We Still Need More HTTPS: Government Middleboxes Caught Injecting Spyware, Ads, and Cryptocurrency Miners
Last week, researchers at Citizen Lab discovered that Sandvine's PacketLogic devices were being used to hijack users' unencrypted internet connections, making yet another case for encrypting the web with HTTPS. In Turkey and Syria, users who were trying to download legitimate applications were instead served malicious software intended to spy on them. In Egypt, these devices injected money-making content into users' web traffic, including advertisements and cryptocurrency mining scripts.
These are all standard machine-in-the-middle attacks, where a computer on the path between your browser and a legitimate web server is able to intercept and modify your traffic. This can happen if your web connections use HTTP, since data sent over HTTP is unencrypted and can be read or modified by anyone on the network path.
Site operators can mitigate these attacks by using HTTPS instead of HTTP. And as a user, it's easy to see when a web page has been loaded over HTTPS—check for “https” at the beginning of the URL or, on most common browsers, a green lock icon displayed next to the address bar. However, it can still be hard to tell when you're downloading files insecurely. For instance, Avast's website was hosted over HTTPS, but their downloads were not.
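For site operators, the gap described above (an HTTPS page whose downloads still travel over HTTP) can be checked mechanically. The following is an added example, not code from the original article: it parses a page's HTML, resolves every link against the page URL, and reports references that would be fetched over plain HTTP. The `example.com` hosts, the sample HTML and the list of download extensions are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch or navigate to a URL.
URL_ATTRS = {"a": "href", "script": "src", "iframe": "src", "form": "action"}
# Extensions treated as downloadable installers/archives (assumed list).
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".apk", ".zip")


class LinkCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag))
        if value:  # resolve relative and protocol-relative URLs
            self.found.append((tag, urljoin(self.page_url, value.strip())))


def insecure_references(page_url, html):
    """Return (kind, tag, url) for each reference fetched over plain HTTP."""
    parser = LinkCollector(page_url)
    parser.feed(html)
    results = []
    for tag, url in parser.found:
        parts = urlsplit(url)  # urlsplit lowercases the scheme
        if parts.scheme != "http":
            continue
        is_dl = parts.path.lower().endswith(DOWNLOAD_EXTS)
        kind = "download" if is_dl else ("link" if tag == "a" else "subresource")
        results.append((kind, tag, url))
    return results


# Constructed sample page; all hosts are placeholders.
SAMPLE_URL = "https://www.example.com/products/"
SAMPLE_HTML = """
<a href="http://files.example.com/setup/installer.exe">Download</a>
<a href="/docs/manual.pdf">Manual</a>
<a href="//cdn.example.com/tool.zip">Mirror</a>
<script src="http://ads.example.net/a.js"></script>
<a href="HTTP://files.example.com/old/App.DMG">Mac</a>
"""

if __name__ == "__main__":
    for kind, tag, url in insecure_references(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:12} <{tag}> {url}")
```

This only inspects URLs as written in the markup; an `https://` link that the server later redirects to `http://` is not caught here and has to be checked against the live response.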
Today, Let’s Encrypt and Certbot make it easier than ever to deploy HTTPS websites and to serve content securely. And later this year, Chrome is planning on marking all HTTP sites as “not secure”. Thanks to these collective efforts and many more, almost 80% of web traffic in the U.S. is now encrypted with HTTPS. If you want to be sure you’re browsing securely, EFF’s HTTPS Everywhere browser extension can force your browser to use it wherever possible.
We've come a long way with HTTPS adoption since 2010, when EFF first started pushing tech companies to support it. Evidently, we still have a long way to go.