Each time I fire up the Interactive Brokers trading client application, I can't help but notice that I am given an option to turn off SSL. Don't get me wrong, I am not saying that SSL should be disabled. Instead, I think it should be turned on by default and should not be allowed to be off. Even if an option to switch off SSL is required, the setting should be hidden in one of the "advanced options" and not so readily available at the login screen.
What is SSL?
SSL or Secure Sockets Layer is a security technology to establish an encrypted connection between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).
SSL allows sensitive information such as credit card numbers and login credentials to be transmitted over an encrypted channel. Normally, data sent between browsers and web servers is sent in plain text, which leaves you vulnerable to eavesdropping.
SSL is more of a legacy name, as the latest version of SSL has been renamed to TLS or Transport Layer Security. Modern web browsers will typically warn you if you are visiting a site without SSL encryption. Here is how some of the popular web browsers indicate a non-SSL website.
Some Interesting Stats
According to the Google Transparency Report, web traffic over SSL is on a rising trend. In 2015, less than 50% of traffic was going through SSL; now easily more than 70% is SSL encrypted. The following are the statistics for Chrome on Windows users' traffic, broken down by country.
- USA: 93%
- Germany: 91%
- France: 90%
- Russia: 85%
- Mexico: 84%
- Turkey: 83%
- Brazil: 83%
- India: 81%
- Japan: 78%
- Indonesia: 74%
Below is another source, from Firefox and Let's Encrypt, showing similar stats:
Interestingly, Japan only has 78% of traffic going through SSL. Given that Japan is one of the more technologically advanced countries, I thought they should be on par with the US and other European countries. Nonetheless, we can clearly see that SSL is a rising trend and it is now more of a basic security hygiene practice than a good-to-have.
Thick clients have to do better
While it is easy to see if a website has SSL enabled, it is difficult to know whether a desktop application (thick client) is using SSL or not. Take the Interactive Brokers app as an example again: if not for the switch, I would never know whether I am connected over SSL or not.
It would be great if all such thick client applications could follow a standard and enable SSL by default. In addition, operating systems, such as Windows and Android, should also have a built-in feature to detect if a native application is using SSL for internet traffic. Users should be warned if the native apps are not using SSL.
In the earlier days, SSL encryption was considered to be bandwidth- and computing-intensive. However, with current internet and PC processing speeds, there is no reason not to use SSL. Users should learn to be aware of whether their web traffic is connected via SSL and give feedback to the developers if SSL is not enabled by default.
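One way to make that check concrete for a thick client, as an added example that is not part of the original post: look at the first bytes the application sends on a connection (taken from a packet capture) and test whether they form a TLS ClientHello record. The function name, the result labels and the sample byte strings below are constructed for illustration.

```python
import struct

# TLS record header: content type (1) | legacy version (2) | length (2).
HANDSHAKE = 0x16             # record content type for handshake messages
CLIENT_HELLO = 0x01          # first handshake message a TLS client sends
MAX_PLAINTEXT_RECORD = 2**14  # largest unencrypted record TLS allows

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP connection.

    Returns "tls", "ssl3-deprecated", "plaintext" or "unknown".
    """
    # 5-byte record header + handshake type (1) + length (3) + client version (2)
    if len(payload) < 11:
        return "unknown"
    rec_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    looks_tls = (rec_type == HANDSHAKE and rec_major == 3 and rec_minor <= 4
                 and 0 < rec_len <= MAX_PLAINTEXT_RECORD
                 and payload[5] == CLIENT_HELLO)
    if not looks_tls:
        # Readable ASCII on the wire (HTTP, FIX, a custom text login, ...)
        # means the data is exposed to anyone on the network path.
        printable = all(32 <= b < 127 or b in b"\t\r\n" for b in payload[:64])
        return "plaintext" if printable else "unknown"
    # Version offered inside the ClientHello body; 3.0 is SSL 3.0,
    # which RFC 7568 prohibits.
    if (payload[9], payload[10]) == (3, 0):
        return "ssl3-deprecated"
    return "tls"

# Constructed samples (not captured from any real application).
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0303") + bytes(36)
SAMPLE_SSL3 = bytes.fromhex("160300002f0100002b0300") + bytes(36)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_BINARY = bytes(range(16))

if __name__ == "__main__":
    for name, data in [("tls", SAMPLE_TLS), ("ssl3", SAMPLE_SSL3),
                       ("http", SAMPLE_HTTP), ("binary", SAMPLE_BINARY)]:
        print(f"{name:7s} -> {classify_first_bytes(data)}")
```

This only inspects the start of a connection, so a protocol that begins in plain text and upgrades later (STARTTLS style) is reported as "plaintext", and an "unknown" result may be a proprietary binary or encrypted format that needs a closer look.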
We all have to do our part to keep our internet usage safe.
This article is created on the Steem blockchain.