Why It's Time to Encrypt Lawfare

The good people at Just Security, a fellow online security blog, recently moved their entire website to "HTTPS". This means you'll always see "https://" in your browser when you visit, with a little lock sign next to it that means your connection is secure and encrypted.

Just Security kindly took the time to describe why they did that:

We write frequently about online privacy, cybersecurity, electronic surveillance, encryption backdoors, and data breaches. We know that our internet history...can create detailed descriptions of our lives. HTTPS is one way we can better protect our readers’ privacy. HTTPS also makes Just Security more secure by protecting the integrity of our site's content.

The Washington Post also recently migrated its homepage and tech/security sections to HTTPS, saying it will "[make] it more difficult for hackers, government agencies and others to track the reading habits of people who visit the site."

This is all right on -- and all of it applies to Lawfare too.

Lawfare's editor in chief, Benjamin Wittes, asked me to explain why HTTPS matters for a site like Lawfare. After all, Lawfare does not carry financial transactions or private information. Lawfare's content isn't all that sensitive, and even with HTTPS, surveillance can still show that someone is visiting the site as a whole. So what does HTTPS really do for Lawfare and its readers?

The answer is that HTTPS creates a safer space for readers, and gives publishers control over their platform. Moving to HTTPS would mean that the Lawfare its readers get is exactly the same Lawfare that its writers intend them to get.

This might sound like an odd concern for a public news site, but unfortunately, there's plenty to worry about. Today's networks are an aggressive bunch.

One prominent example is Verizon injecting tracking flags into their customers' unencrypted web traffic. By exploiting their position as the owner of the network, Verizon is able to create a backdoor "supercookie" that users can't delete or control.

Like a GPS tracker hidden under a car fender, that supercookie silently follows Verizon's users to every unencrypted site they visit -- including Lawfare -- so that Verizon can connect the dots. Even worse, other companies you've never heard of can "piggyback" on Verizon's identifier to track users without their knowledge or consent, as Turn did until public attention was turned their way.

Unfortunately, even public attention didn't dissuade Verizon. After months of pressure, the only change is that Verizon now lets users opt-out -- something most people won't learn about or understand, much less actually do. And of course, there's no reason to assume Verizon is the only ISP that runs or plans such a program.

Like many sites, Lawfare integrates a number of popular third party services for fonts, social media widgets, and website analytics. Since Lawfare is unencrypted, Lawfare uses unencrypted channels to communicate to all of these services by default. It's bad enough that this exposes even more data about Lawfare's readers to the network, but third party services are by their nature ubiquitous, which invites easy large-scale network attacks.

In other words, an ISP may not spend resources to target lawfareblog.com, but they could get a lot of bang for their buck by adding network rules that target google-analytics.com and typekit.net.

Lawfare could improve its resilience to those kinds of attacks by tweaking its third party embeds to use HTTPS, but since Lawfare itself is unencrypted, an attacking network could still use a generic rule (without specifically targeting Lawfare) to rewrite Lawfare's code to use insecure embeds again. The only way to seal those kinds of attacks off is to use HTTPS for the whole site.

In fact, a large network in China recently took this kind of attack to the next level, and used the lack of encryption on commonly used analytics scripts to weaponize the browsers of innocent visitors around the world to attack GitHub and pressure them to take down anti-censorship materials.

Ironically, it's GitHub's use of HTTPS that required such an enormous attack, rather than simply censoring the specific materials. Because HTTPS obscures which page a user is visiting and protects it from being modified, HTTPS forces a network to block all of it or none of it -- and blocking all of GitHub doesn't fly.

This dynamic has made network censorship a major issue for Wikipedia around the globe, which for most of its life has allowed users the choice of an encrypted or unencrypted connection. Countries haven't been shy about applying that censorship by redirecting citizens to the unencrypted version. Citing censorship as a concern, Wikipedia recently decided to go all in and move entirely to HTTPS. How this plays out for them around the globe is yet to be seen.

In short, we live on a very different internet than we did 20 years ago. Today, corporations and governments, foreign and domestic, have become more sophisticated and more opinionated about managing "their" networks. By coming together and making encryption standard on every corner of the web, we counter that trend and help preserve the internet's promise to "interpret censorship as damage".

This is why the internet's standards bodies are decrying pervasive monitoring and calling for a secure web, and why Firefox and Chrome are pushing the internet away from plain HTTP altogether. The US government recently declared "HTTPS everywhere" for the executive branch, saying "All browsing activity should be considered private and sensitive."

When publications like Just Security, the Washington Post and (hopefully!) Lawfare move to HTTPS, they're not only protecting their readers: they're demonstrating leadership at an important time and helping to change the internet's defaults.

In doing so, they help move power out of the network and into the hands of readers and writers around the world -- where the internet always intended that power to be.