IETF Begins To Work On Designing A Surveillance-Resistant Net
from the but-that's-the-easy-bit dept
Edward Snowden’s leaks show that the NSA and GCHQ have been systematically subverting key technologies that underlie the Internet. That betrayal of trust has prompted some soul-searching by the Net engineering community, which realizes that it needs to come up with more surveillance-resistant approaches. This story from Radio Netherlands Worldwide (RNW) provides information about the kind of thing they are working on in one key group, the Internet Engineering Task Force (IETF). It reports on a speech given by the IETF’s chair, Jari Arkko, at the recent Internet Governance Forum in Bali, Indonesia.
Firstly, the IETF wants to eventually apply encryption to all web traffic.
“Today, security only gets switched on for certain services like banking,” Arkko explained, referring to IETF-developed standards like SSL — the little lock that appears in the upper left corner of your browser to secure online purchases. “If we work hard, we can make [the entire internet] secure by default.” To this end, the IETF might make encryption mandatory for HTTP 2.0, a new version of the basic web protocol.
Secondly, the IETF plans to remove weak algorithms and strengthen existing algorithms behind encryption. This means that the US National Security Agency and other surveillors will find it harder to crack current forms of encryption.
Putting that in context, Axl Pavlik, the managing director of Europe’s Internet Registry (RIPE NCC), notes that you can never stop surveillance completely, but you can make it more expensive:
“You and I have limited resources, and the surveillor has limited resources — maybe more than we have — but if millions of users of the internet raise the bar a little bit, the requirements to surveil every little bit of internet traffic would be much higher,” he explained to RNW.
Mandatory use of encryption helps do that. And here’s another good reason for adopting it:
The IETF’s plans also benefit people who are already encrypting their online activities themselves, argued Marco Hogewoning, technical adviser to RIPE NCC. According to him, these people currently stick out like a sore thumb to the very surveillors they hope to evade.
He has a great analogy:
“If you see an armoured car now on the street, you know there must be something valuable inside,” Hogewoning explained. “If everybody drives around in an armoured car, I can go around and put a lot of effort into breaking into each and every car, and hope I get lucky and find something valuable inside, but it might be empty. If everybody encrypts everything, all you can see is armoured cars.”
However, valuable as these moves will be in raising the cost of surveillance, there is always the problem of the endpoints:
While the IETF might be able to secure the pipes through which users’ data travel, users must also be able to trust the parties where their data is stored: software, hardware and services such as Cisco, Gmail and Facebook. These parties can hand over user data directly to government agencies.
To address that, technical improvements aren’t enough — we need political solutions, too. Unfortunately, those are rather more difficult to engineer.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: ietf, nsa, privacy, surveillance, surveillance-resistance
Comments on “IETF Begins To Work On Designing A Surveillance-Resistant Net”
The right direction
The IETF is clearly thinking about the right things and heading the right way. It appears to be intent on ensuring the Internet is available for people first.
I expect that in the next few years “safe” countries will emerge, that are happy to treat your private data as private. Those countries will end up housing a lot of data that to date, and through no ability for the user to choose, has been stored quite insecurely.
Government agencies, on the other hand, are going to find this new world quite frustrating. Swiss banks have in the last few decades finally allowed “law enforcement” agencies to see who owns deposits; I expect that trend to be reversed when it comes to data. Governments will find that companies are not always prepared to just hand over the keys to personal data – and I expect there will be court cases that punish companies for not protecting their customers. At the moment there is no incentive for companies to keep customer data private – but enforcement of existing laws in the EU and elsewhere are likely to create some very strong reasons for protection of personal details.
It will take time, but we are likely to end up not only with a more secure Internet but with more personal freedom and privacy as a result of the Snowden Affair (film rights currently being negotiated).
When even in democracies, people have to work to protect themselves from their governments, then something is wrong; like the lack of candidates that actually support the ideals of democracy.
Re: Re:
Or perhaps that the politicians think of themselves as the masters, instead of the servants of the people they should be.
I have no idea how they plan to implement this. The layers below the application layer need to be sent in the clear, or else you can’t route anything on the internet. So that part will always be open to surveillance (or “metadata collection”, as the NSA likes to call it).
Encryption, I believe, can only be done in the application layer…which means that applications themselves (read: application developers) are the ones that need to set-up an encrypted channel.
Most developers don’t bother: Security isn’t a sexy feature.
Any way, implementing encryption in any other layer seems improbable, especially in light of the issues with IPv6 adoption.
Re: Re:
Do not underestimate the power of defaults.
As far as I know, HTTP 1.x can be silently upgraded to HTTP 2.x. If HTTP 2.x has encryption by default, given how much of the total Internet traffic is HTTP, a lot more of the Internet traffic can be encrypted without bothering the user.
