Categories
Security

Wikipedia’s Jimmy Wales Threatens To Encrypt Wikipedia

Wikipedia’s Jimmy Wales threatened to encrypt traffic to the UK if new tracking laws are implemented:

But if we find that UK ISPs are mandated to keep track of every single web page that you read on Wikipedia, I’m almost certain – err, I shouldn’t speak for our technical staff – we would immediately move to a default of encrypting all our connections in the UK.

Truthfully, we’re going that way anyway. It’s only a matter of time before all websites will be moving to HTTPS for the sake of implementing SPDY or whatever succeeds it. I don’t see a non-secure standard taking hold any longer. Security is no longer considered a bonus, it’s a requirement. Facebook does it by default now, Twitter does it by default now, WordPress.com does it by default now (for SPDY). It’s not just personal communications. Lots of non-personal data is going over HTTPS now. The trend will keep accelerating. It’s no longer as cost prohibitive to implement. Don’t be shocked if this entire blog is HTTPS only in the not too distant future.

8 replies on “Wikipedia’s Jimmy Wales Threatens To Encrypt Wikipedia”

IMHO identity != encryption and shouldn’t be. Encryption is protecting data from point A to point B. Identity is making sure A or B (or both) are the parties they claim to be.

The CA model is flawed for trying to force the two. Most office workers just click through the warnings when a cert is self signed. IT trained them to do that years ago.

The whole problem with CA certs being compromised is just icing on the cake.

I’m surprised to hear you say that; while I agree that IT groups have mis-trained us all (what else is new), and that the way we handle encryption has serious flaws, I don’t think anyone is claiming that identity is encryption.

But I thought (common knowledge that) encryption without authentication of identity is more or less pointless… y’know, Eve and all that.

I have to disagree. Encryption without authentication is fine (and should be encouraged) in situations where authentication isn’t a top concern. For example, I shouldn’t need a CA to send some data over https between my own router and my desktop. Nor should I need to accept an “invalid” certificate.

Really, most SSL certs on the web aren’t EV. Even Amazon doesn’t appear to be using EV. It costs under $10 a year to get a basic cert. A normal web user can’t tell the diff between the cert on this blog and what Amazon.com has. That’s not identity validation anyway. Lets be honest, I’m just paying $10 to get rid of that annoying prompt.

The big flaw is the “one size fits all” (for lack of a better term) approach.

Hrm… I apparently can’t reply to 10:41 pm post; in any event, I think you need to read up on your encryption theory. I am not (nor do I claim to be) an expert, but from what little I remember from school, encryption isn’t identity, yes, but encryption without authentication of the identity is mostly-worthless.

This isn’t an argument about EV vs. non-EV, and in fact, that whole debacle illustrates my point: CAs are horrendously broken.

But I’m pretty sure the claim “we don’t need identity authentication and can be secure with just encryption” is… just wrong. (Skimming the first set of results for the Google search “encryption without authentication” seems to have good explanations that jive with my memory.)

Of course, you could claim “Yah, but it’s better than nothing,” but if everyone slaps HTTPS certs on their webservers, then attackers will just attack the identity authentication more viscerally, and we’ll have the same problem, except now we’re paying for the overhead of HTTPS. (In fact, they’re already doing this; that’s the major problem with the entire setup of the CA system right now…)

Leave a Reply

Your email address will not be published. Required fields are marked *