Monday, September 5, 2011

HTTPS: the forgotten security measure

I would never put my credit card details into a non-secure website. And when I log into my online banking, I just wouldn't continue if I didn't see the padlock icon and https at the start of the URL. Like you, I am not an idiot when it comes to security... Why then, in an era when identity theft, phishing and spam are rife, do I fail to apply such stringent standards to the rest of my web browsing?

Nowadays, almost every website requires me to log in. And even those that don't, try to link to Facebook or Google, or store session information in cookies about my internet usage. Even though I am discerning about what websites I register on, the trust I have in the website is misguided if it fails to allow a secure (https) connection.

So now a bit of technical information. HTTP is a protocol (application layer of the TCP/IP stack) used for transferring web data. When a browser requests a web page, it sends a GET request over HTTP to the server, which responds and gives the details back. When a user logs in, the GET request also includes the username and password (or whatever details are part of that form). It doesn't matter how the website stores the database (see my previous blog post about not emailing passwords and MD5), the password is still sent in 'plain text'.

Wireshark can capture packets on a local network and can be used to see this. It's a bit scary actually, when you see your password in plain text inside a packet that is being sent across the internet. Wireshark works on the local network interface, and in a modern network with switches or encrypted wireless networks, it is generally quite difficult to be able to capture packets not intended for me. But does that itself mean I should no longer be concerned?

Certainly it should mean that we do NOT trust any unsecured / unencrypted wireless networks (such as Maccas free wifi etc.). Firesheep demonstrates the dangers of this. We also should take extreme care on networks we don't trust. When you plug your network cable in to a network (or connect via wifi) and access the internet, the packets are travelling via many computers / nodes / servers to get there. So maybe you trust the first server, but do you trust the others?

TraceRoute is a command line function (tracert on Windows) that shows the 'hops' that a packet takes to get to its destination. Using HTTP, it would only need one of those to be compromised and your information could be stolen.
tracert www.facebook.com - showing the hops from my computer (cropped) to facebook, via internode etc.

HTTPS is not actually a different protocol to HTTP; rather, it sets up an SSL (encrypted) connection between the server and client and then transmits the HTTP traffic over that. This means that the contents of the packets cannot be read along the way, which makes it the 'correct way' of protecting data sent over the internet. Wireshark can still see the packets, but their contents are unintelligible because they are encrypted.

If HTTPS is the 'correct way' of transmitting data over the internet to avoid it being intercepted by other people, why isn't it implemented all the time?
  • Performance - since https requires setting up an SSL encrypted channel there is a performance cost which for many webpages is not required. It is hard to say exactly what the performance cost is (it would depend on the size of pages / elements and many other factors) but I don't think it would be unfeasible to see a http page load in half of the time of the same page over https (or even less). This is a fairly significant performance hit for a website.
    This server does not have a valid SSL certificate. (Firefox browser)
  • Cost - because https is about 'trusting' a website, it costs a significant amount of money (hundreds or even thousands of dollars each year) to have a valid certificate via a company such as VeriSign etc. (Some companies advertise 'free ssl' certificates - personally I am dubious and want to trust that SSL certificates are quite hard to get, since I want to be able to trust 100% in a website with a valid SSL certificate). While this may sound like a small cost for security, it doesn't add anything to the implementation of https, but rather just avoids the 'warning screen' (as shown in the picture) which would most likely put visitors off actually continuing to use a website unless they definitely trust it (even though in 99% of cases it would be perfectly safe - and definitely safer than using the same website via http - I still wouldn't encourage this behaviour!).

  • Laziness / apathy / ignorance - once a website is 'working' it tends to be just left. Also, the potential for identity theft or loss is for the user of the website, not the company implementing the website. Join this to the fact that most web users aren't committed to security enough to refuse to use a website if they don't trust that it is secure, apart from perhaps a banking website, and you can understand why http is the 'ignored' security hole in our lives.

Twitter now defaults to using https. This is a good thing! Facebook still defaults to http, but it has an option (only as of January, 2011) to allow 'secure browsing' inside the settings (which you should change ASAP!). This only helps the situation if users are aware of it. Surely Facebook should be changing it from an 'opt-in' setting to a default setting, or even better, a mandated setting. I suspect this might be because of the way Facebook apps work (they are NOT on the Facebook server, even though they appear to be - they are on the developer's server), and it is up to the developers of the apps to allow SSL (so many apps won't work over https).

Finally, a word of caution: be careful!! Using HTTPS doesn't mean you can do anything you like on the web and are protected! It's just one of the pieces in the security jigsaw puzzle. If you put your credit card number into a bogus https website, it will prevent anybody along the way from reading the credit card number, but the end server still gets your credit card number!! Remember all the other good advice about not clicking on links from emails etc.

Take an audit of the websites you use. What personal details are you risking via http, and is there an option to use https?

Saturday, March 5, 2011

ABC of Hints!! (Now that everyone is an ICT teacher!)

I've been reflecting lately that with a 1-to-1 computer program in a school, suddenly every teacher is having the role of "ICT Teacher" thrust upon them, whether they like it or not!

So here is the start of my ABC's of hints and tips for being a better ICT teacher:

  • Appreciate the expertise within the classroom. This should NOT be an excuse for poor preparation because we really should be an expert in the software or techniques that we expect the students to use. But in many cases a particular student may be able to teach you and / or their peers which gives them great satisfaction and helps to model collaborative learning techniques.
  • Be hands off - don't continually take over and DO things for the students, this doesn't help them to learn to do it themselves and it also can significantly dent their confidence with ICTs if we make them feel bad that they can't do it as quickly as we might be able to.
  • Care should be taken to not just use technology for technology's sake... what is the purpose? Will it improve the learning? Are there better ways? Model the critical thinking we expect of our students and try to not 'cheapen' technology by using it as a 'gap-filler'.
  • Don't give up! The first time we teach something or try something new never goes perfectly! That's ok! Spend time reflecting, discussing, evaluating and improving for next time.
  • Explore and investigate - when the stakes are low! Try things out beforehand, early on and think critically about what is happening. Evaluate new techniques and approaches in a formative environment before the pressure is on.
  • "F1" - use the help function (keyboard shortcut F1) and expect students to do likewise. When something doesn't work, take a moment to think about it carefully and troubleshoot. Model good habits by not just getting tech support immediately something doesn't work!!
  • Guidelines - Give clear guidelines every lesson. What function of the computers are we expecting the students to use this lesson? What is not appropriate for this lesson? Create some classroom language that helps the students to be clear about what is expected.
  • Hypocrisy hurts the learning environment - model appropriate use of computers by following the same guidelines you have given to the students. If we expect them to be working on task, let's not become hypocrites by checking our email frequently, being on Facebook or Twitter, checking the cricket scores or just randomly searching the web for "funny cats photos" while in class. Students tend to respond really positively if they see that the teacher is working as well, rather than just standing over them checking that they are on task.
  • "I need everybody to close their laptops and listen in". Create similar routines to things like "pens down" or "diaries out" which apply to the use of computers such as "Lids down" or "Sleeping laptops".
  • Just because it's on a computer, doesn't change the fact that lost work is still lost work! Whether it's a corrupt / lost USB, disorganised files or an email that has disappeared, many times students are simply trying to con us and even if it is genuine, learning to back up / recover work is an important skill for everyone to learn.
Feel free to leave me a comment suggesting any other hints!