Comment by ok123456
17 hours ago
Snowden was the other big reason that TLS became the de facto standard for every site.
Prior to that, the consensus was that you only really needed TLS if you were dealing with money and wasn't worth the hassle otherwise. You could sniff traffic from Facebook and Twitter easily.
I remember listening to a talk given by an IRS investigator in around 2008 about how they were able to do a sting and shutdown illegal internet casinos. They collected a good bulk of that evidence from clear-text packet captures of gambling sessions and messages. He preemptively answered the question of whether encryption was a hurdle, by saying no one used it.
This is a retcon. Facebook rolled out TLS in 2011, 2 years before Snowden, and went TLS-by-default within a month of the Snowden disclosures. Google Mail was TLS-by-default in 2010. TLS was a universal best practice long before 2013 --- by 2010, you'd have gotten a sev:hi vulnerability flagged on your site if you hadn't implemented TLS. SSLLabs was 2009; BEAST was 2011, and was a huge global news story because of how widely deployed TLS was.
I think you're right that this consensus was clearly emerging then (I remember Firesheep in 2010 as another big identifiable contributing factor), but I remember actively asking smaller sites to enable HTTPS in that era, and they would often refuse. So I think Snowden also contributed to the spread of the norm.
It is possible that there's a retcon element, because it's not always clear in my memory exactly what year various sites became more favorably disposed towards the request to use HTTPS. So I could be misremembering some of them as agreeing post-Snowden when they'd actually agreed one year before, or something.
I think it would be a stretch to say that Snowden did nothing to accelerate the uptake; for better and worse he clearly did. But he didn't set it into motion; we were going to have an all-TLS Internet within a decade with or without him.
I'm not sure that refutes the idea that encryption was uncommon. A couple tech giants with challenging threat models will be ahead of the curve.
Google started tracking adoption of TLS in 2015, with adoption below 50% and some regions below 30%.
https://transparencyreport.google.com/https/overview?hl=en
Yes. And I remember sniffing Facebook traffic in clear text in 2011. The fact remains that it was considered a significant engineering problem for them to deploy it. It was a "best practice" that most people rolled their eyes at.
Most users and system owners didn't care unless money was being transacted.
Between Snowden and ISPs injecting content into pages, the consensus changed.
The consensus obviously changed. It's just that it changed years before the Snowden leaks.
3 replies →
I think it was a lot earlier than 2013 - SSL was inevitable by the late 2000's, as soon as major ISPs decided they could make more money by injecting ads into http connections (e.g., [1]). It obviously took a while for the infrastructure to scale up ... but I'd imagine that concerns about stolen ad impressions drove a lot more HTTPS adoption than concerns about the NSA.