Why should I care if a site uses encryption or not if I'm not exchanging any sensitive data?

Question

Lots of sites these days, that don't deal with sensitive data, enable encryption. I think it's mostly to make (paranoid?) users feel safer. In cases where there is a user's account being logged in, their personal data accessed, I see how it can be useful.

But what if I'm just reading a news site? Everyone has access to that, it's all over newspapers even. What's the point of encrypting such easily accessible information?

Many users have public social network profiles with their interests listed in them, political and religious beliefs, or that information can be easily found from their personal blogs and websites. They don't see that as a threat to their personal life, so they choose not to hide it. How can viewing non-encrypted popular public content harm them? And how does encrypting such pages protect their privacy?

Answer 1

The issue you're dealing with, here, is that if you decide not to encrypt a connection, you're making assumptions regarding the sensitivity of the data that goes over that connection.

Unfortunately, it is impossible to properly make that assumption because:

• You might not have fully understood all the implication of the data (for instance, if Twitter didn't encrypt data, it could be used by government agencies to spot dissidents and opponents).
• Data can become sensitive after they are being transmitted (for instance, answering "who was your first grade teacher" in a web chat with old school buddies could lead to a compromise of your iTunes account later on).

In the end, it is the same as dealing with sensitive paper documents: you can decide to shred what's sensitive only but all it takes for that model to crumble is a single mistake. It's much easier to simply destroy ALL documents securely and not worry about sorting.

Given the relatively low cost and of using connection security and the fact that it wards you against all the above problems (mostly), it makes a lot more sense to encrypt everything that to try to cherry-pick the "right" content to be encrypted.

Answer 2

Encryption is not just about preventing eavesdroppers from reading data, it also prevents them from changing it.

Flipping images on webpages upside down is an amusing prank to play on housemates but a malicious person could inject ads, or harmful code (Java, Javascript, Flash etc.) into your webpages without you realizing it.

http://www.ex-parrot.com/pete/upside-down-ternet.html

Answer 3

In addition to the other good answers I would add that HTTPS ensures that when I think I'm reading bbc.com, I really am reading the content provided by bbc.com, not a hostile third-party who wants to fool me.

Some news sites still present facts. People make decisions based on those facts -- decisions that have real-world consequences.

Answer 4

One reason in general I would like to add to the above answers is that even though you might not be doing something highly illegal in a western country, you should not assume that the government is not interested in what you read. Reading the following might put you on a list:

• Classified, documents leaked by whistle-blowers that are technically illegal
• A news site or magazine in a Muslim country (if you live in the United States)
• A news site or magazine, etc. based in the United States if you live in China or a Muslim Country

In general, we know that many governments build profiles of people who visit certain sites and you might wish to keep your political interests private. For your example of any news source, even just considering China alone and none of the reasons above is reason enough.

Edit: Steve below reminded me, in this situation the page you visit is private, but not the website. So you need to be aware of that.

Answer 5

As a general rule, it's good policy to strongly encrypt all data travelling across public networks.

The reason is that if only "sensitive" data is encrypted, it's very easy for eavesdroppers to target potentially useful data simply by looking for anything that's encrypted.

However, if everything is encrypted by default then they have no idea what information is useful until they've already decrypted it.

Given that decryption (without the key) is relatively expensive in terms of processing power while encryption is quite cheap, and that no system of encryption is entirely secure, the best way to ensure that your data remains secure is if absolutely everything is encrypted with strong encryption, even information which is trivial or already in the public domain.

Answer 6

I think that really depends on the extent of definition of "sensitive data." Passwords and credit card numbers is certainly one, but perhaps looking up on WebMD info about a rash, while a generally public info, may be something that you're sensitive about, and don't want employer or your ISP to know (employers' rights and use of work equipment arguments notwithstanding). Or perhaps following the news and elections, and not necessarily wanting to disclose your affiliation. Election news is public, yet which ones you read may not be something you wish to disclose. So in general, the information itself may be in public domain. Who accesses what information and what can be profiled about one does not necessarily have to be. This is where encryption may be useful (and of course other technologies making such information available again notwithstanding - just giving an argument strictly with respect to encryption).

Answer 7

Lots of news sites/newspaper sites provide accounts for additional functionality, subscriptions, etc. Forcing all web traffic through SSL reduces risk by making sure no one can ever log in on an unencrypted connection.

Generally it's better to be safe than sorry. Nowadays HTTPS isn't as much as an overhead as it used to be, so why not encrypt all connections to be sure?

Answer 8

Some background before I get to my answer:

I find telephones fascinating and one of the most interesting phones I came across was the STU or Secure Telephony Unit which basically consisted of an a/d-d/a some audio codecs a digital encryption module and a modem and a bypass circuit all stuffed inside a telephone and was for the most part connected to ordinary telephone lines and the public telephone network. They were very popular during the cold war. The basic way they were used is pickup the handset, verify dial tone, place the call, verify that you reached the right number, agree to initiate secure mode, both parities would turn the key to initiate secure mode, wait for the crypto to sync, have secure conversation, agree to end secure mode, turn key to insecure, end call.

In my research into STUs I came across an account of some Russian Spies discussing intercepting calls between STUs. Although these field agents were unable to learn the contents of the encrypted conversation, they made a special effort to listen to all calls on a line that had a STU connected to it in addition to recording the encrypted conversation for analysis, They said that they learned all sorts of interesting and valuable things from the unencrypted portion of the calls, quite a bit beyond the identities of the parties to the call.

