Why is SSL still an option?

in #security, 5 years ago

Each time I fire up the Interactive Brokers trading client application, I can't help but notice that I am given an option to turn off SSL. Don't get me wrong, I am not saying that SSL should be disabled. Instead, I think it should be turned on by default and should not be allowed to be off. Even if an option to switch off SSL is required, the setting should be hidden in one of the "advanced options" and not so readily available at the login screen.

[Image: Interactive Brokers Trading]


What is SSL?

SSL or Secure Sockets Layer is a security technology to establish an encrypted connection between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers and login credentials to be transmitted over an encrypted channel. Normally, data sent between browsers and web servers is sent in plain text, which leaves you vulnerable to eavesdropping.

SSL is more of a legacy name as the latest version of SSL has been renamed to TLS or Transport Layer Security. Modern web browsers will typically warn you if you are visiting a site without SSL encryption. Here is how some of the popular web browsers indicate a non-SSL website.

[Image: Non-SSL site on Firefox Browser]

[Image: Non-SSL site on Chrome Browser]

[Image: Non-SSL site on Brave Browser]


Some Interesting Stats

[Chart: SSL Browsing Stats Based on Google Transparency Report]

According to the Google Transparency Report, web traffic over SSL is on a rising trend. In 2015, less than 50% of traffic was going through SSL; now easily more than 70% is SSL-encrypted. The following are the statistics for traffic from Chrome users on Windows, broken down by country.

  • USA: 93%
  • Germany: 91%
  • France: 90%
  • Russia: 85%
  • Mexico: 84%
  • Turkey: 83%
  • Brazil: 83%
  • India: 81%
  • Japan: 78%
  • Indonesia: 74%

Below is another source, from Firefox and Let's Encrypt, showing similar stats:

[Chart: SSL Browsing Stats from Firefox/Let's Encrypt]

Interestingly, Japan only has 78% of traffic going through SSL. Given that Japan is one of the more technologically advanced countries, I thought they should be on par with the US and other European countries. Nonetheless, we can clearly see that SSL is a rising trend and it is now more of a basic security hygiene practice than a good-to-have.


Thick clients have to do better

While it is easy to see if a website has SSL enabled, it is difficult to know whether a desktop application (thick client) is using SSL or not. Take the Interactive Brokers app as an example again: if not for the switch, I would never know if I am connected over SSL or not.

It would be great if all such thick-client applications followed a standard and enabled SSL by default. In addition, operating systems, such as Windows and Android, should also have a built-in feature to detect if a native application is using SSL for internet traffic. Users should be warned if native apps are not using SSL.
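The kind of check described above can be sketched as follows. This is an added example, not code from the original post or from any vendor: it assumes you already hold the first bytes a desktop client sent on each outbound TCP connection (for instance from a packet capture), and the function names and sample payloads are constructed for illustration.

```python
import struct

def extract_sni(hs: bytes):
    """Return the server_name from a ClientHello handshake message, or None."""
    try:
        pos = 4 + 2 + 32                                  # header, version, random
        pos += 1 + hs[pos]                                # session id
        pos += 2 + struct.unpack_from("!H", hs, pos)[0]   # cipher suites
        pos += 1 + hs[pos]                                # compression methods
        end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            if ext_type == 0:                             # server_name extension
                name_len = struct.unpack_from("!H", hs, pos + 3)[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):                    # truncated capture
        pass
    return None

def classify_first_bytes(data: bytes) -> dict:
    """Decide whether a client's first bytes on a TCP connection open a TLS session.
    TLS record header: content type (1 byte), legacy version (2), length (2)."""
    if len(data) < 6:
        return {"tls": False, "reason": "too short to judge"}
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    # A TLS session starts with a handshake record (22) carrying a ClientHello (1)
    if rec_type != 22 or major != 3 or minor > 4 or data[5] != 1:
        return {"tls": False, "reason": "no ClientHello, treat as cleartext"}
    return {"tls": True, "sni": extract_sni(data[5:5 + rec_len])}

def build_sample_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal ClientHello with only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"           # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed first payloads of two outbound connections from a desktop client
SAMPLES = {
    "encrypted": build_sample_client_hello("gateway.example.test"),
    "cleartext": b"LOGIN user=alice password=hunter2\r\n",
}
RESULTS = {label: classify_first_bytes(p) for label, p in SAMPLES.items()}
```

A connection that begins in cleartext and upgrades later (STARTTLS-style) is reported as cleartext by this check, and seeing a ClientHello says nothing about whether the client validates the server certificate.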

In the earlier days, SSL encryption was considered to be bandwidth and computing intensive. However, with current internet and PC processing speeds, there is no reason not to use SSL. Users should learn to be aware of whether their web traffic is connected via SSL and give feedback to the developers if SSL is not enabled by default.

We all have to do our part to keep our internet usage safe.



I didn't know Interactive Brokers that retail clients anymore especially foreign from US clients.

Yup, I have been using IB for years.

Being a feature to protect the client from fraud, SSL ought to be turned on ALWAYS and be on by default. I keep wondering why some websites aid vulnerabilities. Cheers!

It is always good to put an additional security layer and when it comes to operations that involve investments or capital movement I think that is something very obvious.

You reminded me of something from a long time ago, I think the first time I heard these acronyms for SSL was in 1997, it was SSL 3.0, certainly that at that time the browsing speed and the power of the computers available for most of my friends cannot be compared with the current ones, that led to the use of this security layer being reserved for very sensitive uses. Certainly much of that time has passed and today I think there is no excuse for not implementing this by default.

It is very important to have the SSL activated. And I'm sure (as a web programmer) that this must be a requirement for both web platforms and desktop applications (I didn't know they were called thick clients).

The SSL creates an asymmetric encryption shield if I remember correctly (The same encryption technology used by cryptocurrencies and blockchain), which wraps the transmission of information making it difficult for intruders in the middle to use it for their benefit.

It is very important to have this option enabled for banking and financial transactions, cryptocurrency investments, etc; in short, everything that involves money or private information.

Thanks for sharing ^_^

SSL/TLS is largely using asymmetric encryption algorithms. But the actual implementation uses both asymmetric and symmetric algorithms. And you are right in saying that it encrypts the network traffic so that people who hijack your traffic will not be able to know what it is about.

Most likely, for most users who read us, they may think we are speaking Chinese or Mandarin. However, it is important to tell them to always check that the little closed padlock is present for their safety :D

I agree that link encryption is a must in this day and age. I even go so far as to use a VPN on all my connections all the time, changing providers now and then as well. Maybe I'm just paranoid, but I feel that's the way the world is heading with the cyber threats that are evolving...

You are not paranoid, I am the same 😂

Though I do not use a VPN all the time, I will do that most of the time. I even have 2 VPN providers that I switch around with.

