Over a year ago, when we first announced SPDY, the most prominent criticism was the requirement for SSL. We’ve become so accustomed to our unsecure HTTP protocol that making the leap to safety now seems daunting.
Since that time, many things have happened, and it is now more clear than ever that SSL isn’t an option – it’s a matter of life and death.
SSL was invented primarily to protect our online banking and online purchasing needs. It has served us fairly well, and most all banks and ecommerce sites use SSL today. What nobody ever expected was that SSL would eventually become the underpinnings of safety for political dissidents.
Last year, when China was caught hacking into Google, were they trying to steal money? Two months ago, when Comodo was attacked (and suspected the Iranian government), did they forge the identities of Bank of America, Wells Fargo, or Goldman Sachs? No. They went after Twitter, Gmail, and Facebook – social networking sites. Sites where you’d find information about dissidents, not cash. To say that these attacks were used to seek and destroy dissidents would be speculation at this point. But these incidents show that the potential is there and governmental intelligence agencies are using these approaches. And of course, it is a well-known fact that the Egyptian government turned off the Internet entirely so that their citizens could not easily organize.
The Internet is now a key communication mechanism for all of us. Unfortunately, users can’t differentiate safe from unsafe on the web. They rely on computer professionals like us to make it safe. When we tell them that the entire Web is built upon an unsecured protocol, most are aghast with shock. How could we let this happen?
As we look forward, this trend will increase. What will Egypt, Libya, Iran, China, or Afghanistan do to seek out and kill those that oppose them? What does the US government do?
Fortunately, major social networking sites like Facebook and Twitter have already figured this out. They are now providing SSL-only versions of their services which should help quite a bit.
So does all this sound a little dramatic? Maybe so, and I apologize if this sounds a bit paranoid. I’m not a crypto-head, I swear. But these incidents are real, and the potential is real so long as our Internet remains unsecure. The only answer is to secure *everything* we do on the net. Even the seemingly benign communications must be encrypted, because users don’t know the difference – and for some of them, their lives are at stake.