Re: Re:
Nope. It can be done at the Transport level, too. The genius Dan Bernstein even has a working protocol since a few years ago:
http://curvecp.org/
He’s also talking about it here:
http://www.youtube.com/watch?v=K8EGA834Nok
It can be done with virtually no effect on performance on the web (basically like ECDHE works now, which only adds 15 percent performance overhead, which is nothing considering the HUGE benefit of encrypting every web session with a NEW KEY).
I think he talks about IPv6 in the video, too, and it’s only because they screwed up its design, the reason why it’s so needlessly complex. But I’m sure a new one could be designed to work much better, and be more secure.
But that shouldn’t be the goal right now. First we need to replace TCP with something like CurveCP, and then we can see about the IP layer, too.
So the goals should be like this:
1) 1-2 years – everyone adopts HTTP 2.0, ECDHE, DarkMail, OTR, and other such protocols that can even be implemented “tomorrow”, if there’s the will
2) 5-7 years replace TCP with CurveCP or similar protocol that encrypts all packets on the web with ephemeral keys
3) 10-15 years replace IPv6 with a new encrypted IP level protocol
The certificate authority mess will also need to be fixed, but I don’t have readily available solutions, other than adopting certificate pinning immediately in all browsers. But we’ll need to rethink that whole model, too, in the net 5-10 years, and the whole model for DNS, too, to prevent censorship (maybe something like Dan Bernstein’s DNSCurve – http://dnscurve.org/)
Re: Re: Re:
2. You clearly haven’t got the slightest idea how long it takes to actually deploy things in the real world.
Re: Re: Re:
1) 1-2 years – everyone adopts HTTP 2.0, ECDHE, DarkMail, OTR, and other such protocols that can even be implemented “tomorrow”, if there’s the will
2) 5-7 years replace TCP with CurveCP or similar protocol that encrypts all packets on the web with ephemeral keys
3) 10-15 years replace IPv6 with a new encrypted IP level protocol
I like where this is going, but the danger in all of this is that the network itself will still exist physically in the realm where the bad guy (be they government, corporation, or rogue party,) has access to the backbone and can store data from or deny service to.
Of course, to fix this, there will be a hell of a lot more latency (putting the infrastructure on a satellite or blimp will take it out of the hands of bad actors, but will increase the latency to painful levels.
Then again, putting the infrastructure on satellites may make it easier for us to move to the eventual (hopefully) network infrastructure that covers the solar system.
Re: Re: Re:
I was not aware of that protocol.
I’ll read up on that, thanks.
But you will still have a problem.
IPv6 is being adopted because it solves a real, catastrophic problem: the exhaustion of IP addresses. But even here, the problem is being patched up with NAT (and NAT over NAT, over NAT, ad nauseum), not because adopting IPv6 is a particularly complicated problem but because it is cheaper this way.
NAT is handled at the OS (more precisely, kernel) level. I’ve managed a few networks with NAT in Linux, and setting them up is just a matter of configuring IPTables (which translates into to hours of reading the manual and pulling your hair out and about 10 minutes of actually doing it).
In short, why would you spend millions of dollars replacing hardware when you can just get your sysadmin to patch everything to work with NAT? As long as this option is viable, companies will continue to drag their feet.
CurveCP will have exactly the same problem, but worse: there’s no practical (read: profitable) advantage in adopting it.
This is why I believe that encryption will, for many decades to come, by confined to the application layer.
Good move, but not NEARLY enough to make a “surveillance resistant net”.
They need to start working on a new Transport layer protocol, that encrypts every packed on the web automatically (not just at the application level like HTTP, but the Transport level). Something like CurveCP, although I wouldn’t mind if they develop something even better. It should definitely contain “very” ephemeral keys, too.
http://curvecp.org/
Then after they do that (which could take a few years), start working a new highly encrypted IP protocol, too, to replace IPv6, although I know this one will be even slower to be adopted, but it would still be good to start thinking about it now, finish it in about 10 years, and then adopt it in 10 years more.
Just make sure they are both quantum-proof, too, because we might get quantum computers to break asymmetric cryptography any day now.
The only possible route is Populist: anti-corporatist and anti-Rich.
“To address that, technical improvements aren’t enough — we need political solutions, too.”
Political solutions must entirely oppose the wrong morality of The Rich and their corporations, else ALL fixes are complete non-starters. They’ve designed the current Internet exactly for control and aren’t going to change the basics: it’s THE 1984 telescreen system, monitoring you constantly.
But you all seem so steeped in corporate myths that you believe Google and Facebook are your friends, not electronic minders reporting all that you do to Big Brother, while bombarding you with just the “news” and advertising that Big Brother approves you to see.
Why don’t you kids recognize the simple outlines of corporatized tyranny? — Get your minds off playing violent video games and in every way just QUIT participating in the destruction of society. You are NPCs, or red-shirts at best: only role in the plot is to be doomed. — And why do I bother writing here when the only hopeful sign of late here is some alleged ACs (probably regulars not signed in) telling me it’s futile? [Heh, heh. Because I like telling the truth as I know it, and seeing what response it elicits.]
