Akamai's HTTPS fail sets a bad example

"If your firm uses Akamai, know that they can't even be bothered to install a valid HTTPS cert for their own website," tweeted Christopher Soghoian, a technologist whose day job is with the American Civil Liberties Union (ACLU), on Tuesday. He's referring to the digital certificate, which, if it were valid, would confirm when you make an encrypted connection to the website that it's actually connecting to the right place — as opposed to being intercepted by an impostor.

Except it isn't, so it doesn't.

Soghoian is also clearly unimpressed with Akamai's response. Apparently, the certificate has been dodgy for months, and it has been told about it several times. "Thanks for noting, Chris. It's something we're actively addressing. Hope you'll let your followers know that, as well," tweeted Jamie Pappas, a social media consultant who's working with Akamai.

Now, in this particular instance, we're probably not connecting to an impostor. "You attempted to reach akamai.com, but instead you actually reached a server identifying itself as a248.e.akamai.net," says the warning in the Google Chrome web browser. I'm guessing that a248.e.akamai.net is a server in Akamai's cloud that's correctly serving out Akamai's website.

But that's only a guess. Little ol' a248.e could also be run by any one of Akamai's customers — or even hackers who've found their way into Akamai's infrastructure somehow — running a web proxy, intercepting my web traffic, or even loading my computer with malware, all while simultaneously showing me Akamai's site, or even just a convincing replica.

There's simply no way I can tell.

So I weigh the odds, chew my thumb, toss a coin, and click on "Proceed anyway".

It's a bad habit to be getting into. Once I start ignoring warnings in cases like this, I'll end up paying less attention to them, and I might start missing the times when I connect to examp1e.com instead of example.com — imagine what fun the bad guys will be able to have once Unicode is more widespread in domain names. Or I'll be tempted to skip over more serious warnings, such as expired certificates, or certificates that come from a less-than-reputable source.

Laziness, some might say? Inevitable, given human nature, a realist would say.

That's why Soghoian is right to be giving Akamai a slap. It's one of the world's largest content distribution networks — it claims to serve out 30 percent of all web traffic by volume — and yet, it hasn't bothered to get this basic bit of security configuration sorted out. That's the real laziness. And Akamai is far from being the only guilty party when it comes to this sort of thing. I'm embarrassed to admit it, but I'm guilty, too.

I suppose some will argue that it's all a fuss over nothing, that all I'm looking at is Akamai's public website, and there's nothing confidential about that. If I'm wanting to do something that needs security, like manage any Akamai services I might run, then I'd be using its control panel at control.akamai.com — and there the certificates are in order.

My counter-argument is that, as the revelations of Edward Snowden have shown us, anything and everything can be of value to an observer. It all adds up.

Indeed, when it comes to securing credit card data, the traditional use for HTTPS, I tend to agree with security megastar Gene Spafford: "Using encryption on the internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench," he's been quoted as saying. The bad guys scoop up credit card numbers in bulk these days, and the banks have become very good at spotting fraudulent transactions, which means there's no value in picking off credit card numbers one at a time.

No, think instead about what you could learn by monitoring ordinary, unencrypted web browsing, perhaps by sniffing the hotel or airport Ethernet. Watch what academic papers the researcher is reading, revealing her company's plans for future products. Note the married businessman browsing an escort agency, providing an opportunity for blackmail. See the shipping company confirmation that the order will be delivered on Friday, meaning an opportunity to intercept and steal the package.

Any organisation that purports to care about their customers' privacy but doesn't use HTTPS is basically telling porkies — especially when certificates can be had for free, and even if you need to screw around with the approval process, it takes under an hour to configure it.

I've just added "Install HTTPS certificate" and "Enable HTTPS by default" as to-do list items for all the websites I'm personally responsible for. If you manage any websites, you should be doing the same.