This column is now in its third year with Information Security Buzz. As a result, there are now two past “security predictions” entries for 2015 and 2016. For 2015, I predicted that HTTP/2 and TLS 1.3 would have a disrupting effect on the Internet. Perhaps because I missed the mark on Internet disruption, I was a little less bold in asserting that data center blind spots would continue to be a huge challenge for security teams when making 2016 predictions a year later.
Fortunately, wait long enough, and some predictions can be vindicated. HTTP/2 finally started to see significant adoption in 2016, nearly tripling to 240K of the Alexa top 1 million websites from the same time in 2015. Driving this adoption is not the advanced security built in to the HTTP/2 protocol specification, such as TLS encryption by default and only Forward Secrecy ciphers. The main driver, as you might expect, are the serious performance enhancements offered by HTTP/2.
Performance and availability will almost always supersede security when architecting, engineering, and operating any application infrastructure. While the primary drivers for updating the HTTP protocol were improved performance and support for richer web applications, the inclusion of default security requirements promises a great benefit to the privacy and integrity of Internet traffic. Among the performance enhancements in HTTP/2 is the negotiation of the application layer protocol during the TLS handshake, which noticeably reduces the overhead when supporting encrypted HTTPS instead of clear-text HTTP. These performance improvements for HTTPS apply even when encrypting with the current TLS 1.2 protocol.
In 2017, we fully expect the IETF to finally ratify the TLS 1.3 standard. This new TLS protocol standard includes security enhancements heavily informed by the litany of vulnerabilities to existing SSLv3 and TLS 1.x standards, as well as the underlying ciphers associated with those protocols. However, enhanced security isn’t the only goal of TLS 1.3. Performance improvement is another primary goal, which is aimed at enabling greater adoption of HTTPS. One key TLS 1.3 optimization implements a “zero round trip” or zero-RTT handshake, which will substantially improve page-load times, a key metric for any web application. Another experimental transport encryption technology from Google, known as QUIC, is also pushing forward performance optimization. QUIC implements encryption for UDP, which has obvious benefits to the many streaming protocols and services ubiquitous on the Internet.
The future looks bright for those of us who think HTTPS Everywhere is not only inevitable, but essential to our lives on the Internet. HTTPS doesn’t solve all security and privacy concerns of conducting our digital lives. However, HTTPS is foundational to a safer Internet. At the BSides NYC conference last year, Chris Wysopal of Veracode gave a talk about changing the paradigm of information security practices. Instead of warfare with attack and defense modes of design, Wysopal asserted that we must pursue improving safety. This notion aligns well with the calls for a “Cyber UL” led by prominent security pioneer Mudge, which focuses primarily on apps and desktop software. Others like Josh Corman, are leading the charge on medical devices, cars, and other potentially lethal hardware running insecure and unscrutinized software.
The trend of improving safety of software and systems along with the pervasiveness of encryption is a convergence of many trends, and a bubbling to the larger public consciousness. As generations of so-called digital natives grow up, the demand for safety and security by default is increasingly a competitive differentiator for any service offered on the Internet. Social media platforms now tout their privacy and safety features, as a means to entice new users. Those same digital natives are also less patient than ever, and do not tolerate services that are unavailable or even slow. HTTP/2 and TLS 1.3 largely address these significant performance concerns for transport encryption, and will see accelerated adoption in 2017 so that organizations can offer the privacy and safety consumers demand without compromising the performance.