All information is confidential

by Francois Joseph de Kermadec

Most servers and clients today are capable of handling some form of encryption, be they e-mail servers, web servers, chat servers or streaming servers. Yet, in many cases, the applications we rely on to connect to them, or the administrators who configure them, do not make the use of secure protocols mandatory.

There was a time where the overhead accompanying such transfers translated into heightened bandwidth costs and a much slower user experience. The web of today, though, is without the slightest doubt able to serve encrypted content at decent speeds and, given the current discussions on identity theft, I am willing to bet that most users would prefer a slightly less snappy but secure experience over an immediate and dangerous one.

The reasoning behind not using encryption everywhere is that most of what we transmit daily is not confidential. After all, your little brother's sock size, your favorite brand of mayonnaise or a picture of your pet are of little use to potential evildoers, right?

That is, however, a very misleading line of reasoning. While these three elements are in themselves of little interest, it is possible, by aggregating non-confidential facts, to learn quite a bit about your tastes, your life or yourself. If a particular note is of no interest on its own, the merging of many such notes can allow someone to know which stores you go to, what schedule you are most likely to keep on a specific day, what your political or religious views are and, from this information, carry out whatever damaging or hurtful action was planned.

I'll gladly admit that this can sound totally paranoid. However, there is no need to be an ex-secret services agent to be spied on: disgruntled employees, former lovers, coworkers, competitors have all been known to do some sneaky things in the past. For all you know, your smiling neighbor's main goal in life might be to get you thrown in jail for tax evasion — OK, that last one might be a bit of a stretch.

We constantly hear about elaborate identity theft schemes, and our first reaction is to lock down bank accounts, credit cards and everything money related. As important as these are, we fail to realize that the most successful attacks are built upon the details: the little elements that we all deem so unworthy of our attention that they become our trademarks, our signatures, without our noticing it.

Checking that "SSL" box is easy and it might just save you a lot of trouble.


2005-09-02 02:01:57
It actually doesn’t scale well. SSL requires a protracted handshake and quite a few cycles. The figure I’ve seen bob up repeatedly is that peak simultaneous request rates for webservers tend to be about three orders of magnitude greater for unencrypted connections than for encrypted ones.

For uses such as checking mail on your home server from vacation, 100% encrypted communication works well; for a public-facing site with high traffic, though, encryption is costly.