Hint: you want your email to be encrypted in transit. Now, let’s take a look at some stats. From my earlier post, ‘Why is Canada less encrypted than the US?’, and from Google’s Transparency Report, we dig into Sympatico. This is Bell Canada’s brand for Internet. We see that there is no encrypted email exchanged to Bell from Google (for example, when your friend with a Gmail account mails you on your Sympatico account).

Gobsmacked, I double checked this. First we find the mail exchanger (as below), and then we head to https://www.checktls.com/. Story checks out. Bell does not allow encryption in transit of your email, from anywhere in the world.

$ nslookup
> set q=mx
> sympatico.ca.

Non-authoritative answer:
sympatico.ca	mail exchanger = 0 mxmta.owm.bell.net.


Phishing has hit the halfway point on encryption. This means that being TLS-encrypted is no indication of whether a site is real or not (it’s an indication that the site is exactly what it says it is, but not what it might appear to be).

Ironically, they might be stronger than the average web site. If we look at whynothttps.com, we find some big ticket names that are not encrypted. I’m looking at you bbc.com (interestingly they do support encryption, but don’t turn it on unless you force it). There’s a workaround (install HTTPS Everywhere as a Chrome add-on).

Now, the percent of pages fetched, and of browsing time, is high. See the Google Transparency report. But this is an 80/20 type thing. A small number of sites capture the majority of time, but it’s the other sites that you get phished and leaked from.

Let’s take a look by country. For Canada, there’s a set of non-https sites. Some are owned by our federal government (http://www.cic.gc.ca/). Who’s up for taking their favourite site, checking whether it:

  1. Is available in HTTPS
  2. Is *only* available in HTTPS (or redirects all non HTTPS to the HTTPS version)
  3. Has HSTS enabled?
  4. Has a strong certificate?

It’s easy: head on over to https://www.ssllabs.com/ssltest/analyze.html and run a quick check. If it’s not an A, maybe write to their IT admin and ask why not.
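As an added example (not from the original post), the first three checklist items can be scripted in Python; certificate strength (item 4) is left to the SSL Labs scan. The function names and the sample responses are made up for illustration.

```python
import http.client
from urllib.parse import urlsplit

def fetch(url, timeout=10):
    """Return (status, headers) for one GET, without following redirects."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "https-checklist-example"})
        r = conn.getresponse()
        return r.status, {k.lower(): v for k, v in r.getheaders()}
    finally:
        conn.close()

def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; None if absent or invalid."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(http_resp, https_resp):
    """Grade checklist items 1-3. Each argument is (status, headers), or None if the connection failed."""
    result = {"https_available": False, "http_redirects_to_https": False, "hsts": False}
    if https_resp is not None:
        status, headers = https_resp
        result["https_available"] = status < 500
        age = hsts_max_age(headers.get("strict-transport-security"))
        result["hsts"] = age is not None and age > 0  # max-age=0 switches HSTS off
    if http_resp is None:
        # Port 80 closed: the site is HTTPS-only as long as HTTPS itself works.
        result["http_redirects_to_https"] = result["https_available"]
    else:
        status, headers = http_resp
        target = urlsplit(headers.get("location", ""))
        result["http_redirects_to_https"] = (
            status in (301, 302, 303, 307, 308) and target.scheme == "https")
    return result

# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = ((301, {"location": "https://example.test/"}),
               (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
SAMPLE_WEAK = ((200, {}), (200, {"strict-transport-security": "max-age=0"}))
```

For a live check, pass the results of `fetch("http://host/")` and `fetch("https://host/")` to `audit`, substituting `None` for either call that raises `OSError`.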

Courtesy of our friends @ Google and their Transparency Report we see that Canada is 89% encrypted to Google. Good, but not great when you realise the UK is 97% encrypted. What could drive this difference? I would think device-types and ages would be similar. This traffic is a bellwether of other encrypted traffic, and we want it to be 100%.

Anyone got any comment?

I started my web-ish life with HTTP/0.9. It was the dialect that ‘escaped’ from CERN. Soon after HTTP/1.0 came along, and then 1.1. And we stuck on 1.1 for a long time (more than 2 decades). And then HTTP/2 came along, and it was great. 100% encrypted, asynchronous, etc.

In parallel, some folks started experimenting with HTTP and TLS-like encryption over UDP. This allowed them to build their own congestion-control algorithms independent of the operating system, to reduce setup latency and improve throughput. It went quite well, but was a bit controversial for some.

And now, after some discussion it looks like the camps are merging. There seems to be a fair bit of support for HTTP/3 to be UDP-based, all-encrypted all the time.

So, if you are still on HTTP/1.1, get going. HTTP/2/SPDY/QUIC/… are all about higher performance, better safety, more security, more privacy. Who doesn’t want that?

In 2017 an Amazon Alexa ‘testified’ in a murder trial in Arkansas, and is now scheduled to do so in New Hampshire (a double murder!).

No word on Siri, Bixby, “OK Google” and their kin.

Now, obviously big tech would prefer to keep mum on what they are recording around your house, and a subpoena kinda makes that hard. We’ve already had some issues with smart TV listening in.

I wonder who would be interested in a ‘what goes on in my house when I’m not using the Internet’ report? Have we reached the state where home ‘robots’ use more bandwidth than people?

What’s next to get smart around the home that can be subpoenaed? I mean, toilets got Internet some time ago. Definitely we need some sort of kitchen-counter that is a large touch display (that is using some super gorilla glass that can withstand the slap-chop).

I look forward to the day we have a smart central vacuum testify in court. Or run for government.