Cloudflare Launches a Three-Pronged Attack to Encrypt the Entire Web

The Internet infrastructure company Cloudflare is adding three new encryption features to protect more web traffic from prying eyes.

The push for web encryption, or HTTPS, is a crucial, attainable step in improving the Internet's privacy and security. And ideally, we'd encrypt the entire web, as some organizations are trying to do. But upgrading the whole Internet is complicated, and adding encryption isn't just an on-or-off switch. Some encrypted sites are faster and more efficient than others. Some are only partially encrypted. So Cloudflare---a company that touches an enormous fraction of the web---is working in that messy gray area to encrypt as much errant web traffic as possible.

The company is rolling out three new approaches today designed to help its clients' websites offer more encrypted browsing to their visitors. Those tools are meant to improve the encryption it currently offers to customers, make it easier for complex, stubbornly unencrypted websites to start the process of encrypting, and configure customers' sites so that visitors' connections are automatically encrypted wherever the option is available. In total, Cloudflare says it serves a massive 8 to 10 percent of all Internet requests, offering content delivery, server, and security services to clients like Nasdaq and eHarmony, but about 80 percent of that web traffic is still unencrypted. At that scale, incremental security improvements for Cloudflare customers (some of whom pay for premium service and some of whom get it for free) can have a real impact on overall web traffic around the world.

The company's goal is to move toward a version of the web where secure, encrypted channels are the norm and only unencrypted channels merit any type of notation---the opposite of the "green lock" system browsers use to signal an encrypted site today. But for individual sites, implementing these features takes time and money. (Even WIRED chronicled months of struggles and setbacks in the process of fully encrypting its site.) "The big push has to be how do we now make these steps easy enough for everyone," Cloudflare CEO Matthew Prince says. "The bad potential outcome is if Google and Facebook and the big giants have the benefits of security and performance, but it's too complicated and too costly for a new startup to do it."

Cloudflare has offered encryption as a default to all its customers, even users of its free services, since September 2014. This initiative is called "Universal SSL," after the Secure Sockets Layer protocol that first established encrypted links between servers and browsers; the name is historical, since the connections actually use SSL's successor, Transport Layer Security (TLS). It laid the groundwork for Cloudflare to roll out more and more encryption optimizations to its clients. Now it will add support for TLS 1.3, the next version of the protocol, which reduces the overhead of running it, especially in the "handshake," where the browser and the server agree on the secret keys for their session. TLS 1.3 is set to become the next industry standard (at the time of writing it was still an IETF draft; its predecessor, TLS 1.2, was published in 2008), and Cloudflare says it's the first service to implement it. Combined with other new standards Cloudflare has turned on by default, like HTTP/2, which multiplexes many requests over a single connection between browser and web server, the company says that its clients can actually achieve faster load times, up to 40 percent faster in early benchmark tests, by encrypting their sites. One reason that claim holds is that browsers only speak HTTP/2 over TLS, so an unencrypted site is stuck with HTTP/1.1.

Beyond encouraging sites to adopt HTTPS, Cloudflare is offering two new features that focus on encrypting wherever possible, even when HTTPS is limited or unavailable. For example, in situations where a site hasn't enabled HTTPS (perhaps because it still has too much unencrypted content on the pages from third parties, like advertisements served up from an ad network, or because it uses old and incompatible technologies) Cloudflare can still coordinate with browsers that support a mechanism called "Opportunistic Encryption" to deliver some security benefits. The protection isn't as complete as with HTTPS because Opportunistic Encryption doesn't authenticate the server: an active attacker who can intercept the connection can impersonate the site and read or alter the traffic, so users remain exposed to man-in-the-middle attacks, and the page is still an http:// origin to the browser, with no lock icon and no access to features reserved for secure contexts. What it does do is encrypt the data between the server and the browser, which defeats passive surveillance: anyone merely recording traffic on the path sees ciphertext. Opportunistic Encryption is controversial: Some worry it will create confusion and reduce the urgency of making the full upgrade to HTTPS. But Firefox supports the feature and Prince says that Chrome has committed to adding it as well.
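To make that distinction concrete, here is an added example (not Cloudflare's or Firefox's code) of how a client handles the Alt-Svc response header that this kind of upgrade relies on (RFC 7838, with its opportunistic use for http:// origins described in RFC 8164): it parses the advertised alternative and records what the client may and may not conclude from it. The header values, origin URLs and the `plan_connection` policy are constructed for illustration; a real browser applies further checks, such as the `.well-known/http-opportunistic` resource, that are not modelled here.

```python
"""Parse an Alt-Svc advertisement and record what a client may conclude from it.

Added example, not Cloudflare's or Firefox's code. The ConnectionPlan policy
and the sample inputs are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class AltService:
    protocol: str   # ALPN identifier such as "h2"
    host: str       # "" means the origin's own host
    port: int
    max_age: int    # seconds the advertisement may be cached; RFC 7838 default 86400


_ALT_VALUE = re.compile(r'([A-Za-z0-9%._\-]+)="([^"]*)"')


def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc header value (RFC 7838), e.g. 'h2=":443"; ma=2592000'.

    Malformed alternatives are skipped rather than guessed at.
    """
    if value.strip().lower() == "clear":
        return []
    services = []
    for alternative in value.split(","):
        fields = [f.strip() for f in alternative.split(";")]
        m = _ALT_VALUE.fullmatch(fields[0])
        if not m:
            continue
        protocol, authority = m.groups()
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue
        max_age = 86400
        for field in fields[1:]:
            key, _, val = field.partition("=")
            if key.strip().lower() == "ma" and val.strip().isdigit():
                max_age = int(val.strip())
        services.append(AltService(protocol.lower(), host, int(port), max_age))
    return services


@dataclass
class ConnectionPlan:
    transport: str       # where the bytes actually go
    encrypted: bool      # is the channel encrypted?
    authenticated: bool  # has the peer been verified as the named origin?
    origin_scheme: str   # what the page, its cookies and storage are keyed on
    secure_ui: bool      # may the browser show a lock / grant secure-context APIs?


def plan_connection(origin_url: str, alt_svc: Optional[str]) -> ConnectionPlan:
    """Decide how to reach origin_url given an Alt-Svc value seen from it.

    Policy modelled here (simplified from RFC 8164; a real client also checks the
    .well-known/http-opportunistic resource, not modelled): an https:// origin is
    encrypted and authenticated; an http:// origin that advertises an h2
    alternative is reached over TLS, but the server is not authenticated for it,
    so the origin, its cookies and its UI treatment stay exactly as for cleartext.
    """
    u = urlsplit(origin_url)
    host, port = u.hostname, u.port
    if u.scheme == "https":
        return ConnectionPlan(f"tls://{host}:{port or 443}", True, True, "https", True)
    for alt in parse_alt_svc(alt_svc or ""):
        if alt.protocol == "h2":
            return ConnectionPlan(f"tls://{alt.host or host}:{alt.port}",
                                  True, False, "http", False)
    return ConnectionPlan(f"tcp://{host}:{port or 80}", False, False, "http", False)


if __name__ == "__main__":
    # Constructed sample: an http:// origin advertising h2 on port 443.
    print(plan_connection("http://example.com/", 'h2=":443"; ma=2592000'))
    print(plan_connection("http://example.com/", None))
```

The point the plan makes explicit is that encryption and authentication are separate properties: the opportunistic path flips `encrypted` to true but leaves `authenticated`, `origin_scheme` and `secure_ui` exactly where cleartext left them.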

The other way that Cloudflare is trying to encrypt more web traffic is by taking a piecemeal approach to sourcing the components of a web page over encrypted links. When a page as a whole hasn't achieved full HTTPS protection, the Automatic HTTPS Rewrites feature addresses what are known as "mixed content" problems, where a site can't fully move to HTTPS because components like third-party ad modules are only referenced over plain HTTP. (Browsers refuse to load "active" mixed content such as scripts, stylesheets and frames on an HTTPS page, and merely warn about "passive" content such as images, so a single http:// script tag can break a page that has otherwise been upgraded.) The Electronic Frontier Foundation's HTTPS Everywhere browser extension, built with the Tor Project, fills gaps in encryption by upgrading links and embedded resources to their HTTPS versions wherever a ruleset says the host supports them. Inspired by this, Cloudflare worked with EFF to build a similar feature into its own service, rewriting URLs at its edge before the page reaches the browser. "Even if you’re on an unencrypted page, every component that you’re able to encrypt increases the overall security posture that you have," says Prince.
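As an added illustration (not Cloudflare's Automatic HTTPS Rewrites or EFF's HTTPS Everywhere code), the following rewriter walks an HTML document, upgrades `http://` subresource and link URLs whose host is on a list known to serve HTTPS, and reports what a browser would do with whatever is left. The sample page, the host list, the element table and the `rewrite_mixed_content` function are constructed for this example.

```python
"""Audit a page for mixed content and upgrade what can safely be upgraded.

Added example, not Cloudflare's Automatic HTTPS Rewrites or EFF's HTTPS Everywhere.
The element/attribute table, the host list and the sample page are constructed.
"""
import re
from urllib.parse import urlsplit

# Which attribute loads a subresource, per element (a practical subset).
SUBRESOURCE = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "link": "href"}
# On an https:// page browsers block these when fetched over http:// ("active"
# mixed content); images and media are "passive" and only draw a warning.
# Simplification: every <link> is treated as active, as a stylesheet would be.
ACTIVE = {"script", "iframe", "link"}

TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)\b([^>]*)>")
# Only quoted attribute values starting with http:// are candidates; text outside
# tags is never touched, which a naive string replace would get wrong.
ATTR_RE = re.compile(r"""(\b(src|href)\s*=\s*)(["'])(http://[^"']+)\3""", re.I)


def rewrite_mixed_content(html, https_capable_hosts):
    """Return (rewritten_html, findings).

    http:// URLs in subresource attributes (and in <a href>) are rewritten to
    https:// only when the host is on the known-HTTPS list, mirroring the
    ruleset idea of HTTPS Everywhere. Everything else is left alone and
    reported as (tag, url, action).
    """
    findings = []
    hosts = {h.lower() for h in https_capable_hosts}

    def fix_tag(m):
        tag, attrs = m.group(1).lower(), m.group(2)
        want = SUBRESOURCE.get(tag) or ("href" if tag == "a" else None)
        if want is None:
            return m.group(0)

        def fix_attr(a):
            name, quote, url = a.group(2).lower(), a.group(3), a.group(4)
            if name != want:
                return a.group(0)
            host = (urlsplit(url).hostname or "").lower()
            if host in hosts:
                findings.append((tag, url, "upgraded"))
                return a.group(1) + quote + "https://" + url[len("http://"):] + quote
            if tag == "a":
                action = "left (navigation link, not mixed content)"
            elif tag in ACTIVE:
                action = "left (active mixed content: browser blocks it)"
            else:
                action = "left (passive mixed content: browser warns)"
            findings.append((tag, url, action))
            return a.group(0)

        return "<" + m.group(1) + ATTR_RE.sub(fix_attr, attrs) + ">"

    return TAG_RE.sub(fix_tag, html), findings


# Constructed sample page: one upgradable stylesheet, one ad script on a host
# with no HTTPS, one upgradable image, one protocol-relative image (already
# fine), one outbound link, and a URL in body text that must not be rewritten.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="http://ads.example.org/tag.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/hero.png">
<a href="http://partner.example.com/deal">Deal</a>
<p>Visit http://ads.example.org/ for ads.</p>
</body></html>"""

KNOWN_HTTPS_HOSTS = {"cdn.example.net", "images.example.com", "partner.example.com"}

if __name__ == "__main__":
    page, report = rewrite_mixed_content(SAMPLE_HTML, KNOWN_HTTPS_HOSTS)
    for tag, url, action in report:
        print(f"<{tag}> {url}: {action}")
    print(page)
```

The host list is the crux: blindly rewriting every `http://` to `https://` would turn a working ad script on an HTTP-only host into a connection failure, which is exactly why HTTPS Everywhere ships per-host rulesets and why the ad script in the sample is reported rather than rewritten.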

None of these initiatives will encrypt the whole web on their own. But Cloudflare is taking a practical approach: It's offering multiple tools that are meant to meet sites where they are in their evolution to strong, site-wide encryption---and coax them, or drag them if necessary, toward that goal.