In the two years since the details of the NSA’s deep penetration of the Internet infrastructure began to emerge, there has been a major movement afoot among Web companies to encrypt more and more of their resources and services. The latest large property to make this move is Reddit, which by the end of the month will move to an HTTPS-only model for its sites.
Reddit is one of the 10 most popular sites in the United States and its move to HTTPS-only follows similar decisions by companies such as Google, Apple, and many others. Google’s Gmail service has been available only on HTTPS connections for several years and its main search function is HTTPS by default. Apple has recently announced a move that pushes app developers to make all connections from their apps HTTPS-only. Microsoft has moved to implement encrypted links and Perfect Forward Secrecy in many of its cloud services, as well.
And, last week, the White House announced that all federal agencies will be required to move all of their publicly accessible sites and services to HTTPS only by the end of 2016.
The change to secure connections by default gives users a baseline expectation of security and privacy for their interactions with these properties. It certainly doesn’t guarantee that specific sessions can’t be intercepted and decrypted by a man-in-the-middle attack or other techniques, but using SSL makes life harder for most adversaries.
Last year, Reddit began offering users encrypted connections, and the company now is moving its services to an HTTPS-only model.
“Nearly 1 year ago we gave you the ability to view reddit completely over SSL. Now we’re ready to enforce that everyone use a secure connection with reddit. Please ensure that all of your scripts can perform all of their functions over HTTPS by June 29. At this time we will begin redirecting all site traffic to be over HTTPS and HTTP will no longer be available,” a post by Reddit moderator Ricky Ramirez says.
The company also said it is planning to look into the viability of using certificate pinning. This technique enables a provider to specify one certificate or a small number of certificates that are the only valid ones for a given service, such as Gmail or reddit.com. This allows browsers to know which certificate to expect for a given site, and reject others if they should appear. The use of an unexpected certificate for a site that employs pinning could be an indicator of a compromise somewhere along the line.
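As an added illustration of the pinning check described above (example code written for this article, not Reddit's or any browser's implementation), the Python below extracts a certificate's SubjectPublicKeyInfo, derives the SHA-256 pin from it, and accepts the certificate only if that pin is on the short allow-list; the certificate, key bytes and host name are constructed dummies, and the minimal DER walker handles only the fields this check needs.

```python
import base64
import hashlib
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_tlv(tag, payload):
    """Encode one DER element; long length form when the payload is >= 128 bytes."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_parse(data, i=0):
    """Decode the element at data[i]; return (tag, value, offset just past it)."""
    tag, n, i = data[i], data[i + 1], i + 2
    if n & 0x80:                       # long form: low bits give the byte count
        k = n & 0x7F
        n, i = int.from_bytes(data[i:i + k], "big"), i + k
    return tag, data[i:i + n], i + n

def der_children(value):
    """List (tag, raw_tlv) for every element inside a SEQUENCE body."""
    out, i = [], 0
    while i < len(value):
        tag, _, end = der_parse(value, i)
        out.append((tag, value[i:end]))
        i = end
    return out

def extract_spki(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as raw DER."""
    _, cert_body, _ = der_parse(cert_der)
    _, tbs_body, _ = der_parse(der_children(cert_body)[0][1])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:           # optional explicit [0] version field
        fields = fields[1:]
    # serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(cert_der):
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the RFC 7469 (HPKP) form."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()
def pin_accepts(cert_der, allowed_pins):
    """Accept the presented certificate only if its key is one of the pinned keys."""
    return spki_pin(cert_der) in set(allowed_pins)

def constructed_cert(key_bytes):
    """Dummy but well-formed X.509 DER certificate for the demo (constructed, not signed)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, b"example.test"))))
    spki = der_tlv(0x30, der_tlv(0x30, RSA_OID + b"\x05\x00") + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + der_tlv(0x30, RSA_OID)
                  + name + der_tlv(0x30, der_tlv(0x17, b"150601000000Z") * 2) + name + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, RSA_OID) + der_tlv(0x03, b"\x00" * 65))
PINNED = [spki_pin(constructed_cert(b"\x01" * 256)), spki_pin(constructed_cert(b"\x03" * 256))]  # primary + backup key
```

A certificate for the same name carrying any other key fails `pin_accepts`, which is the "unexpected certificate" signal the article describes; in practice the allow-list also carries a backup pin so a key rotation does not lock clients out.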