The developers of the Mozilla Firefox browser have moved one step closer to an Internet that encrypts all the world’s traffic with a new feature called Opportunistic Encryption (OE), which can cryptographically protect connections even when servers don’t support the HTTPS protocol.
The feature is included in the just-released Firefox 37.
“Opportunistic encryption is meant to improve the transport properties of legacy HTTP resources that would otherwise be carried in clear text,” Patrick McManus, platform engineer at Mozilla, told eWEEK. “Any transport layer security (TLS) certificate, including self-signed ones, may be used with opportunistic encryption because it does not enforce authentication. Servers must run either HTTP/2 or SPDY/3.1.”
Security researchers said that Mozilla is on the right track. “Opportunistic encryption is not a ‘better’ solution than (TLS), but this standard removes almost all barriers to encrypting web traffic,” said Terence Spies, CTO at HP Security Voltage, in an email. “It doesn’t resist attackers that can actively alter traffic, but keeps data private from attackers that are passively recording the contents of network connections.”
So, if site administrators can enable encryption with a simple configuration switch, it moves the web toward an Internet where data is encrypted by default.
“It doesn’t solve every security problem, but raises the default security level from unprotected to privacy-protected,” Spies said.
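The two quotes above make one security claim: a key exchange that does not authenticate the server still hides traffic from a passive recorder, but not from an attacker who can rewrite packets in flight. The following toy model, added here as an illustration and not code from Mozilla or Firefox, shows why. It uses a constructed Diffie-Hellman group (the Mersenne prime 2^127 - 1 with generator 3, far too small for real use) and a toy stream cipher; the `handshake` function and the `pinned` value standing in for a CA-validated certificate are assumptions of the example, not anything Firefox does.

```python
"""Toy model of unauthenticated key exchange (constructed example, not Mozilla code).

Opportunistic encryption negotiates a session key without checking who the
server is.  A passive eavesdropper records only public values and cannot
derive the key; an active attacker who substitutes its own public values
ends up holding a key with each side and can read everything.
"""
import hashlib
import secrets

# Constructed toy parameters: a small prime and generator.  Real TLS groups
# are far larger; the arithmetic below is the same.
P = 2**127 - 1   # Mersenne prime M127, demo-sized only
G = 3


def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def keystream(key, n):
    """Expand key into n bytes of keystream (toy construction for the demo)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(data, key):
    """Toy stream cipher: XOR data with keystream derived from key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def handshake(active_attacker, verify_server_identity):
    """Simulate one session.

    Returns (handshake_completed, attacker_reads_traffic).
    verify_server_identity=False models opportunistic encryption;
    True models authenticated TLS, where the client compares the
    received public value against the identity it expects ('pinned'
    here stands in for a CA-validated certificate; an assumption of
    this example, not how Firefox implements either mode).
    """
    c_priv, c_pub = keypair()   # client
    s_priv, s_pub = keypair()   # real server
    m_priv, m_pub = keypair()   # attacker, only used if active

    pinned = s_pub

    # An active attacker replaces each party's public value with its own.
    pub_seen_by_client = m_pub if active_attacker else s_pub
    pub_seen_by_server = m_pub if active_attacker else c_pub

    if verify_server_identity and pub_seen_by_client != pinned:
        return False, False      # authenticated mode aborts the handshake

    client_key = shared_key(c_priv, pub_seen_by_client)
    server_key = shared_key(s_priv, pub_seen_by_server)

    msg = b"GET /private HTTP/2"   # constructed sample request
    ct = xor(msg, client_key)

    if active_attacker:
        # Attacker shares g^(c*m) with the client and g^(m*s) with the server,
        # so it decrypts, reads, and re-encrypts without either side noticing.
        plaintext_at_mitm = xor(ct, shared_key(m_priv, c_pub))
        ct = xor(plaintext_at_mitm, shared_key(m_priv, s_pub))
        attacker_reads = plaintext_at_mitm == msg
    else:
        # A passive observer holds c_pub and s_pub but no private exponent,
        # so (for real-sized groups) it cannot compute the session key.
        attacker_reads = False

    return xor(ct, server_key) == msg, attacker_reads


if __name__ == "__main__":
    print("passive, OE:        ", handshake(False, False))
    print("active,  OE:        ", handshake(True, False))
    print("active,  auth TLS:  ", handshake(True, True))
```

Run as a script it prints three tuples: opportunistic encryption completes against a passive observer without leaking the request, completes against an active attacker while leaking it, and authenticated TLS refuses the tampered handshake. The only line that separates the two modes is the identity check, which is exactly the property Spies describes as missing from OE.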
Franklyn Jones, CMO of Spikes Security, added that it’s merely a first step in a broader effort.
“All web traffic should be encrypted, from the internal client to the destination web site. Google has long been a proponent of this,” he said. “However, cyber-criminals also know how to insert malware into encrypted SSL connections. So for that reason, it will be increasingly important that IT security teams adopt appropriate policies for decrypting and inspecting SSL traffic before it is delivered to the endpoint device.”