How big tech companies are encrypting the web

The Electronic Frontier Foundation did some research on some well known tech companies, and found out what they are doing to encrypt user data on the web. This is important, because as the EFF outlines in their report, if the data is not encrypted, places like the NSA can somewhat easily get a hold of your private data and use it without your knowledge.

In the EFF report, they do show some tech companies going above and beyond today’s standards to encrypt your data. Dropbox, Google, Sonic.net, and SpiderOak, all pass the test. Others come very close though, such as Twitter, LinkedIn, and Facebook. Others, well not so much.

tech

Understanding the Data

Here is how EFF breaks down the data points in the report:

[…] we have asked companies to encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. This means that when a user connects to their website, it will automatically use a channel that encrypts the communications from their computer to the website.

We have also asked them to flag all authentication cookies as secure. This means cookie communications are limited to encrypted transmission, which directs web browsers to use these cookies only through an encrypted connection. That stops network operators from stealing (or even logging) users’ identities by sniffing authentication cookies going over insecure connections.

To ensure that the communication remains secure, we have asked companies to enable HTTP Strict Transport Security (HSTS). HSTS essentially insists on using secure communications, preventing certain attacks where a network pretends that the site has asked to communicate insecurely.

In addition, we have asked for email service providers to implement STARTTLS for email transfer. STARTTLS is an opportunistic encryption system, which encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard. When a user emails someone on a different provider (say, a Hotmail user writing to a Gmail user), the mail message will have to be delivered over the Internet. If both email servers understand STARTTLS, then the communications will be encrypted in transit. If only Gmail does but Hotmail does not (the current situation), they will be in the clear and exposed to eavesdropping, so it’s critical to get as many email service providers as possible to implement the system.

Finally, we have asked companies to use forward secrecy for their encryption keys. Forward secrecy, sometimes called ‘perfect forward secrecy,’ is designed to protect previously encrypted communications, even if one of the service providers’ keys is later compromised. Without forward secrecy, an attacker who learns a service provider’s secret key can use it to go back and read previously incomprehensible encrypted communications—perhaps ones that were recorded months or years in the past.