All that, for this.

Interview on NPR with John C. Inglis of the NSA:

While Inglis conceded in his NPR interview that at most one terrorist attack might have been foiled by NSA’s bulk collection of all American phone data – a case in San Diego that involved a money transfer from four men to al-Shabaab in Somalia – he described it as an “insurance policy” against future acts of terrorism.

(Source)

Emphasis mine.

On being secure

With all the recent news about the US government collecting and analyzing everything we do online and in our daily lives, we’ve all been looking for ways to increase our privacy.

Today, an article was posted on Hacker News about Google Analytics not being served over https. After reading this, I remembered that I use it and questioned whether or not I should keep it on this blog. Google Analytics has been installed on this blog for years, but today I found it hard to answer exactly why. It provides no real value to me other than satisfying my curiosity.

In the end, I decided to remove it. Not only because it is not served over https, but because the only real parties it benefits are Google and the NSA. My site is not large or popular, but it’s just one less site on the network being tracked through that channel.

I believe, in life, we should lead by example. I believe the web should be secure by default. I believe web servers should only function when using encryption (Supporting http was a design flaw, https should have been the only option. Even a self-signed certificate is safer than plaintext http.)

To that end, I’ve come up with a short list of simple things us website owners can do in order to hinder attacks or snooping by third parties. I’ll compare my own site against this post and update as I move toward compliance (red means failure):

  1. Serve content only when encrypted by perfect forward secrecy.
  2. Serve content entirely from web hosts and CDNs under your control.
  3. Encourage others to do the same.

It’s amazing how quickly my view on this has changed. If you would have asked me a year ago whether or not it was important to self-host images and scripts used on your site (or whether you should even be hosting your blog yourself versus using a third-party service like Tumblr), I would have answered an emphatic no and provided many reasons why letting a bigger, better player handle that is much better.  As a site operator, I want my site to be as fast as possible. As a web user, I want to be as secure as possible. Which is more important?

With the way things are now, it’s worth being a second or two slower to serve knowing that your stuff is your own.