The Federal Trade Commission’s website just got a whole lot safer for people to peruse after the government agency said Friday that it now supports HTTPS encryption. While it used to provide secure transport for the parts of the website that dealt with sensitive information like complaint data and email subscriptions, this is the first time that secure browsing covers the entire site, the FTC said.
When a website is secured through the HTTPS communication protocol, all data passed between the site and the person who is accessing it will be encrypted through the use of either the SSL or TLS encryption protocols. Basically, the person’s browser initiates communication with the locked-down website and through the exchanging of encryption keys, all information should be scrambled from prying eyes.
In theory, this process works fine, but as the latest FREAK bug demonstrates, there can be some holes in the system, especially if the browsers or devices in questions use ineffective security protocols to speak to websites. In the case of FREAK, Android browsers using the OpenSSL protocol, Safari browsers using the Apple TLS/SSL protocol and now all supported versions of Windows that use the Schannel security package (sorry IE users) are vulnerable to hackers who can essentially weaken the encryption that takes place.
Still, many sites use HTTPS as it is one of the most common tools to prevent eavesdroppers from snooping into website sessions. In the case of the FTC, it may seem like a no-brainer to add encryption, but the U.S. government hasn’t always showed support with encryption technology, especially when it comes to tech companies and mobile-device makers who use the tech to mask data.
Both the U.S. and U.K. governments have made it clear they feel that companies using encrypted communications can impede government investigations and even the Chinese government has jumped on the bandwagon with a proposed law that would require tech companies to hand over their encryption keys.
Ironically, a leaked U.S. report on cyber threats explained that encryption technology is the “[b]est defense to protect data,” which shows that the U.S. government hasn’t quite made up its mind on where it sees encryption technology. If it protects consumers from spying eyes as in the case of the FTC website, then that’s great, but if the government perceives that the technology may prevent it from doing its job, it’s a no-go.
Either way, the corporate sector shows no signs of slowing down when it comes to developing new businesses around encryptions, with recent funding rounds for encryption-centric startups like CipherCloud and Ionic Security.
The U.S. government, as well, still has a long way to go. Many .gov domains like whitehouse.gov, the U.S. Department of Education, the U.S. Department of the Treasure and NASA’s website remain unencrypted. So expect this tug-of-war between the need to protect and the government’s need to scan encrypted company data in the case of investigations to continue.