Why is SSL so important? Your ISP may be watching you more closely than you think

Saturday, September 10, 2016
As you know from my previous blog entries, I have been focused on security and privacy.  I actually spent a lot of time trying to determine if SSL enabling this particular site was important (please see my previous blog entry at https://blog.flexency.com/2016/08/enabling-ssl-on-blogger-with-custom.html for a longer discussion on this)

I had originally decided that SSL was not important for a site that:
1) Does not require you to login
2) Does not have any information specific to an individual or group
3) Was on a platform that would be difficult to hack (notice that I did not say "secure")

Since I am using Blogger as my hosting environment, I thought it was better to have a fully managed platform that would be free from code defects.  On a non-SSL site, what can people in the middle really see?  Your IP address, browser information, the number of times you visit a site????  Is this information really sensitive enough to care about encrypting?

Then the epiphany hit - ISP level tracking.  There are ISPs out there that are using something called an X-UIDH header to track your activity across all HTTP sites you visit.  If you are not familiar with the X-UIDH header, you should read the extremely information Electronic Frontier Foundation (EFF) posting on this topic at https://www.eff.org/deeplinks/2014/11/verizon-x-uidh

The very short summary is that ISPs can (and are) changing your browser requests to include a unique tracking ID.  You can not stop this, you can not prevent it, you *may* be able to opt out (if you believe an opt out will work).  It is also unclear who gets to purchase this information and how it is used.

The good news is that SSL requests can not be easily modified without much more sophisticated techniques.

VPNs also protect your traffic against modification.  There is a catch with VPNs, like everything else.  Any VPN encrypts your traffic to their VPN server.  Once your traffic reaches the VPN server, the VPN's encryption is removed and the normal traffic flows out.  Therefore, if you are sending HTTP requests over a VPN you have changed who can see your traffic but you have not fixed the underlying problem.......*someone* can see it.  You have to trust your VPN to be honest about what they do with your data.