Earth Encrypted, Part 1: Authentication?

The Internet isn't secure. It wasn't designed to be; however, it has become ubiquitous and exposed each and every one of us on Earth to... well, everyone else on Earth. This creates much benefit. Unfortunately, for those without an understanding of Internet technology, and even for those who have one, it also creates much opportunity for malice.

An easy, and actually very effective, recourse to thwart such malice is to encrypt Internet traffic by default, even if no private data is exchanged. This isn't difficult. For instance, the Eyesaac System Technologies web site (https://eyesaac.com) and this blog (https://microscopium.eyesaac.com) are separate encrypted services of the same company, even though no private data is exchanged.

Before clicking the links for the first time, though, please know that your browser will warn that the connection is untrusted. This is because our certificate is self-signed and not certified by a third-party CA (certificate authority). This brings us to probably a more important topic of discussion.

Even though the certificate is self-signed, the connection is still encrypted for secure data transfer; however, even assuming you trust us (you can), there's no way for you to know whether there's a "man in the middle" or whether you've connected to a spoof site. This is where CAs with a root certificate configured in most browsers by default help: by generating certificates based on their root for entities they've authenticated... for a fee (we'll get back to that fee in a minute). Sites for entities using CA-issued certificates generated from a CA's root are then authenticated and passed through browsers without warnings, and users are assured that they and the free world are safe. Well... maybe not.

There's been an increasing number of breaches of the methods used to authenticate entities requesting CA-issued certificates. In some cases this is due to dereliction, and in some cases further still it's knowing dereliction, in that they somehow rationalize collecting a fee without (much) effort to authenticate. The duty to scrutinize someone giving you money is a whole other ball of wax that probably deserves its own article.

Anyway, this raises the question: why should entities even pay for inclusion in, or web users trust, a certificate system that's become flawed? It's a system that was really flawed from the start, because money is paid by the entities seeking to be authenticated rather than by the entities needing authentication of another, and so it has no inherent accountability. It's a classic conflict of interest.

The Internet Security Research Group (ISRG) has stepped up to this and is helping to secure ALL Internet traffic by issuing FREE certificates from Dec. 3rd via the public beta of Let’s Encrypt: a free, automated, and open certificate authority (CA) whose root will be configured in most browsers (https://letsencrypt.org). Taking money out of the conflicted side of the equation and making certificates free are two large steps in the right direction towards Internet security for us all.

Please anticipate Eyesaac System Technologies' sites moving to only encrypted connections and using certificates from Let’s Encrypt.