Hint: you want your email to be encrypted in transit. Now, let's take a look at some stats. Following on from my earlier post, ‘Why is Canada less encrypted than the US?’, and from Google’s Transparency Report, we dig into Sympatico, Bell Canada‘s consumer Internet brand. We see that there is no encrypted email exchanged from Google to Bell (so when your friend with a Gmail account mails you on your Sympatico account, it travels in the clear).

Gobsmacked, I double-checked this. First we find the mail exchanger (as below), then we test it at https://www.checktls.com/. Story checks out: Bell does not allow encryption in transit of your email, from anywhere in the world.

$ nslookup
> set q=mx
> sympatico.ca.

Non-authoritative answer:
sympatico.ca	mail exchanger = 0 mxmta.owm.bell.net.
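To reproduce the CheckTLS result yourself, here is a small Python script (an added example, not code from the original post or from CheckTLS). Once you have the MX hostname from nslookup as above, `check_mx()` connects to it on port 25, sends EHLO, and reports whether STARTTLS is advertised and whether a certificate-verified handshake succeeds; `parse_ehlo()` works offline on a stored EHLO reply. The client name `starttls-check.example` and the sample EHLO replies are constructed for illustration.

```python
"""Check whether a mail exchanger offers STARTTLS (encryption in transit).

Added example, not code from the original post. Look up the MX with
nslookup as shown above, then point check_mx() at it. parse_ehlo() works
offline on an EHLO reply; check_mx() opens a real connection on port 25
and therefore needs network access.
"""
import smtplib
import socket
import ssl
import sys


def parse_ehlo(ehlo_resp: bytes) -> dict:
    """Turn smtplib's ehlo_resp (greeting line, then one extension per line)
    into {EXTENSION: parameters}."""
    exts = {}
    for line in ehlo_resp.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts


def advertises_starttls(ehlo_resp: bytes) -> bool:
    """True if the server lists STARTTLS among its EHLO extensions."""
    return "STARTTLS" in parse_ehlo(ehlo_resp)


# Constructed EHLO replies, as smtplib stores them (reply codes already stripped).
EHLO_WITH_STARTTLS = b"mx.example.net Hello client\nSIZE 35882577\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mx.example.net Hello client\nSIZE 35882577\n8BITMIME"


def check_mx(host: str, timeout: float = 10.0) -> dict:
    """Connect to an MX on port 25, EHLO, and report whether STARTTLS is
    advertised and whether a verified TLS handshake succeeds.

    A server that never advertises STARTTLS receives mail in the clear,
    which is the situation the post describes for Bell.
    """
    result = {"host": host, "starttls_advertised": False,
              "tls_ok": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
            smtp.ehlo("starttls-check.example")  # hypothetical client name
            result["starttls_advertised"] = advertises_starttls(smtp.ehlo_resp)
            if result["starttls_advertised"]:
                # The default context verifies the chain and hostname, so a
                # self-signed or mismatched MX certificate shows up as an error.
                smtp.starttls(context=ssl.create_default_context())
                result["tls_ok"] = True
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, socket.error) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python starttls_check.py <mx-hostname>")
    for key, value in check_mx(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Run it against your own provider's MX: `starttls_advertised: False` is the "no encryption in transit" case; `starttls_advertised: True` with an `error` means the server offers TLS but its certificate would not pass a verifying client, which is still better than nothing for opportunistic encryption but worth raising with the operator.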


Phishing has hit the halfway point on encryption: roughly half of phishing sites are now served over TLS. This means that being TLS-encrypted is no indication of whether a site is genuine (it's an indication that the site is exactly the domain it says it is, not that it is the brand it appears to be).

Ironically, the phishing sites might be better encrypted than the average web site. If we look at whynothttps.com, we find some big-ticket names that are not encrypted. I’m looking at you, bbc.com (interestingly, they do support HTTPS, but don’t send you there unless you force it). There’s a workaround: install HTTPS Everywhere as a Chrome add-on.

Now, the percentage of pages fetched over HTTPS, and of browsing time spent on HTTPS, is high (see the Google Transparency Report). But this is an 80/20 type thing: a small number of sites capture the majority of time, but it's the long tail of other sites that you get phished and leaked from.

Let's take a look by country. For Canada, there’s a set of non-HTTPS sites. Some are owned by our federal government (http://www.cic.gc.ca/). Who’s up for taking their favourite site and checking whether it:

  1. Is available in HTTPS
  2. Is *only* available in HTTPS (or redirects all non-HTTPS requests to the HTTPS version)
  3. Has HSTS enabled
  4. Has a strong certificate

It's easy: head over to https://www.ssllabs.com/ssltest/analyze.html and run a quick check. If the grade isn't an A, maybe write to their IT admin and ask why not.
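If you would rather script the first three items of that checklist for a batch of sites, here is a Python example (added here; it is not code from the original post or from SSL Labs). `evaluate()` applies the checks to an observed port-80 reply and port-443 reply, so it works offline on captured or constructed responses; `probe()` collects those replies live with the standard library. Certificate grading is left to SSL Labs as the post suggests; "tls_strong" here only means the handshake verified against the system trust store and negotiated TLS 1.2 or 1.3. The one-year HSTS threshold is my assumption, not something the post states.

```python
"""Apply the post's HTTPS checklist to a site.

Added example, not code from the original post. evaluate() works offline
on observed responses; probe() fetches them live and needs network access.
"""
import http.client
import ssl
import sys
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age (31536000 seconds)


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header; None if the header is absent."""
    if header is None:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed value: leave max_age unset
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def evaluate(http_status, http_location, https_status, https_headers, tls_version) -> dict:
    """Score the checklist from observed responses.

    http_status/http_location: the port-80 reply (None if nothing answered).
    https_status/https_headers/tls_version: the port-443 reply (None if the
    connection or the verified TLS handshake failed).
    """
    https_available = https_status is not None
    # "Only HTTPS": port 80 is closed, or every plain request is bounced to https://.
    redirects_to_https = (http_status in (301, 302, 307, 308)
                          and bool(http_location)
                          and http_location.lower().startswith("https://"))
    https_only = https_available and (http_status is None or redirects_to_https)
    headers = {k.lower(): v for k, v in (https_headers or {}).items()}
    hsts = parse_hsts(headers.get("strict-transport-security"))
    hsts_ok = hsts is not None and hsts["max_age"] is not None and hsts["max_age"] >= ONE_YEAR
    tls_strong = tls_version in ("TLSv1.2", "TLSv1.3")
    return {"https_available": https_available, "https_only": https_only,
            "hsts": hsts_ok, "tls_strong": tls_strong,
            "all_passed": https_available and https_only and hsts_ok and tls_strong}


def probe(host: str, timeout: float = 10.0) -> dict:
    """Fetch / over plain HTTP and over HTTPS, then feed the results to evaluate()."""
    http_status = http_location = None
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        http_status, http_location = resp.status, resp.getheader("Location")
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # no plain-HTTP listener at all is fine for the https_only check

    https_status = https_headers = tls_version = None
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.connect()                      # verified handshake happens here
        tls_version = conn.sock.version()   # read before the socket may be recycled
        conn.request("GET", "/")
        resp = conn.getresponse()
        https_status, https_headers = resp.status, dict(resp.getheaders())
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # connection or certificate-verification failure: not available
    return evaluate(http_status, http_location, https_status, https_headers, tls_version)


if __name__ == "__main__":
    for site in sys.argv[1:] or ["www.example.org"]:
        print(site, probe(site))
```

The offline split matters for anything you automate: keep the raw replies (status, `Location`, the HSTS header, the negotiated protocol) and re-run `evaluate()` as your policy changes, rather than re-probing sites every time.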

Courtesy of our friends @ Google and their Transparency Report, we see that Canada is 89% encrypted to Google. Good, but not great when you realise the UK is 97% encrypted. What could drive this difference? I would think device types and ages would be similar in both countries. This traffic is a bellwether for other encrypted traffic, and we want it to be 100%.

Anyone got any comment?

I started my web-ish life with HTTP/0.9. It was the dialect that ‘escaped’ from CERN. Soon after, HTTP/1.0 came along, and then 1.1. And we stuck on 1.1 for a long time (more than two decades). And then HTTP/2 came along, and it was great: 100% encrypted, asynchronous, etc.

In parallel, some folks started experimenting with HTTP and TLS-like encryption over UDP (QUIC). This allowed them to build their own congestion-control algorithms in user space, independent of the operating system, reducing connection-setup latency and improving throughput. It went quite well but was a bit controversial for some.

And now, after some discussion, it looks like the camps are merging. There seems to be a fair bit of support for HTTP/3 to be UDP-based and encrypted all the time.

So, if you are still on HTTP/1.1, get going. HTTP/2, SPDY, QUIC, … are all about higher performance, better safety, more security and more privacy. Who doesn’t want that?