SAN FRANCISCO — Twenty years after Netscape introduced encryption to web browsers to safeguard the private data of Internet users, roughly two-thirds of web traffic still moves on unprotected channels, according to research by Sandvine, a network equipment provider.
Whether you visit Amazon’s product pages, stream a movie from Netflix or read the tax rules on the Internal Revenue Service’s website, marketers and hackers can snoop on everything you do.
But now, the computer industry and the United States government have embarked on a major, multifront campaign to have basic web encryption — known as HTTPS or TLS encryption — more widely adopted.
A nonprofit group backed by several leading technology companies and advocacy groups, including Mozilla, Cisco Systems and the Electronic Frontier Foundation, is offering a free set of services called Let’s Encrypt to help website administrators incorporate HTTPS security into their sites.
Tech giants like Google and Apple are also flexing their power to encourage websites and mobile app makers to adopt basic encryption or be penalized in web searches and the Apple App Store.
And the Obama administration — embarrassed by Edward J. Snowden’s revelations of mass surveillance by the National Security Agency and the theft of federal personnel records by foreign hackers — has ordered all publicly accessible websites run by the executive branch to use HTTPS encryption by the end of 2016.
HTTPS encryption essentially creates a private connection between a user’s browser and the website being visited so that the information being exchanged cannot be viewed or modified by an outsider. Typically signified by a lock symbol in the address bar, it is routine on sites intended for the exchange of confidential financial data, such as bank or store checkout pages. Big sites like those owned by Facebook, Yahoo and Google have also adopted such basic encryption in recent years.
But millions of websites are unprotected, especially older sites and those whose pages pull in content from third parties, such as news sites that show advertising coming from many sources.
Without encryption, digital trackers can — and do — scoop up detailed information about people’s browsing habits on those sites. Some of the snooping is done by marketers looking to build profiles of web users and some by Internet service providers that want to insert extra ads on web pages visited by their users.
An unencrypted connection also opens the possibility of a hacker’s impersonation of a trusted website for more nefarious reasons, such as to steal personal information.
“When the page you visit is not secure anywhere along the network path, anyone, whether it’s the N.S.A. or another government or the I.S.P., can sniff on your traffic and see what you’re browsing,” said Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation, an Internet policy group involved in several projects to promote encryption.
Configuring a new site for HTTPS encryption can be complicated and costly, especially for a small company without a dedicated tech services team.
Let’s Encrypt, the new offering from the Internet Security Research Group, is intended to take some of the inconvenience out of the process by offering a complete package of free security services that a website operator can install on the server to easily set up or convert a site to include encryption.
“We want every site on the web to be able to provide HTTPS,” said Mr. Hoffman-Andrews, who has been working on the project. “We think that’s a value.”
The centerpiece of Let’s Encrypt is the site certificate, a sort of digital ID card that tells a web browser like Firefox or Safari that, say, the Chase.com you are visiting after typing the address into your address bar is really the bank and not an impostor. These certificates are sold by hundreds of providers around the world, some more reputable than others, but going through the process of getting a certificate and properly integrating it into your website can be more trouble than many sites want to go through.
The Let’s Encrypt team decided to simplify the setup, including getting approval to issue its own certificates. The project began offering its first certificates in September and plans wide-scale issuance in November.
By VINDU GOEL
OCTOBER 14, 2015 4:35 PM