We're a long, long way from securing the Web with SSL/TLS

It sounds so simple: Just use SSL or TLS for secure Web connections. So, why are 99 out of the world's top 100 Web sites not automatically securing their connections?
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Firesheep can certainly be mis-used as a hacking tool. It was meant, however, to serve as a wake-up call to everyone that Web site managers were doing a lousy job of securing their Web sites. How has that worked out? Not well at all as far as I can tell.

I, and lots of other people, have written lots of stories about what you can do to protect yourself from Firesheep; how to keep your Wi-Fi connection safer; and what Web site administrators need to do to secure their sites. So, I'm sure some people at least are trying to practice safe Interneting. But, what about the Web hosting companies and the major Web sites? Eh, not so much.

Over at the official Firesheep Google group, there are a whole 143 messages, and most of them are technical support style questions. I don't see a single message about how someone would go about securing their Web server. Mind you, there's no rocket science to getting started with Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or TLS/SSL over HTTP (HTTPS). But, you'd think someone would ask. They haven't.

Far more telling is AccessNow's analysis of the top 100 Web sites. According to AccessNow, a group devoted to the belief that the realization of human rights and democracy in the twenty-first century depends on Internet access, only one of the 100 most popular Web sites currently uses TLS/SSL correctly.

The one site that does get it right is PayPal. There, both your login and all your activities are protected by encryption.

Other sites will let you force a secure connection with the use of Firefox extensions such as HTTPS Everywhere and Force TLS. But, there are fewer of them than you might think, and not all their pages are protected by HTTPS.

AccessNow's Website spreadsheet (XLS format) shows that only Adobe; Hotfile, a file hosting site; Mozilla; and GoDaddy will let you manually protect all your Internet activities. Other popular sites, such as Google, Facebook, and YouTube, will let you manually protect some, but not all, of your activities on their sites.

The vast majority of popular Web sites, including Baidu, the Chinese search engine; Wikipedia; and the various national versions of Google, such as Google India and Google Hong Kong, don't offer encrypted connection protection. In Google's case, according to AccessNow and my own tests, if you try to force the use of a secure connection on a national site, all that happens is that you're redirected to a non-encrypted U.S. Google site. Not good.
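The downgrade behaviour described above, and the Firesheep-style exposure that comes with it, can be checked without any browser extension: request the HTTPS version of a page, follow the redirect chain, and see whether you end up on plain HTTP and whether the session cookie the final page sets is marked Secure. The following is an added example, not code from the article or from AccessNow; it works on constructed, in-memory responses (the `*.test` hostnames and cookie names are made up) so it runs offline, and the same `audit` function could be fed real responses from an HTTP client.

```python
"""Offline audit of whether a site keeps a session on HTTPS.

Added example: it models a redirect chain with constructed responses and
flags the two things a Firesheep-class sniffer relies on: a forced-HTTPS
request being bounced back to HTTP, and a session cookie sent without
the Secure attribute (so a browser will also send it over plain HTTP).
"""
from dataclasses import dataclass
from urllib.parse import urljoin, urlparse


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and headers.
    Set-Cookie is kept as a list because a server may send several."""
    status: int
    headers: dict


REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_redirects(url, responses, max_hops=10):
    """Return the list of URLs visited, starting at `url`, by following
    Location headers in the (constructed) `responses` map."""
    chain = [url]
    for _ in range(max_hops):
        resp = responses.get(url)
        if resp is None or resp.status not in REDIRECT_STATUSES:
            break
        # urljoin resolves relative Locations and lets absolute ones win
        url = urljoin(url, resp.headers.get("Location", ""))
        chain.append(url)
    return chain


def cookie_lacks_secure(set_cookie):
    """True if a Set-Cookie header value has no Secure attribute."""
    attributes = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" not in attributes


def audit(url, responses):
    """Return a set of finding codes for one request to `url`:
      downgrade              - HTTPS request ended on an http:// URL
      no-upgrade             - plain HTTP request was never redirected to HTTPS
      cookie-without-secure  - final page set a cookie a browser may leak over HTTP
    An empty set means the exchange stayed on HTTPS with Secure cookies."""
    chain = follow_redirects(url, responses)
    final_url = chain[-1]
    final = responses.get(final_url)
    findings = set()

    started_https = urlparse(url).scheme == "https"
    ends_https = urlparse(final_url).scheme == "https"
    if started_https and not ends_https:
        findings.add("downgrade")
    if not started_https and not ends_https:
        findings.add("no-upgrade")

    if final is not None:
        for set_cookie in final.headers.get("Set-Cookie", []):
            if cookie_lacks_secure(set_cookie):
                findings.add("cookie-without-secure")
    return findings


# Constructed sample exchanges (hostnames and cookies are invented, not real traffic).
SAMPLE_RESPONSES = {
    # A site that forces HTTPS and marks its session cookie Secure.
    "http://good.example.test/": Response(301, {"Location": "https://good.example.test/"}),
    "https://good.example.test/": Response(200, {"Set-Cookie": ["sid=abc; Secure; HttpOnly"]}),
    # A national front end that bounces a forced-HTTPS request to a plain-HTTP sibling
    # and then sets its cookie without Secure: the pattern the article describes.
    "https://search.example-in.test/": Response(302, {"Location": "http://search.example.test/"}),
    "http://search.example.test/": Response(200, {"Set-Cookie": ["PREF=xyz"]}),
}


if __name__ == "__main__":
    for start in SAMPLE_RESPONSES:
        print(start, "->", sorted(audit(start, SAMPLE_RESPONSES)) or "ok")
```

The audit is deliberately per-URL: a site can pass on its login page and still fail on every page after it, which is exactly the "some, but not all" distinction in AccessNow's spreadsheet, so run it over the set of pages a logged-in session actually visits rather than the front page alone.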

How can we fix this? AccessNow suggests that we sign a petition, saying: "To the executives of the world's 100 most visited websites, we demand privacy and security for everyone everywhere and call upon you to immediately install HTTPS security on all pages of your websites."

That's not a bad idea. I don't think it will work, mind you, but I think it's still worth trying. The only way I really see most Web sites turning on secure connections automatically is after some users lose important information on their sites to someone using Firesheep or a real network protocol sniffer tool. Then, after the Web site has had the pants sued off it, and only then, will they finally spend the money to update their sites.

In the meantime, just watch what you say on-line. On most Web sites, most of the time, you never know who's listening.
