Socialism and the End of the American Dream / Group items tagged IETF

Paul Merrell

IETF Begins To Work On Designing A Surveillance-Resistant Net | Techdirt

  • Edward Snowden's leaks show that the NSA and GCHQ have been systematically subverting key technologies that underlie the Internet. That betrayal of trust has prompted some soul-searching by the Net engineering community, which realizes that it needs to come up with more surveillance-resistant approaches. This story from Radio Netherlands Worldwide (RNW) provides information about the kind of thing they are working on in one key group, the Internet Engineering Task Force (IETF). It reports on a speech given by the IETF's chair, Jari Arkko, at the recent Internet Governance Forum in Bali, Indonesia.
  • Firstly, the IETF wants to eventually apply encryption to all web traffic. "Today, security only gets switched on for certain services like banking," Arkko explained, referring to IETF-developed standards like SSL -- the little lock that appears in the upper left corner of your browser to secure online purchases. "If we work hard, we can make [the entire internet] secure by default." To this end, the IETF might make encryption mandatory for HTTP 2.0, a new version of the basic web protocol. Secondly, the IETF plans to remove weak algorithms and strengthen existing algorithms behind encryption. This means that the US National Security Agency and other surveillors will find it harder to crack current forms of encryption.
  • Putting that in context, Axel Pawlik, the managing director of Europe's Internet Registry (RIPE NCC), notes that you can never stop surveillance completely, but you can make it more expensive: "You and I have limited resources, and the surveillor has limited resources -- maybe more than we have -- but if millions of users of the internet raise the bar a little bit, the requirements to surveil every little bit of internet traffic would be much higher," he explained to RNW. Mandatory use of encryption helps do that. And here's another good reason for adopting it: The IETF's plans also benefit people who are already encrypting their online activities themselves, argued Marco Hogewoning, technical adviser to RIPE NCC. According to him, these people currently stick out like a sore thumb to the very surveillors they hope to evade.
  • He has a great analogy: "If you see an armoured car now on the street, you know there must be something valuable inside," Hogewoning explained. "If everybody drives around in an armoured car, I can go around and put a lot of effort into breaking into each and every car, and hope I get lucky and find something valuable inside, but it might be empty. If everybody encrypts everything, all you can see is armoured cars." However, valuable as these moves will be in raising the cost of surveillance, there is always the problem of the endpoints: While the IETF might be able to secure the pipes through which users' data travel, users must also be able to trust the parties where their data is stored: software, hardware and services such as Cisco, Gmail and Facebook. These parties can hand over user data directly to government agencies. To address that, technical improvements aren't enough -- we need political solutions, too. Unfortunately, those are rather more difficult to engineer.
  •  
    Oh, goody some more!
Paul Merrell

New IETF Group to Tackle TLS Implementation in Applications | Threatpost | The First St...

  • The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it’s deployed properly, reducing the errors that could make surveillance and other attacks easier.
  • “There is a renewed and urgent interest in the IETF to increase the security of transmissions over the Internet. Many application protocols have defined methods for using TLS to authenticate the server (and sometimes the client), and to encrypt the connection between the client and server. However, there is a diversity of definitions and requirements, and that diversity has caused confusion for application developers and also has led to lack of interoperability or lack of deployment. Implementers and deployers are faced with multiple security issues in real-world usage of TLS, which currently does not preclude insecure ciphers and modes of operation,” the description in the working group’s charter says.
Paul Merrell

Group Thinks Anonymity Should Be Baked Into the Internet Itself Using Tor - Slashdot

  • "David Talbot writes at MIT Technology Review that engineers on the Internet Engineering Task Force (IETF), an informal organization of engineers that changes Internet code and operates by rough consensus, have asked the architects of Tor to consider turning the technology into an Internet standard. If widely adopted, such a standard would make it easy to include the technology in consumer and business products ranging from routers to apps and would allow far more people to browse the Web without being identified by anyone who might be spying on Internet traffic. The IETF is already working to make encryption standard in all web traffic. Stephen Farrell believes that forging Tor into a standard that interoperates with other parts of the Internet could be better than leaving Tor as a separate tool that requires people to take special action to implement. 'I think there are benefits that might flow in both directions,' says Farrell. 'I think other IETF participants could learn useful things about protocol design from the Tor people, who've faced interesting challenges that aren't often seen in practice. And the Tor people might well get interest and involvement from IETF folks who've got a lot of experience with large-scale systems.' Andrew Lewman, executive director of Tor, says the group is considering it. 'We're basically at the stage of 'Do we even want to go on a date together?' It's not clear we are going to do it, but it's worth exploring to see what is involved. It adds legitimacy, it adds validation of all the research we've done.'"
Paul Merrell

Documents Reveal N.S.A. Campaign Against Encryption - Document - NYTimes.com

  • (U) HTTPS – HTTP traffic secured inside an SSL/TLS session, indicated by the https:// URL, commonly using TCP port 443
    (U) IPSEC – IPSec, or IP Security, is the Internet Engineering Task Force (IETF) standard for layer 3 real-time communication security. IPSec allows two hosts (or two gateways) to establish a secure connection, sometimes called a tunnel. All traffic is protected at the network layer.
    (U) SSH – Secure Shell. A common protocol used for secure remote computer access
    (U) SSL – Secure Sockets Layer. Commonly used to provide secure network communication. Widely used on the internet to provide secure web browsing, webmail, instant messaging, electronic commerce, etc.
    (U) TLS – Transport Layer Security. The follow-on to SSL, SSLv3 and TLSv1.0 are nearly identical.
    (U) VoIP – Voice over Internet Protocol. A general term for the using IP networks to make voice phone calls. The application layer protocol can be standards-based (e.g., H.323, SIP), or proprietary (e.g., Skype).
    (U) VPN – Virtual Private Network. A private network that makes use of the public telecommunications infrastructure, maintaining privacy via the use of a tunneling protocol and security procedures that typically include encryption. Common protocols include IPSEC and PPTP.
  •  
    An "example" non-exclusive list of encryption standards that the "patriots" at the NSA have compromised.  Select the "Bullrun Briefing Sheet" tab to view.
Paul Merrell

The US is Losing Control of the Internet…Oh, Really? | Global Research

  • All of the major internet organisations have pledged, at a summit in Uruguay, to free themselves of the influence of the US government. The directors of ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the World Wide Web Consortium, the Internet Society and all five of the regional Internet address registries have vowed to break their associations with the US government. In a statement, the group called for “accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing”. That’s a distinct change from the current situation, where the US department of commerce has oversight of ICANN. In another part of the statement, the group “expressed strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance”. Meanwhile, it was announced that the next Internet Governance Summit would be held in Brazil, whose president has been extremely critical of the US over web surveillance. In a statement announcing the location of the summit, Brazilian president Dilma Rousseff said: “The United States and its allies must urgently end their spying activities once and for all.”