The moral of the story: Even if you don't think the information is valuable, the enemy might. (regardless of who we think the enemy is)

Answer 9

Because you don't really know what can be infered from the data you emit. Since the whole NSA fuss surfaced in the news, lot of people think : "yeah, right, the NSA knows about the emails I send to my little cousin and my buying habits ? So what ?".

Unfortunately we've entered the age of BigData and machine learning. This isn't just about crunching huge databases to get models and predictions. Personnally, I think machine learning represents a huge step forward for sciences in general. It represents a shift from analytical to what I'd call meta-analytical methods. "Back in the days", you'd start with data coming from some domain (say, demographics), analyze it with some analytical framework that matches the domain, and get a result in this domain's terms (e.g. a model to predict the growth of some given population).

Machine learning works on the level above : it has its own set of analytical tools and methods, but it is used to build "electronic brains" that will perform the actual analysis. The direct consequence of this being that it is easier to bind domains and perform cross-inferences between them. For instance, it is possible to predict where you'll be 24 hours from now on the basis of some of your Facebook data.

Or tell whether a woman is pregnant by looking at what she buys.

Target Predicts Pregnancy with Big Data.

After shopping at Target, the girl began receiving mail at her father’s house advertising baby items: diapers, clothing, cribs and other baby-specific products. Her father was incensed at the company’s attempts to “encourage” pregnancy in teens and complained to the management. A few days later, a shamefaced Dad called the manager to apologize; it appeared his daughter actually was pregnant. This is not an unusual occurrence with today’s computer-assisted data collections on the part of retail stores. Target assigns customers a Guest ID number that is tied to their name, credit card, email address and every other piece of information the store can collect. Using the information on past purchases, Target is able to create a startlingly accurate profile to use in customer-specific advertising.

Of course, I am overstating the power of machine learning (and understating the importance of domain-specific knowledge/experts). Yet, the prospects are freightening : identifying gay people or political opponents from some apparently unrelated activity could be achieved by ill-intentioned governments or organizations sounds plausible. They could even repress revolutions before people even get the chance to protest on the streets. Etc...

I think this is a very important issue for our modern societies, even more so since it hasn't been identified as one of the great ethical challenges of this century, unlike human genetical engineering.

Answer 10

One point that often gets missed in this discussion is the fact that SSL also encrypts the page URL that you use when accessing a website.

If someone were eavesdropping on your connection, (NSA?) and you were visiting a site that wasn't provided over SSL, someone could see which pages you access and build a profile around you based on your browsing habits.

If you visit sites with SSL enabled, it is not just the page content that is encrypted but the actual page URL (the path on the server) that gets encrypted too.

So if someone is eavesdropping they only know which domains you visit. They can't tell what pages you access.

Answer 11

All the main points have been covered but I thought it's worth covering this particular scenario:

It was/is popular to encrypt a login page, then allow the authenticated user to continue browsing the site on an unencrypted connection (to save CPU cycles on the server). This seemingly efficient and parsimonious use of encryption is actually next to useless.

It allows a mitm to capture your session cookies and then fully impersonate you on the site in question. Possibly allowing them to change you login credentials or even retrieve your plain text password.

Answer 12

THE THREAD-STARTER WROTE: But what if I'm just reading a news site? Everyone has access to that, it's all over newspapers even. What's the point of encrypting such easily accessible information?

MY RESPONSE: Yes, everything on the news site is public; but would you feel comfortable with someone standing over your shoulder while your with your computer at a coffee shop, using its WI-FI, for example seeing which articles you choose to read? And what if the news site nevertheless has a login so that readers may customize the feed? Doesn't that part of what you do there need to be encrypted? Between the two things, it's easier for the site owner to just encrypt everything.

THE THREAD-STARTER WROTE: Many users have public social network profiles with their interests listed in them, political and religious beliefs, or that information can be easily found from their personal blogs and websites. They don't see that as a threat to their personal life, so they choose not to hide it. How can viewing non-encrypted popular public content harm them? And how does encrypting such pages protect their privacy?

MY RESPONSE: Some of them don't care about their privacy. They have, as psychologist Sherry Turkle put it, an "I share, therefore I am" sort of mentality. In any case, as with the previous example, even they who so freely share must login to said pages to change things, no? And their so doing must be encrypted, no? Additionally, those who read their informationn may not want others in the coffee shop where they're using their laptop to know that they're looking at so-and-so's social networking page.

Learn about what's called "sidejacking," wherein someone sitting at another table with his/her laptop, in a coffee shop where you're also using your laptop, with both of you on the same WI-FI LAN, can be using a simple Mozilla Firefox extension called "Firesheep" to "see" on his/her screen, everything you're doing on your computer at your table on the other side of the room. Or s/he can be using his/her android phone, and a little thing called "DroidSheep" to accomplish much the same thing. And there are other similiarly-nefarious tools.

Would their doing that to you be okay with you? Right about when you figure out that they are, wouldn't it be nice if the website you're using just happened to have SSL turned-on, and your access to said site were via https:// instead of mere http://?

That's why Firefox and Chrome extensions like "HTTPS Everywhere" exist: to automatically switch thousands of sites from insecure "http" to secure "https", thereby protecting you from many forms of surveillance and account hijacking/sidejacking; and in countries less free than the US, even some forms of censorship.

All websites, anymore, should be utilizing SSL for all content. Period. It should be as normative as that we must put on chothing before we leave the house.

Hope that helps!