1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 12:24 pm May 21, 2026

Forum Moderators: phranque

Message Too Old, No Replies

Is the unencrypted web sustainable?

         

lammert

2:39 am on May 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Triggered by the recent discussion [webmasterworld.com] about Google starting to offer SSL encrypted SERPs, I have been thinking a lot about the unencrypted state of the Internet. Some specific uses of the Internet are often encrypted. Think of on-line banking or payment processing and shell access to remote computers with SSH for example. But most of the traffic on the net--especially general web surfing and email reading--is transferred in plain readable packets.

There is a historical reason for this. When Tim Berners-Lee invented the web it was seen as a method to make information easily available to everyone. The HTTP protocol was stateless and applications like eCommerce were unheard of. The stateless design made it impossible to have "personalized" Internet connections, so there wasn't flowing much personal information over the web anyway. Cookies were invented later to overcome this hurdle, but were not part of the original HTTP protocol. Encryption was also still something special, requiring a lot of processing power on both the server and client side.

Oddly enough at about the same time, the popular Telnet and FTP protocols were under fire because all their traffic was in plain text, and passwords and other sensitive information could be easily sniffed by other devices on the same network. System administrators changed the use of Telnet to SSH wherever possible, and SFTP and FTPS came as replacements for the unencrypted FTP file transfers. Telnet is now almost wiped out as a tool to get shell access to remote computers over the Internet and many people use one of the encrypted alternatives of FTP for critical file transfers. But strange enough web and email traffic stayed at about the same low encryption level. Except for situations where direct financial information was involved, almost no Internet traffic converted to encrypted traffic. A strange situation, because with the emerge of on-line email systems like Hotmail and Gmail, and CMS based web applications, social networks and all other kinds of on-line applications where people had to use passwords and stored their personal or business critical information, it seemed that no-one was thinking of the security implications of this.

I may have been in a special situation because the ISP I have used since 1997 for my Internet access has always offered webmail via SSL and also offered encrypted versions of the SMTP and POP3 protocol to send and receive email messages between my home office and their servers. When I started to offer these services to my clients some years ago, it was therefore a no-brainer for me to offer all these protocols also in an encrypted form. But the large part of the Internet community at the same time seemed to be unaware of the problems. Despite the warnings that had gone out years ago about the Telnet and FTP protocols, no-one seemed to link those threats to the new usages of Internet as they had emerged in recent years, which is a really strange situation if you look closely at it. For example, almost all ISPs offering secure SSH access to their servers, many on-line payment processors-and even my on-line Governmental VAT account--have the option to send a new password, or retrieve a lost password via email.

Think of it again. The main keys to your valuable information are sent via an unencrypted communication channel, often stored on servers where access is granted via unencrypted web interfaces and other plain-readable communication protocols, everyone is aware of that, and everyone finds it a normal situation. Why should your access to services be encrypted, if the keys to these services are sent and stored in an unencrypted way? Or should we instead encrypt the larger part of the Internet, because systems and protocols are so interconnected now that it is almost impossible to draw a clear line between public and private information?

A sophisticated attack on Google [webmasterworld.com] was needed to wake-up some people. At Google they now seem to understand that the situation as it has grown with a mostly unencrypted Internet is not sustainable anymore in 2010. They first encrypted their Gmail system [webmasterworld.com] and are now slowly converting the search engine. My personal idea is that their other services will follow soon. As websites won't get referrer information anymore from encrypted SERPs, website owners will start to convert their sites to make use of encryption. Pressure on social networking sites will increase to offer default SSL access to all personal data. And maybe in a few years time, we should say thank you to the hackers who made this all happen by showing us the large holes in our current Internet infrastructure which we refused to see in the past.

Granted, it is 16 years too late since the invention of the cookie and the personalization of web access, but better do it now, than wait another 16 years and clear up the mess then.

tangor

2:52 am on May 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



lammert... well presented. Can't argue any points. Merely state that in the paradigm of "free radio or tv" the consumer is dumb as a post. Preaching to the choir, then again, we don't all sing the same song.

lammert

4:16 am on May 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The consumer is not really involved in the process of converting the surfable web to encryption. Encrypting the web is something we as webmasters can do without the consumer even knowing it. It merely requires the installation of a certificate, a 301 redirect from the http: to the https: URLs and--except from search engine re-indexing and a different behavior of cachable content--the main part of the work is done.

Encrypting the full email stream requires much more effort. Every single Internet user has to change the protocol settings of his locally installed email software to use the secure versions of POP3, SMTP and IMAP for his local email connections. Encrypting the global stream of email between SMTP servers may be even more challenging as I know no large scale email hosts which accept incoming encrypted SMTP connections for global email transiting at the moment.

tangor

6:28 am on May 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Agreed. Preaching to the choir. Where we go from here is... interesting...

incrediBILL

6:37 am on May 25, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Encrypting the full email stream requires much more effort.

This can be mandated and forced by the ISPs just like the elimination of the SMTP port on most services.

Lots of good points but I can think of an even better one for secure email.

Anti-Spam.

If your email system rejected everything simply because the other side didn't have a valid email cert you might be free from phishing and most spam.

How many spammers do you know would pay for and offer their actual information to qualify for valid SSL certs?

It would raise the bar of make running scams costly and open up the perpetrators to being actually caught, or 100% ignored, since they couldn't do their dirty deeds without SSL, making their only other option hacking into servers that have SSL and use them until they get caught.

The hacked servers would end up being hardened more, another good benefit.

I'm all for 100% secure email just to see if it is possible to finally drive the spammers and the phishers out of business once and for all.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 12:24 pm May 21, 2026