Getting Website Security Implemented, The Right Way
There is currently tension between security and the surveillance state. One side stands for personal security, while the other stands for national security. Where do we strike the balance? Recent hype on the pro-personal-security side has centered on making "government-proof" products. But let's step back: government-proof? When someone uses the term government-proof, everyone suddenly becomes scared and on edge, because it easily sounds like a ‘terrorist’ or ‘criminal’ operation, especially to policy makers. The actual purpose of the pro-personal-security mission is far different from how it is seen in the public spotlight. However, using anti-government buzzwords attracts unwanted attention and actually sets personal security back. Instead, we should focus on a larger subject that enhances security and gives freedom without the hype.
In a recent seminar at Def Con 22, Christopher Soghoian, principal technologist at the ACLU, outlined why we need HTTPS encryption across the web and how to get system administrators to actually implement it without using scare tactics.
The general population does not push system administrators or whole companies to implement security features across their websites. When a company is pushed in the direction of personal security, it questions the reasoning for implementation. The reasoning users give stems from government surveillance and, honestly, the company sees no benefit in implementing the security suite other than appeasing user demand. What do the users get? Enhanced privacy, but now that company has put a substantially larger load onto the website servers, and it has cost them money? And this is all to deter the NSA from seeing that you went to freedomhacker.net to read news?
Soghoian explains why we need to deter the NSA from collecting the whole haystack, and why we can’t do that while websites won’t take the simple step of implementing HTTPS alongside HSTS. We need valid reasoning for this, rather than mentioning three-letter agencies attacking the internet every other day.
Soghoian mentioned three general ways to get system administrators to explain to companies why forced SSL sitewide is essential:
- Naming and Shaming – Publishing transparency reports that give bad publicity or let users know their security and privacy are at risk because the company has failed to implement proper measures.
- Make something of the Game – Companies will start to compete to get better security ratings from sites such as SSLLabs and others.
- Bribes – Soghoian briefly mentioned how he offered whiskey to one security administrator who implemented it. The story was later published in the media, and he showed a humorous email a system administrator had recently sent him about getting two bottles of whiskey if he implemented SSL across the site.
This means we no longer mention the government; we persuade or bribe the administrators in other ways, rather than stating that the government is causing these issues.
While there are many legal issues concerning SSL, encryption, and fundamental security and privacy as a whole, the case needs to be explained properly. Soghoian mentions how the government sees only the negatives, such as the claim that only terrorists, pedophiles, and drug dealers utilize secure protocols. While such assertions are false, Congress will not be able to further demonize SSL in the future, as it is implemented by Google, Facebook, Yahoo, and a huge portion of the web that currently uses these security technologies without any ‘vital’ hiccups.
As we begin to implement security further, Soghoian outlines that companies need to make their documentation sound “boring.” Saying these new emails are ‘NSA-proof’ or safe from these three-letter agencies is “scaring Congress.” Soghoian goes over why these buzzwords deter further implementation and won’t stop government spying. The implementation needs to sound ‘boring’ so that policy makers are not scared by the ‘NSA-proof’ buzz and will implement it for the real security reasons.
With the ‘NSA-proof’ buzzword, “it starts to become a security vs. security world”, Soghoian outlines. No longer are we working to create a secure internet; we are challenging people’s implementations, slowing policy makers’ work to a halt, and challenging each other’s security implementations.
Soghoian concludes with why sitewide SSL is needed, how it’s needed, and the benefits over the drawbacks. What Soghoian didn’t mention, another speaker did: Ladar Levison, CEO of Lavabit and DarkMail (now known as DIME), said that these three-letter agencies will start to implement hardware surveillance. It will no longer matter whether these servers have security; the agency can intercept computers and email, and utilize retroreflector technology to contaminate the market and surveil the same data, with anyone’s data at their fingertips at any moment.
The implementation is vital, but the outcome could be devastating. The solution… unknown.