for a fully encrypted web, though that’s many years down the track. I’m waiting and hoping for the day we have a default encrypted web. Now, everything on the web is insecure by default, and we have to deploy encryption and enable it. I’m looking forward to the day when web encryption is the default, and we have to opt in to have an insecure web.