Technology development seems to gallop a little faster each year. But there's always one laggard: encryption. Why the deliberate pace? Because a single, small mistake can cut off communications or shut down businesses.

Yet there are times when you take stock—only to discover the encryption landscape seems to have transformed overnight. Now is that time. Although the changes have been incremental over several years, the net effect is dramatic.

Some of those changes began shortly after Edward Snowden's disclosures of the U.S. government’s extensive surveillance apparatus. Others are the natural result of cryptographic ideas reaching the marketplace, says Brent Waters, an associate professor at the University of Texas at Austin and the recipient of the Association for Computing Machinery’s 2015 Grace Murray Hopper Award.

“Many of the new tools and applications available are based on research innovations from 2005 and 2006,” Waters says. “We are just realizing what type of crypto functionality is possible.”

A step closer to an encrypted world

Encrypted web traffic is the first step toward a more secure online world where attackers cannot intercept private communications, financial transactions, or general online activity. Many sites, including Google and Facebook, have turned HTTPS on by default for all users. But for most domain owners, buying and deploying SSL/TLS certificates in order to secure traffic to their sites has been a costly and complicated endeavor.

Fortunately, Let’s Encrypt and its free SSL/TLS certificates have transformed the landscape, giving domain owners the tools to turn on HTTPS for their websites easily. A nonprofit certificate authority run by the Internet Security Research Group, Let’s Encrypt is backed by such internet heavyweights as Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai.

How ubiquitous has HTTPS become?
In October, Josh Aas, head of Let’s Encrypt and former Mozilla employee, posted a graph from Mozilla Telemetry showing that 50 percent of pages loaded that day used HTTPS, not HTTP. While the graph showed only Firefox users, the figure is still significant, because for the first time, the number of encrypted pages outnumbered unencrypted pages. NSS Labs expects the trend to continue, predicting that 75 percent of all Web traffic will be encrypted by 2019.

Free certificate offerings will further accelerate adoption. By next year, the number of publicly trusted free certificates issued will likely outnumber those that are paid for, says Kevin Bocek, vice president of security strategy and threat intelligence at key-management company Venafi. Many enterprises will also start using free services. With certificate cost no longer a consideration, certificate authorities will focus on better tools to securely manage certificates and protect their keys.

Speaking of certificate management, after years of warnings that SHA-1 certificates were weak and vulnerable to attack, enterprises are making steady progress toward upgrading to certificates that use SHA-2, the set of cryptographic hash functions succeeding the obsolete SHA-1 algorithm. Major browser makers, including Google, Mozilla, and Microsoft, have pledged to deprecate SHA-1 by the beginning of the year and to start blocking sites still using the older certificates. Facebook stopped serving SHA-1 connections and saw “no measurable impact,” wrote Facebook production engineer Wojciech Wojtyniak.

From May to October 2016, the use of SHA-1 on the web fell from 3.5 percent to less than 1 percent, as measured by Firefox Telemetry.
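One way to find out where your own certificate estate stands is to read the signature algorithm straight out of each certificate. The block below is an added example, not code from the article or from any of the vendors it quotes: a small DER tag-length-value walker that pulls the signatureAlgorithm OID from an X.509 certificate using only the standard library. The inventory and the certificate-shaped byte strings it parses are constructed for the demonstration (they are not valid certificates, only the outer layout is real); the OID table lists the well-known PKCS#1 and X9.62 identifiers.

```python
"""Find SHA-1-signed certificates in an inventory without third-party libraries.

Added example, not code from the article. A certificate's DER encoding is
SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; walking the
tag-length-value structure to the second element and decoding its OID tells
you which hash the CA used when signing it.
"""

# Well-known signature-algorithm OIDs (PKCS#1, X9.62) -> (name, still uses SHA-1?)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw: bytes) -> str:
    """Decode OID content octets into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]  # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der: bytes):
    """Return (oid, name, weak) for a DER-encoded X.509 certificate."""
    tag, body_start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, body_start)         # tbsCertificate, skipped whole
    _, alg_start, _ = read_tlv(der, tbs_end)           # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    name, weak = SIGNATURE_OIDS.get(oid, ("unknown", None))
    return oid, name, weak


def find_weak(inventory: dict) -> list:
    """Names of certificates (name -> DER bytes) still signed with SHA-1."""
    return sorted(n for n, der in inventory.items() if signature_algorithm(der)[2])


# --- Constructed test data: certificate-shaped DER with a placeholder body ---
def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def fake_certificate(alg_oid: bytes) -> bytes:
    """Constructed stand-in: the tbsCertificate is padding and the signature is
    dummy bytes, but the outer layout matches X.509, so the parser sees the
    same shape (including a long-form length) as on a real certificate."""
    tbs = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x04, b"\x00" * 200))
    alg = tlv(0x30, tlv(0x06, alg_oid) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + b"\xaa" * 32)
    return tlv(0x30, tbs + alg + sig)


SAMPLE_INVENTORY = {  # constructed
    "www.example": fake_certificate(SHA256_RSA),
    "legacy.example": fake_certificate(SHA1_RSA),
}

if __name__ == "__main__":
    for name, der in SAMPLE_INVENTORY.items():
        print(name, signature_algorithm(der))
    print("still on SHA-1:", find_weak(SAMPLE_INVENTORY))
    # Against a host you operate (network access; hostname is a placeholder):
    #   import ssl
    #   pem = ssl.get_server_certificate(("your.host.example", 443))
    #   print(signature_algorithm(ssl.PEM_cert_to_DER_cert(pem)))
```

The parser only looks at the certificate's own signature, which is the value browsers acted on when they began refusing SHA-1 chains; in a real inventory run the same check on every intermediate as well, since a SHA-256 leaf under a SHA-1 intermediate still fails.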
Enterprises can’t be complacent, though, since recent estimates from Venafi suggest approximately 60 million websites still rely on the insecure hash algorithm.

“We look forward to the industry's movement toward greater use of stronger certificates like SHA-256,” Wojtyniak said.

Crypto is still king

Cryptography has taken quite a beating over the past few months, with researchers developing cryptographic attacks such as Drown, which can be used to decrypt TLS connections between a user and a server if the server supports SSLv2, and Sweet32, a way to attack encrypted web connections by generating huge amounts of web traffic.

Nation-state actors also have encryption in their crosshairs. Late last year, Juniper Networks uncovered spying code implanted in specific models of its firewall and Virtual Private Network appliances. Many experts believe the NSA was involved.

Shortly after the cache of hacking tools allegedly belonging to the NSA made its way to underground markets this summer, Cisco discovered a vulnerability in its IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw, which could be used to extract sensitive information from device memory, was similar to the vulnerability exploited by the tools and was related to how the operating system processed the key exchange protocol for VPNs, Cisco said.

Even Apple’s iMessage app, the poster child for how companies can bring end-to-end encryption to the masses, had its share of issues. Cryptography professor Matthew Green and his team of students at Johns Hopkins University were able to develop a practical adaptive chosen ciphertext attack that could decrypt iMessage payloads and attachments under specific circumstances. The team also found that iMessage lacked the forward secrecy mechanism, meaning attackers could decrypt previously encrypted messages, such as those stored in iCloud.
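The property the Johns Hopkins team found missing is easiest to see next to a scheme that has it. The following is an added example, not code from the article and not iMessage's protocol: it compares a message key derived from a long-term secret with one agreed through a fresh Diffie-Hellman exchange whose private values are thrown away. The group (p = 2^127 − 1, g = 5) and the SHA-256-based stream cipher are assumptions made for readability only and are not sized or vetted for real use; it also issues a new key per message rather than per time period, which is how the property is usually realised in practice.

```python
"""Why forward secrecy matters, shown with a toy protocol.

Added example; not code from the article and not how iMessage works
internally. Two key-agreement styles are compared on a recorded message:
  * static: the message key is derived from a long-term secret, so whoever
    obtains that secret later can decrypt every recorded message;
  * ephemeral: each message gets a fresh Diffie-Hellman exchange and the
    private exponents are discarded, so the recording stays unreadable even
    after the long-term secret leaks.
Assumptions for readability only: a 127-bit Diffie-Hellman group and a
SHA-256-based stream cipher; neither is sized or vetted for real use.
"""
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1   # toy group modulus (a Mersenne prime); far too small for real use
G = 5              # toy generator


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def static_encrypt(long_term: bytes, msg_id: int, plaintext: bytes) -> dict:
    """Key = HMAC(long-term secret, public message id). Whatever was recorded
    from the wire (msg_id, ciphertext) plus the secret rebuilds the key."""
    key = hmac.new(long_term, msg_id.to_bytes(8, "big"), "sha256").digest()
    return {"scheme": "static", "msg_id": msg_id, "ct": keystream_xor(key, plaintext)}


def ephemeral_exchange(plaintext: bytes):
    """Sender and receiver each draw a one-time exponent, exchange g^x and g^y,
    derive the key from g^(xy), use it once, and forget the exponents.
    Returns (what an eavesdropper recorded, what the receiver decrypted)."""
    x = secrets.randbelow(P - 2) + 1            # sender's one-time secret
    y = secrets.randbelow(P - 2) + 1            # receiver's one-time secret
    gx, gy = pow(G, x, P), pow(G, y, P)         # these two values cross the wire
    sender_key = hashlib.sha256(pow(gy, x, P).to_bytes(16, "big")).digest()
    receiver_key = hashlib.sha256(pow(gx, y, P).to_bytes(16, "big")).digest()
    ct = keystream_xor(sender_key, plaintext)
    received = keystream_xor(receiver_key, ct)
    del x, y, sender_key, receiver_key          # nothing private outlives the message
    return {"scheme": "ephemeral", "gx": gx, "gy": gy, "ct": ct}, received


def later_compromise(long_term: bytes, record: dict):
    """What an attacker gets from a recorded message once the long-term
    secret has leaked: the plaintext for the static scheme, or None when the
    record holds nothing that the secret unlocks."""
    if record["scheme"] == "static":
        key = hmac.new(long_term, record["msg_id"].to_bytes(8, "big"), "sha256").digest()
        return keystream_xor(key, record["ct"])
    # Ephemeral: the record holds only g^x, g^y and ciphertext. Recomputing
    # g^(xy) from those is the Diffie-Hellman problem, and the long-term
    # secret never entered the key, so it unlocks nothing here.
    return None


if __name__ == "__main__":
    long_term = secrets.token_bytes(32)
    old = static_encrypt(long_term, 1, b"meet at noon")
    rec, got = ephemeral_exchange(b"meet at noon")
    print("receiver read:", got)
    print("static record after leak:", later_compromise(long_term, old))
    print("ephemeral record after leak:", later_compromise(long_term, rec))
```

Run it and then hand the attacker the long-term secret: the static record decrypts, the ephemeral record does not, because the only values that would unlock it were discarded as soon as the message was read. The same reasoning is why TLS deployments prefer ECDHE key exchange over static RSA key transport.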
Forward secrecy works by generating a new key after a set period of time so that even if the attackers obtained the original key, the previously encrypted messages can’t be cracked.

One thing remains clear despite all the bad news: Cryptography is not broken. The mathematics behind cryptographic calculations remain strong, and encryption is still the best way to protect information.

“The latest attacks have not been on the math, but on the implementation,” Waters says.

In fact, encryption works so well that attackers rely on it, too. Criminals are equally capable of obtaining keys and certificates to hide their activities inside encrypted traffic. The fact that this attack vector is fast becoming default behavior for cybercriminals “almost counteracts the whole purpose of adding more encryption,” Bocek says.

Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code.

Government backs down on backdoors

Technology firms have always had to balance security and privacy concerns with law enforcement requests for user information. FBI Director James Comey had been pushing hard for backdoors in technology products using encryption, claiming that increased use of encryption was hindering criminal investigations.
While companies frequently and quietly cooperate with law enforcement and intelligence requests, the unprecedented public showdown between the FBI and Apple showed that in recent years, enterprises have begun to push back.

The FBI backed down in that fight, and a bipartisan Congressional working group—with members of both the House Judiciary and Energy & Commerce Committees—was formed to study the encryption problem. The House Judiciary Committee’s Encryption Working Group unequivocally rejected Comey's calls for backdoors and advised the United States to explore other solutions.

“Any measure that weakens encryption works against the national interest,” the working group wrote in its report. “Congress cannot stop bad actors—at home or overseas—from adopting encryption. Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.”

Weakening encryption so that police can break into encrypted devices would speed up criminal investigations, but it would be a short-term win "against the long-term impacts to the national interest," the working group warned. Alternative strategies include giving law enforcement legal methods to compel suspects to unlock their devices and improving metadata collection and analysis.

While the working group report indicates Congress will not pursue legal backdoors, other encryption-related battles are looming on the horizon. The report seemed to support letting police use "legal hacking" to break into products using software vulnerabilities that only law enforcement and intelligence authorities know about, which poses its own security implications.
The technology industry has an interest in learning about vulnerabilities as soon as they are found, and not letting the government stockpile them with no oversight.

As for Comey's "going dark" claim, the working group said “the challenge appears to be more akin to ‘going spotty.’”

Adding to the enterprise tech stack

Governments have been trotting out the terrorists “going dark” argument for years and will always play on those fears, says Mike Janke, co-founder and chairman of encrypted communications company Silent Circle. What's changing is that enterprises are becoming more serious about securing their communications stack and are less willing to compromise on those features.

Many organizations were shocked at the extent of government surveillance exposed by former NSA contractor Edward Snowden. They reacted by integrating secure video and text messaging tools along with encrypted voice calls into the enterprise communications stack, Janke says. Encryption is now a bigger part of the technology conversation, as enterprises ask what features and capabilities are available. IT no longer treats encryption as an added feature to pay extra for, but as a must-have for every product and platform it works with.

Consumers were outraged by the surveillance programs, and anecdotal evidence indicates many have signed up for encrypted messaging apps such as WhatsApp and Signal. But for the most part, they aren't paying for secure products or changing their behaviors to make privacy a bigger part of their daily lives.

The change is coming from CSOs, vice presidents of engineering, and other technical enterprise leaders, because they're at the forefront of making security and privacy decisions for their products and services. With Tesla now digitally signing firmware for every single one of its internal components with a cryptographic key, it's easier to ask TV manufacturers or toymakers, "Why aren't you doing that?"
says Janke.

Consumers are the ones who will benefit from encryption built in by default as enterprises change their mindset about the importance of encryption.

Riding the innovation wave

Cryptography tends to go in waves, with important innovations and research from 2005 to 2006 finally coming out as practical applications. Researchers are currently looking at improving the "precision of encryption," instead of the current model of all or nothing, where if something is exposed, everything gets leaked. "Encryption can be precise like a scalpel, giving fine-grained control over the information," Waters says.

Google has looked at cryptography in its experiments with neural networks. Recently, its Google Brain team created two artificial intelligence systems that were able to create their own cryptographic algorithm in order to keep their messages secret from a third AI instance that was actively trying to decrypt them.

The dawn of quantum computing will also spur new avenues of research. “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” wrote the National Institute of Standards and Technology in a public notice. Once such machines become widely available, “this would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”

To prepare for that eventuality, NIST is soliciting work on "new public-key cryptography standards," which will "specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.” The submission deadline is Nov.
30, 2017, but NIST acknowledges the work will take years to be tested and available, noting that "historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure."

“Regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing,” NIST said.

There have been a number of intriguing advances in cryptography, but it will likely be years before they become available to enterprise IT departments, and who knows what form they will take. The future of cryptography promises even more security. The good news is we are already experiencing some of the benefits now.