[governance] FW: [Dewayne-Net] IETF sets out to PRISM-proof the Net

michael gurstein gurstein at gmail.com
Thu Oct 31 11:21:29 EDT 2013


From: Richard Forno <rforno at infowarrior.org>
Subject: IETF sets out to PRISM-proof the Net
Date: October 31, 2013 at 8:48:34 AM EDT
To: Infowarrior List <infowarrior at attrition.org>
Cc: Dave Farber <dave at farber.net>

In response to NSA revelations, the internet’s engineers set out to
PRISM-proof the net

Published on: 26 October 2013 - 12:25pm | By Julie Blussé (CC)

<http://www.rnw.nl/english/article/response-nsa-revelations-internet%E2%80%99s-engineers-set-out-prism-proof-net>

Greatly disturbed by the recent revelations of mass internet surveillance,
the Internet Engineering Task Force (IETF) have announced plans to ramp up
online security. You may never have heard of them, but the IETF are the
creators and engineers of the internet’s architecture. Is there a technical
solution to the problem of mass surveillance?

For the IETF, Edward Snowden’s revelations were “a wake-up call,” said Jari
Arkko, the task force’s chair. Arkko spoke at this week’s UN-initiated
Internet Governance Forum in Bali, Indonesia. Surprised by the scale and
tactics of surveillance, Arkko stated the engineers are “looking at
technical changes that will raise the bar for monitoring.”

“Perhaps the notion that internet is by default insecure needs to change,”
he said. The IETF’s will is there, and Arkko believes significant technical
fixes “just might be possible.”

Technical, not political

The engineers of the IETF keep a low profile, but they have been crucial to
creating and setting the standards on which the internet was built, ever
since its birth in 1969. They have developed email, instant messaging, and
many protocols that hide behind acronyms that sound familiar yet mysterious
to most Internet users, like HTTP and TCP/IP.

As the internet evolved from an academic project into a global network, the
role governments and companies played in how it functions grew dramatically.
But the IETF maintained its well-respected role, thanks in part to its
fervently apolitical stance and focus on technical issues.

That focus remains in the current plans to make the internet more resistant
to mass surveillance, Arkko emphasised in an interview with RNW: “This is a
technical, not a political decision.” 

In his speech, Arkko chose his words carefully as he addressed an audience
comprising representatives from governments that perpetrate the same
mass-surveillance he hopes to curtail.

“I do not think we should react to specific cases,” Arkko stated during the
forum’s opening sessions. “But our commerce, business and personal
communications are all depending on the internet technology being secure and
trusted.”

More, new and better security

Ideas about how the internet might be secured against mass surveillance are
currently discussed over the IETF’s publicly accessible mailing lists, to
which anyone can subscribe and contribute. While nothing is set in stone
yet, Arkko sketched out a few of the IETF’s ideas in his public address.

Firstly, the IETF wants to eventually apply encryption to all web traffic.

“Today, security only gets switched on for certain services like banking,”
Arkko explained, referring to IETF-developed standards like SSL – the little
lock that appears in the upper left corner of your browser to secure online
purchases. “If we work hard, we can make [the entire internet] secure by
default.” To this end, the IETF might make encryption mandatory for HTTP
2.0, a new version of the basic web protocol.

Secondly, the IETF plans to remove weak algorithms and strengthen existing
algorithms behind encryption. This means that the US National Security
Agency and other surveillors will find it harder to crack current forms of
encryption.

In other words: the IETF proposes putting locks in more places and making
existing locks harder to pick. If the protocols are applied, intercepting
the traffic between any two points on the internet—the sender and receiver
of an email, the visitor and owner of a website, the buyer and seller of a
product—will be close to impossible.

Starting November 3, the IETF will hold a week of meetings in Vancouver,
Canada to concretise the online security plans in person.

Raising the bar for surveillance

The IETF is confident that their plans will make a difference, but what do
other experts on the internet’s technical infrastructure think?

Axl Pavlik, managing director of Europe’s Internet Registry (RIPE NCC),
is guardedly optimistic. 

“It wouldn’t stop the problem, but it would make the effort [of
surveillance] more expensive.”

Pavlik likens the plans to a successful countermove in an indefinite arms
race between internet users and snoopers.

“You and I have limited resources, and the surveillor has limited resources
– maybe more than we have – but if millions of users of the internet raise
the bar a little bit, the requirements to surveil every little bit of
internet traffic would be much higher,” he explained to RNW.

The IETF’s plans also benefit people who are already encrypting their online
activities themselves, argued Marco Hogewoning, technical adviser to RIPE
NCC. According to him, these people currently stick out like a sore thumb to
the very surveillors they hope to evade.

“If you see an armoured car now on the street, you know there must be
something valuable inside,” Hogewoning explained. “If everybody drives
around in an armoured car, I can go around and put a lot of effort into
breaking into each and every car, and hope I get lucky and find something
valuable inside, but it might be empty. If everybody encrypts everything,
all you can see is armoured cars.”

Take it or leave it

Yet while the IETF can propose standards and protocols, it has no power to
enforce their adoption. The onus to adopt the standards lies with the
software developers who make browsers and web servers, as well as website
owners, and everyday internet users who need to heed browser updates.

“It’s a great initiative,” said Gillo Cutrupi, a digital security trainer at
Tactical Tech. “But if it’s not adopted, it’s just a piece of paper.”

A standard like HTTPS, for instance, can already be applied by every website
to improve security. Cutrupi explains that many websites unfortunately still
make use of unsafe options.

Such options might be popular because they are easier to use. Some websites
don’t care for security, and ignore the standard; Yahoo Mail will only make
HTTPS encryption the default setting starting January 2014.

Yet Arkko, the IETF chair, doesn’t see universal adoption as a big hurdle.
“I have no worry about that,” he said. “Our standards are very widely
applied.”

He stressed that in addition to increased security, newer standards offer
multiple advantages.

“HTTP 2.0 has many other improvements.” In one example, he pointed out that
“for the users, websites would load faster.”

These improvements would no doubt serve as an incentive for websites to
implement the new protocol.

The end point of trust

Yet one major caveat remains. While the IETF might be able to secure the
pipes through which users’ data travel, users must also be able to trust the
parties where their data is stored: software, hardware and services such as
Cisco, Gmail and Facebook. These parties can hand over user data directly to
government agencies.

Arkko stressed the limitations of what the internet’s engineers can do. “We
are trying to do as much as we can,” he explained, “which will help
situations where there’s someone in the network monitoring you. It will not
help situations where someone has direct access to your email provider.”

Axl Pavlik identifies the problem of trust at another level altogether.

“In the end, it’s down to public policy, governments, secret services. And
maybe the secret court orders to release a key [which] we will never know
about. That shatters the trust of the internet as we know it. That’s the
very bad situation that we need to get out of.”
