The movement by technology companies to encrypt their respective corners of the Internet continues to gain steam as more and more enable SSL/TLS and related protections such as Perfect Forward Secrecy to ward off surveillance and enhance the privacy and security of user data.
WordPress on Thursday became the latest to promise to encrypt its traffic by default. The popular blog and content management platform said it plans to have all wordpress.com subdomains served only over SSL by the end of 2014.
“In the face of intrusive surveillance, we believe that everyone in the tech community needs to stand up and do what they can, starting with their own sites and platforms,” said Paul Sieminski, general counsel at Automattic, parent company to WordPress, Cloudup, Simplenote and other web-based development platforms.
The announcement came on the anniversary of the first news reports describing the depths of NSA surveillance, a date also marked as Reset the Net day, a coordinated campaign urging websites to encrypt traffic using SSL, HSTS and PFS, urging applications to deploy SSL and certificate pinning as well, and promoting privacy tools such as Tor for users interested in keeping their Web traffic private.
Despite yesterday’s announcement, WordPress remains a laggard among its technology provider peers.
According to the Electronic Frontier Foundation’s running tally on encryption, called Encrypt the Web, WordPress does not support HTTP Strict Transport Security (HSTS), nor does it support STARTTLS for email. The EFF was also unable to determine whether WordPress supports Perfect Forward Secrecy, or whether it encrypts the links between its data centers.
Experts say Perfect Forward Secrecy and HSTS should be on by default in any new deployment. HSTS is a policy a site sends in a response header instructing browsers to connect to it only over HTTPS, which closes the window in which a plaintext request can be intercepted or downgraded; Perfect Forward Secrecy means each session is protected by an ephemeral key produced by a fresh key exchange, so the compromise of the server’s long-term private key, or of any single session key, does not let an attacker decrypt other sessions recorded before or after.
“Intercepted encrypted data is protected from prying eyes long into the future, even if the website’s secret key is later compromised,” said Parker Higgins, an EFF activist, last November.
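The two properties above can be checked mechanically. The following Python is an added example written for this article, not code from WordPress, Automattic, the EFF or Threatpost: it parses a Strict-Transport-Security header according to RFC 6797 and flags the weak settings a reviewer would look for, and it classifies a TLS cipher suite name as offering forward secrecy or not (ephemeral ECDHE/DHE exchange versus static RSA key transport). The sample headers and suite names are constructed inputs; the one-year threshold is an assumption taken from the browser preload list requirements, not from the article.

```python
"""Check two of the defaults the article recommends: a sound HSTS policy and
a forward-secret key exchange. Added example; all inputs are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed threshold: browser preload lists require at least one year.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directives are ';'-separated and case-insensitive; max-age is required,
    may be quoted, and must not appear twice. Unknown directives are ignored.
    Returns None when the header is absent or malformed (browsers ignore it).
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Return review findings for the headers of an HTTPS response."""
    raw = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return ["no Strict-Transport-Security header: the first http:// request is unprotected"]
    policy = parse_hsts(raw)
    if policy is None:
        return ["Strict-Transport-Security header is malformed; browsers will ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is under one year; too short for preload")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains can still be reached over http://")
    return findings


# Ephemeral key exchange in IANA (TLS_ECDHE_...) or OpenSSL (ECDHE-...) naming.
_EPHEMERAL_KEX = re.compile(r"^(TLS_)?(ECDHE|DHE)_")


def has_forward_secrecy(cipher_suite: str) -> bool:
    """True when the suite's key exchange is ephemeral.

    Static RSA key-transport suites (TLS_RSA_..., AES128-SHA) are not forward
    secret: the server's long-term key decrypts every recorded session once
    stolen. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use (EC)DHE.
    """
    name = cipher_suite.upper().replace("-", "_")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return bool(_EPHEMERAL_KEX.match(name))


if __name__ == "__main__":
    # Constructed sample: a site that has not deployed HSTS at all.
    print(hsts_findings({"Content-Type": "text/html"}))
    # Constructed sample: a complete, preload-ready policy.
    print(hsts_findings({"Strict-Transport-Security":
                         "max-age=31536000; includeSubDomains; preload"}))
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"):
        print(suite, has_forward_secrecy(suite))
```

Run against a real response, the header dictionary would come from the HTTPS reply and the suite name from the negotiated connection; the checks themselves are the same. Note that HSTS only helps once a browser has seen the header over HTTPS, which is why the first plaintext request is flagged as unprotected and why the preload list exists.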
Privacy and security advocates have long urged technology companies to encrypt traffic in order to secure communication and make government surveillance that much more difficult. The NSA’s efforts have been facilitated by laggard technology companies that were lax in encrypting not only traffic streams but also the links between their data centers, which the NSA tapped in order to intercept email and other data belonging to Yahoo and Google users. Both companies have since encrypted those links.
“Just as troubling as the [Snowden] revelations themselves is the fact that since last summer, little if anything has changed,” Automattic’s Sieminski said. “Despite a lot of rhetoric, our three branches of government in the United States have not made many concrete steps toward truly protecting citizens from unchecked government surveillance.”
WordPress is not alone in failing to encrypt data center links; according to the EFF, other large providers such as Amazon, Apple, AT&T, Comcast, Foursquare, LinkedIn and Verizon do not.
“If we’ve learned anything over the past year, it’s that encryption, when done correctly, works,” Sieminski said. “If we properly encrypt our sites and devices, we can make mass surveillance much more difficult.”