Responding to reports of mass surveillance, engineers say they’ll make encryption standard in all Web traffic.
In response to the public outcry over mass Internet surveillance by the National Security Agency (NSA), the engineers who develop the protocols that underpin the Internet are deep into an effort to encrypt all Web traffic, and expect to have a revamped system ready to roll out by the end of next year.
The effort, by the Internet Engineering Task Force, or IETF, an informal organization of engineers that changes Internet code and operates by rough consensus, involves HTTP, or hypertext transfer protocol, which governs information exchanges between the Web browser on your phone and computer and the servers that hold the data of the website you are visiting.
Leaked documents brought to light by former NSA contractor Edward Snowden suggest the NSA routinely harvests and stores huge amounts of information from major cloud computing platforms and wireless carriers. Today, much of the Web traffic between your device and Web server is not encrypted unless websites choose to use a variant of the HTTP protocol called HTTPS—which includes an encryption step, called transport layer security. This is commonly used by banks, e-commerce sites, and by some big sites, including Google and Facebook. (If a website’s address starts with “https://” it already uses encryption.)
The IETF change would introduce encryption by default for all Internet traffic. And the work to make this happen in the next generation of HTTP, called HTTP 2.0, is proceeding “very frantically,” says Stephen Farrell, a computer scientist at Trinity College in Dublin who is part of the project.
The hope is that a specification will be ready by the end of 2014. It would then be up to websites to actually adopt the technology, which is not mandatory.
Many experts have pointed out that mass Internet spying is done in part because it’s so easy to do. Some argue that making life a little harder for agencies like the NSA may make them focus on legitimate national security targets rather than scooping up everything and asking questions later (see “Bruce Schneier: NSA Spying Is Making Us Less Safe” and “NSA Leak Leaves Crypto Math Intact but Highlights Known Workarounds”).
“I think we can make a difference in the near team to have Web and e-mail encryption be ubiquitous,” Farrell says.
Indeed, an even nearer-term step the IETF is taking, he says, involves beefing up security in e-mail and instant message traffic—two key targets for dragnet surveillance. Right now, protocols exist to encrypt these communications as they make several hops: first from your device to your e-mail provider, then to the recipient’s e-mail provider, and finally to the recipient’s phone or computer.
The problem is that often the protocols needed for encryption are not set correctly and then don’t work between different e-mail servers, such as those of small organizations, or when they hop between big encrypted services like Gmail and that of a small company or institution.
When this happens, your e-mail winds up being sent “in the clear” because e-mail protocols elevate actual delivery over all other concerns, including whether or not the encryption actually was working. “I think we can do better on that,” Farrell says, to make the setup easier and verifiable.
In some ways this is an about-face, because a year and a half ago a group within the IETF had decided against adding encryption by default in HTTP. Part of what makes the task hard, Farrell says, involves the static portion of Web pages that are “cached,” or stored on local servers nearer to the user.
Caching is problematic because the cached content sits between the browser and the server, and it is typically kept “in the clear”—or unencrypted—so it can be identified. By its nature, encryption makes every piece of content appear unique. “The issue is, if you turn on the crypto, you make it harder to do that caching,” Farrell says. “And the technical challenge is, how do we get the security benefit and keep the caching benefit? That’s being worked on.”
A range of other potential technical avenues for tightening up Internet privacy was outlined in a recent blog by Tim Bray, who helped develop several key Web protocols and now works at Google. He attended an IETF meeting last week in Vancouver (see “Time for Internet Engineers to Fight Back Against the Surveillance Internet”).
Bray did not reply to an interview request but outlined the relevance of these efforts in his post. “At the end of the day this is a policy problem [and] not a technology problem; but to the extent that anything can be done at the technology level, a lot of the people who can do it are here,” he wrote, referring to the engineers and browser makers attending the IETF.
Indeed, Jari Arkko, the IETF chair and an expert on Internet architecture with Ericsson Research, says that nobody should harbor illusions about technical quick fixes. “I need to be honest and open—technology is only part of the issue here,” he says.