Hint: you want your email to be encrypted in transit. Now, lets take a look at some stats. From my earlier post about ‘Why is Canada less encrypted than the US‘?, and from Google’s Transparency Report, we dig into Sympatico. This is Bell Canada‘s brand for Internet. We see that there is no encrypted email exchanged to Bell from Google (so your friend with a Gmail account mails you on your Sympatico account).
Gobsmacked, I double checked this. First we find the mail exchanger (as below), and then we head to https://www.checktls.com/. Story checks out. Bell does not allow encryption in transit of your email, from anywhere in the world.
> set q=mx
sympatico.ca mail exchanger = 0 mxmta.owm.bell.net.
Phishing has hit the halfway point on encryption. This means that being TLS-encrypted is no indication a site is real or not (its an indication that it is exactly what it says it is, but not what it might appear as).
Ironically, they might be stronger than the average web site. If we look at whynothttps.com, we find some big ticket names that are not encrypted. I’m looking at you bbc.com (interestingly they do support encryption, but don’t turn it on unless you force it). There’s a workaround (install HTTPS Everywhere as a chrome add-on).
Now, the percent of pages fetched, and of browsing time, is high. See the Google Transparency report. But this is an 80/20 type thing. A small number of sites capture the majority of time, but its the other sites that you get phished and leaked from.
Lets take a look by country. For Canada, there’s a set of non-https sites. Some are owned by our federal government (http://www.cic.gc.ca/). Who’s up for taking their favourite site, checking whether it:
Is available in HTTPS
Is *only* available in HTTPS (or redirects all non HTTPS to the HTTPS version)
Courtesy of our friends @ Google and their Transparency Report we see that Canada is 89% encrypted to Google. Good, but not great when you realise the UK is 97% encrypted. What could drive this difference? I would think device-types and ages would be similar. This traffic is a bellwether of other encrypted traffic, and we want it to be 100%.
You’ve no doubt noticed that chrome now marks any non https-site as insecure. Its no longer that ‘https is secure the rest is unspoken’. Its actively insecure.
Some sites have no support for https (shame). Some have support, but you have to remember to use that URL (should redirect).
But, what is the thinking behind ones that actively down-grade you? Witness Canadian Cire. A great spot to buy a belt perhaps. But why if i try ‘https://www.canadiantire.ca/’ it will force me to ‘http://www.canadiantire.ca’?
Here’s the tale of the tape. We see the server has a valid certificate. It even supports HTTP/2. But, it forces me to drop to non-encrypted flow. You see those last couple of lines? These are your session cookies. They maintain if you do switch to ssl to buy something online w/ them. This is terrible.
Google has also started to raise the search relevance of secure sites, so it actively hurts them.
So who’s with me in starting a campaign. If we see a web site that is not TLS, lets say something. Let’s Encrypt has made it free and easy. Google has launched the .app domain, SSL included w/ your name. Its 2018. We should be demanding TLS 1.3 w/ encrypted SNI, 0-RTT, elliptic-curve only. We should not be accepting ‘downgrade to in-the-clear’.
Lets make a ‘see something say something’ type campaign. #tlsorbust ? #tlswallofshame?
$ curl -v https://www.canadiantire.ca/
* Trying 126.96.36.199...
* TCP_NODELAY set
* Connected to www.canadiantire.ca (188.8.131.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=CA; ST=Ontario; L=Toronto; O=Canadian Tire corporation; CN=www.canadiantire.ca
* start date: May 9 00:00:00 2018 GMT
* expire date: Aug 8 12:00:00 2019 GMT
* subjectAltName: host "www.canadiantire.ca" matched cert's "www.canadiantire.ca"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.canadiantire.ca
> User-Agent: curl/7.58.0
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 250
< X-Frame-Options: SAMEORIGIN
< Location: http://www.canadiantire.ca/en.html
< Cache-Control: max-age=86400
< Expires: Thu, 30 Aug 2018 20:56:26 GMT
< Content-Encoding: gzip
< Date: Wed, 29 Aug 2018 20:56:26 GMT
< Connection: keep-alive
< Set-Cookie: disp_id_prd11=173769bf046e88 ...; path=/
< Set-Cookie: BIG_COOKIE_PRD2=rd40o000 ...; path=/
< Set-Cookie: TS01915929=012ceeafe60a6c ... Path=/