Transport Layer Security (TLS) is the current best standard for secure communication over the Internet. Almost every web browser, modern VPN, and mail client and server uses TLS to establish a “secure channel” over the Internet. TLS protects the confidentiality and integrity of the data sent through that channel in both directions. It can also be used to authenticate the parties at either end of the channel—this is the certificate check you’ve seen sometimes fail in your browser. Your web browser probably shows you a gold lock or other indicator to tell you that it’s using TLS (still often called SSL) to authenticate the server, and to ensure confidentiality and integrity.
But there’s a catch: TLS uses cryptography designed by mathematicians and implemented by programmers. The cryptographers have a special meaning for the ordinary words “confidentiality” and “integrity” and “authentication.” Those meanings don’t encompass most of what ordinary people mean by the same terms. In particular, they don’t mean what many people who hope for social effects from TLS want them to mean.
This confusion hurts us all in two important ways. First, it causes us to spend a big pile of work and other resources to use TLS in all sorts of new cases. Second, it gets us in trouble when we rely on benefits that TLS doesn’t really provide. When we pretend that TLS can give us privacy, especially privacy of social interactions from state actors, we may give dangerously bad advice. Anyone who relies on TLS to keep the social habits implied by their Web activity private from their ISP or nation-state may be in for a very sharp surprise.
In TLS, “confidentiality” means that we can keep an adversary from guessing short secrets embedded in other text. We can’t keep the adversary from learning which web site we’re visiting. An eavesdropper can tell—from the size and timing and coordination of who sends which messages—whether we’re visiting Facebook or Wikipedia, and can make strong guesses about which pages we’re visiting inside each site. An adversary who can serve a few ads, like your ISP, can make even stronger guesses—all without doing anything to compromise your computer or behave in ways that might trip any of your defenses.
TLS confidentiality guarantees are based on the confidentiality guarantees of symmetric ciphers like AES. These ciphers aren’t proven secure—but nobody publicly admits knowing how to break them. What does it mean to “break” those ciphers? Cryptographers play a game: they encrypt one of two messages and ask an adversary to guess which message the ciphertext corresponds to. If one of the messages is an encyclopaedia, and the other is a credit card number, of course the adversary can guess—they’re wildly different sizes. A web browser using TLS doesn’t just use AES “straight,” in the model in which its designers expected it to be used. A web browser uses TLS and AES for an interactive protocol with lots of messages flying in both directions—and to many parties.
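As an added illustration of the two points above (it is not code from the original post), the script below plays the two-message guessing game with an adversary that looks only at ciphertext length, and then applies the same trick to a catalogue of known pages. The cipher is a toy SHA-256 keystream that stands in for a real length-preserving mode such as AES-CTR or AES-GCM; the page names and sizes are constructed for the example. A simple bucket-padding function shows how much (and how little) padding helps.

```python
import hashlib
import os
from typing import Callable, Dict, List, Optional

# Toy length-preserving stream cipher (an assumption of this example, not
# anything TLS actually uses): SHA-256 keystream blocks derived from a key,
# a nonce and a counter, XORed into the plaintext. Like AES-CTR or the
# AES-GCM record encryption in TLS, it changes every byte but the ciphertext
# is exactly as long as the plaintext (GCM adds only a fixed-size tag).
def toy_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))

# The distinguishing game from the paragraph above: the challenger encrypts
# m0 or m1, and the adversary guesses which. This adversary never looks at
# the ciphertext bytes, only at the length.
def length_guess(ciphertext: bytes, m0: bytes, m1: bytes) -> Optional[int]:
    if len(m0) == len(m1):
        return None  # no information: the only case the cipher's definition covers
    return 0 if len(ciphertext) == len(m0) else 1

def play_game(key: bytes, m0: bytes, m1: bytes, b: int) -> bool:
    """Return True if the length-only adversary guesses the challenger's bit b."""
    nonce = os.urandom(12)
    ciphertext = toy_encrypt(key, nonce, (m0, m1)[b])
    return length_guess(ciphertext, m0, m1) == b

# Constructed catalogue of pages an eavesdropper already knows about
# (sizes are invented for illustration; the bytes themselves are irrelevant).
PAGES: Dict[str, bytes] = {
    "bank/login": b"L" * 1_300,
    "bank/statement": b"S" * 41_700,
    "wiki/Cookie": b"W" * 88_210,
    "wiki/Chocolate": b"C" * 88_290,
}

def pad_to_bucket(plaintext: bytes, bucket: int = 4096) -> bytes:
    # Pad with zero bytes to the next multiple of `bucket`. A real scheme would
    # also encode the true length so the receiver can strip the padding.
    return plaintext + b"\x00" * ((-len(plaintext)) % bucket)

# Which catalogue pages could have produced a ciphertext of the observed
# length? With no padding the answer is usually a single page.
def candidates(observed_len: int, catalogue: Dict[str, bytes],
               pad: Optional[Callable[[bytes], bytes]] = None) -> List[str]:
    return [name for name, body in catalogue.items()
            if len(pad(body) if pad else body) == observed_len]

if __name__ == "__main__":
    key = os.urandom(16)
    m0, m1 = PAGES["wiki/Cookie"], PAGES["wiki/Chocolate"]
    wins = sum(play_game(key, m0, m1, b) for b in (0, 1, 0, 1))
    print(f"length-only adversary wins {wins}/4 games between two wiki pages")
    for name, body in PAGES.items():
        seen = len(toy_encrypt(key, os.urandom(12), body))
        print(f"{name:16s} unpadded -> {candidates(seen, PAGES)}")
        seen = len(toy_encrypt(key, os.urandom(12), pad_to_bucket(body)))
        print(f"{name:16s} padded   -> {candidates(seen, PAGES, pad_to_bucket)}")
```

Run as a script, the unpadded catalogue identifies every page uniquely, and the two wiki pages (80 bytes apart) are told apart in every round of the game. Padding to 4 KiB buckets makes those two indistinguishable but still leaves the two bank pages in buckets of their own, which is the general pattern: padding buys a limited amount of ambiguity at a bandwidth cost, and TLS 1.3's optional record padding has the same trade-off. Timing and message counts, which this example ignores, leak on top of size.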
AES doesn’t magically extend to protect confidentiality of every imaginable fact about those multi-party interactive conversations. AES’s and TLS’s designs assume that the adversary can figure out, or is told, the general shape of the conversation. They then try to protect secrets embedded in that conversation like chocolate chips in a cookie. The adversary knows we’re eating a cookie, and knows the location of the chips in the cookie. But he still can’t get the chips.
TLS is very useful for protecting those chips—and there are lots of circumstances in which we wish to do just that. TLS lets an adversary know that you’re visiting a bank, but doesn’t leak your password, account number, or balance. If you look at a set of transactions, the adversary can probably tell this—and can tell about how many transactions there are. But the adversary can’t tell what those transactions are—amounts, dates, or payees.
AES-style encryption will never achieve privacy. I don’t know how to get very strong privacy in practical cases; I know about software like Tor and Pond, but those vary in cost from high to wildly impractical.
Privacy advocates have been asking to use more cryptography in TLS. I share the value they place on privacy. Unlike them, I don’t see how to use a technology that protects only chocolate chips to keep private my habit of eating cookies.