When you look at your web browser, the key features for some are the bookmarks. For others, it’s a more textual experience with the URL bar, also known as the location bar, or, perhaps more popularly, the address bar. If you’re viewing this article on The Factory Times’ website, it should say something to the effect of thefactorytimes.com in the address bar. When you visit Google, or the SUNY Polytechnic Institute’s website, you’ll additionally see in front of the address itself, an icon for a padlock, indicating that a secure connection has been established with the website. Some browsers may also turn the padlock or another part of the address bar a stop-versus-go color such as green, yellow, or red. If you’ve ever wondered what that all means, or why you should only enter private information or personally identifiable information (PI/PII) on a secure page, then welcome to the tech behind the page.

The 🚦 color scheme is a little drastic, I know, but the importance of only entering PI/PII in a page that registers with the 🔒 is really vital. The below table gives some technical, and not so technical information regarding regular web sites, HTTP, versus secure websites, HTTPS. The port numbers are well known, one of the qualities that makes the server side of the equation a popular target. An unsecured or misconfigured server port quickly becomes what is known as an attack surface. In an unsecure setting, an attacker could intercept traffic, hijack sessions, or just sniff the line for information. In a secure setting, an attacker can still sniff the line for information, but the data is encrypted.

Check out this link to view some graph comparisons between HTTP v.s. HTTPS.

The minimum standard for encryption in 2021 is Transport Layer Security version 1.2, which was approved as an Internet Engineering Task Force (IETF) standard known as a Request for Comments, RFC 5246, in August 2008. A newer version, TLS 1.3, has been gaining popularity since it’s approval as RFC 8446 in August 2018, especially among early adopters and security conscious vendors. Earlier versions, such as TLS 1.0 and 1.1 have been compromised and are no longer considered secure. The Secure Sockets Layer (SSL) protocols, which predate TLS, are considered not secure in all its versions; 1, 2, and 3.

“TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.”

RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3

Since TLS version 1.4 is just a twinkle in a researcher’s eye right now, the next best thing in securing webpages is Quick UDP Internet Connections protocol, better known as QUIC. QUIC builds on UDP ports instead of TCP ports, building secure tunnels to those UDP ports using TLS 1.3. Quickly (pun intended) things change on our table above, as QUIC negotiates a dynamic range of ports to communicate with, rather than using the static and vulnerable known TCP ports of 80 or 443. Both security and speed are enhanced, making QUIC suitable for a wider range of secure applications without the normal performance decrease of HTTPS.

“QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances.”

draft-ietf-quic-transport-34 - QUIC: A UDP-Based Multiplexed and Secure Transport

For now, the IETF continues their diligent efforts to build and better secure the Internet. And you can trust they’re not the only ones working towards those same goals. The week of March 8th, 2021 is the 110th meeting of the IETF. That week also starts the 70th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN), another organization that helps to build and maintain the core services of the Internet. Now that the world has accepted virtual meetings and virtual conferences, these organizations are opening up to even wider audiences, myself included, which can only lead to a better Internet for everyone. For more information on the extensive work of the IETF and ICANN, visit their websites ietf.org and icann.org, respectively. This semester, I look forward to bringing our readers more articles about these kinds of core standards and technologies that make the Internet one of the things we hate to love. Stay tuned for next week’s edition!