Did you know that yesterday, 23 August 2013, was the World Wide Web’s birthday? It is 22 years and one day since the official Internaut Day – the day when Sir Tim Berners-Lee opened up the web to new users and kicked off a global communications revolution.
How fitting, then, that it was in the web’s 21st year, the year that traditionally signals the final transition from innocence to maturity, that the scales fell from our eyes and we began to understand the vast scope and ambition of government internet surveillance.
If the Internet Engineering Task Force has its way then it may also become known as the year when we began to toughen up and make a web that’s fit for a grown-up world.
The IETF are a highly respected group of engineers who produce recommendations and standards for how various aspects of the internet should work.
One of those standards is the Hypertext Transfer Protocol (HTTP), which defines how web browsers and web servers should communicate with each other.
A working group from the IETF recently met in Berlin to talk about the design of HTTP 2.0, the first update to the web’s fundamental protocol since 1999, and dealing with surveillance was at the top of their agenda.
Their minutes attest to the new reality – “There is new information; there are widespread deployments of sniffers”.
Speaking to the Financial Times, IETF member Mike Belshe reflected the sober mood:
“There has been a complete change in how people perceive the world ... not having encryption on the web today is a matter of life and death”
As you would expect from Belshe’s comments, the discussion on how to deal with government surveillance centres on the use of encryption. That’s because anything that isn’t encrypted can be intercepted and read.
The version of HTTP that’s in use today, version 1.1, leaves the decision about what does and does not need to be encrypted to whatever website you are using (and, of course, the organisation behind it).
Encrypted HTTP, known as HTTPS, requires more computing power, is slower and is more complex to set up than plain vanilla HTTP.
Organisations generally limit its use to pages dealing with sensitive data like passwords and credit card numbers.
That approach is an acceptable trade-off when you’re trying to protect yourself from thieves, but it’s of little use in guarding against all-pervasive snooping.
The IETF’s response to the threat of surveillance is simple: there should be ‘equal power’ between you and the website you are using so that either party can require that encryption is used.
The recommendation appears to have wide support in the working group so there is every reason to expect that this is indeed how HTTP 2.0 will be implemented.
If it is, then it will fundamentally change the relationship between browsers and websites.
In the future all websites would have to be capable of offering encryption and you would be able to use it whenever and wherever you like.
There are limits to the reach of this scheme, of course.
The first and most serious is that this proposal concerns the privacy of your information while in transit, not once it gets there.
There is nothing that the IETF or their protocol can do to stop a website from offering up your data to the NSA after it has received and decrypted it.
And of course this elegant solution won’t appear overnight.
The specification for HTTP 2.0 won’t be finalised until the end of 2014 and there are serious technical obstacles that will need to be overcome between now and then.
We may have to wait until the web is in its late twenties or older before we see HTTP 2.0 widely deployed and we can expect that both websites and web browsers will offer fall-backs to HTTP 1.1 for a long time yet.
But every revolution starts somewhere and it’s not just Sir Tim’s baby that’s growing up fast; browser vendors now compete based on their privacy features.
Web giants like Google, Facebook and Twitter are leading a charge towards increased use of HTTPS so there’s every reason to hope that the next version of the web will find itself in mature company.
And the SSL certificates don't help if you are being man-in-the-middled by your own employer, with certificates being re-written on the fly with the same subject name but their own trusted signing cert. Detectable, yes, if you read the cert chain, but since it pops no warning, not by the average user.
Unless you are using a browser which implements cert pinning, such as Chrome or (soon) Firefox.
But of course if your employer can add roots to the local store on your machine, they could also change the pins. Basically, if you don't trust people with access to your machine, you are unwise to use it for anything sensitive.
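The scenario discussed in the comments above, reproduced offline with openssl as an added example (not part of the original article or comments): two locally generated roots issue certificates for the same constructed subject, and a public-key pin check flags the re-signed one even though its chain validates against the local store. The host name www.example.test, the CA names and all file paths are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally.
set -e
WORK=$(mktemp -d)

# make_ca NAME: self-signed root standing in for a trusted signing certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST OUT: new key pair for HOST, certificate signed by CA.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$3.pem" 2>/dev/null
}

# spki_pin CERT: base64 SHA-256 of the certificate's public key (the pinned value).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# chain_ok STORE CERT: succeeds if CERT chains to any root in STORE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# check CERT STORE PIN: what a pinning client concludes about a presented cert.
check() {
    chain_ok "$2" "$1" || { echo "untrusted-chain"; return; }
    if [ "$(spki_pin "$1")" = "$3" ]; then echo "ok"; else echo "pin-mismatch"; fi
}

make_ca public-ca
make_ca employer-ca
issue_leaf public-ca www.example.test genuine
issue_leaf employer-ca www.example.test rewritten   # same subject, different signer
# Local trust store with the employer root added alongside the public one.
cat "$WORK/public-ca.pem" "$WORK/employer-ca.pem" > "$WORK/store.pem"
PIN=$(spki_pin "$WORK/genuine.pem")                 # pin recorded from the genuine cert

for c in genuine rewritten; do
    openssl x509 -in "$WORK/$c.pem" -noout -subject -issuer
    echo "$c: $(check "$WORK/$c.pem" "$WORK/store.pem" "$PIN")"
done
```

Both certificates print the same subject and differ only in issuer, which is the difference a reader of the cert chain would have to notice by hand.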
Living in the UK, come HTTP 2.0, I'll be able to hide my interest in Scrabble and blues dancing from the NSA and GCHQ (perhaps) but if I lived in an oppressive regime that already blocks access to certain websites, no doubt they will also block encrypted traffic. To be really effective, encryption needs to be built-in, not opt-in.
Elliot
UK has more CCTV cameras per capita than any country in the world – smile 🙂
HTTPS Everywhere!
https://www.eff.org/https-everywhere
There is nothing that the IETF or their protocol can do to stop a website from offering up your data to the NSA after it has received and decrypted it.
Is there an echo in here?
I think Jorge's point is nothing the IETF proposes or implements will stop governments from circumventing or otherwise trampling on individual rights if it suits their agenda. Big Brother is alive and well and getting even bigger and more intrusive.
Hi Ben, Jorge's point is a verbatim quote from my article:
"There is nothing that the IETF or their protocol can do to stop a website from offering up your data to the NSA after it has received and decrypted it."
We've arrived at a very scary place. You can't trust the servers you're sending data to not to spy on you (for their economic gain and/or on behalf of governments). You can't trust that someone isn't snooping on the transport media. And you can't necessarily trust that your own computer is free from infection, since most are very quiet and very evasive. We've allowed the greatest tool for communication and potential openness ever built to become the equivalent of a dive bar. Actually, the bar might be more private because of the loud music. What we really need is a way of establishing trust between all parties involved with the traffic, and a culture which values that.
I'm with Elliot. In the sense that the NSA can now see my Scrabble games and see my emails of high scores I send on Facebook and email. I welcome HTTP 2.0 because at least it's some part of a hopeful resolution. We've already seen the internet landscape without security. How's that been working out?