Re: The only possible route is Populist: anti-corporatist and anti-Rich.
So the NSA spies, and somehow corporations are to blame? You are a broken record. Corporations don’t care what you do. They just want to sell you stuff. If you don’t like them, you can “vote them out” by not buying their stuff.
The real problem is governments. We give them too much power, and then we wonder why they abuse it. Only an idiot would claim, “Yes, but if we could just vote the right people in office, everything would be perfect.” It will never happen. Governments must be starved, lest they get out of control. It is almost too late for the US, seeing how useless Obama is in controlling the beast at his feet.
Re: Re: The only possible route is Populist: anti-corporatist and anti-Rich.
@ChrisB,
uh, governments are pretty much owned by the corporations and it’s well nigh impossible to vote with your wallet unless you are rich enough to get around enough to shop around.
When the Walmart workers went on strike all the talk was about how people were afraid the price of their groceries would go up if the minimum wage went up or the workers there were paid better.
Wallet votes are garnered not by principles but by prices, and may I remind you all that Walmart enjoys some unfair advantages, including massive tax breaks and government-granted incentives. How the hell can you beat that?
Do you really think the corporations would simply fade away if governments did? Really?
No, they wouldn’t. And good luck with voting with your wallet when they finally complete their project of eroding our rights, gutting our wealth, and locking us out of the decision-making process over how our resources are used.
Re: The only possible route is Populist: anti-corporatist and anti-Rich.
Because I like telling the truth as I know it….
Yes and we all know that your grasp of what is actually the truth is bit murky at best.
By the way, are you ever going to answer my questions concerning the specifics of your “tax the hell out of the rich” notion?
Or will you keep on yelling your rallying cries that lack any substance?
a democracy is like a racing engine in that it must constantly be kept in tune or it will quickly go afoul.
it’s the finest thing going when it works, but it quickly stinks up the place if left to its own devices.
we’ve never seen that more clearly than what we are seeing right now, and the amazing thing is that, republican or democrat or whatever, virtually all politicians appear to have the same drive to subjugate.? they only disagree on details.
we’re at a crux moment here, and the opportunity for the nation to assert itself or thoroughly submit to the yoke is at hand.? if we, the people, don’t rise up and smite these offenders and usurpers, we damn this democracy to disgrace and ruin.? our forefathers will have been fools to attempt what they so boldly brought to bear, and those americans who opposed our declaration of freedom will have been right.
Wouldn’t it be possible to have a special kind of encryption technology where each individual kind of self-creates their own unique encryption packet for each data transfer? Instead of directly sending/receiving data from Point X to Point Y, X must first request an encryption package from Y. Y creates unique encryption package with its own unique coding which is then sent to X. It gathers the relevant data and encrypts it, kind of like storing a letter or other article in a special envelope, then sends it back off to Y for encryption.
Re: correction to the end
…then sends it back off to Y who then interprets the data.
Re: Re:
Please read up on how modern cryptography works, your terminology is all confused.
If I understood what you meant correctly, that is already done in most online cryptography protocols. The sender negotiates an encryption key and encryption parameters with the receiver first, and then uses the negotiated values to encrypt the data it sends.
And do not forget that encryption is only half of the problem. The other half is authentication, which allows the receiver to be sure that the data came from the sender. Encryption without authentication is vulnerable to several attacks. Again, all good online cryptography protocols include both encryption and authentication.
Re: Re: Re:
In other words, the problem is beyond my comprehension. Oh well, you lose nothing by trying.
Re: Re: Re: Re:
It’s not beyond your comprehension at all. You stated the problem and solution very well. And, as the AC pointed out, this is exactly how public key encryption works.
Re: Re: Re:2 Re:
Still, maybe if the encryption were somehow able to be randomly generated per data tranfer, that might work. That way, even if it’s intercepted, it would take tremendous time, skill and effort to decrypt each individual data transfer.
cracked keys
maybe in the European union but Chase, boa and US bank all changed policies in late 2012 to mid 2013. problems associated with trust encryption are no longer protected by most bank credit cards and online transactions
Wonderful.
Well it’s time someone got to it. The internet has failed to deliver a surveillance-resistant net that can actually be used by a standard user so far.
Something could conceivably be hacked up by now, like by using a web-facing gateway to .bit addresses to sites hosted in node.js servers distributedly.
Of course I expect the IETF to get that standard not only designed, but actually implemented in every net-using device.
Free Mesh Networks.
We’ve had the tech available to us for years now, if not decades.
We’ve become so addicted to the idea of firewalls and isolated WLANs being a necessity that we’ve failed to see the alternative.
Right now our internet is proprietarily routed. Proprietary not in that the protocol is secret, but rather proprietary in that the path between geographical neighbors almost always includes long trips through the infrastructure to centralized datacenters. In other words, an infrastructure-centric network.
We need to turn this paradigm on its head and create a peer routed mesh. NOT as a primary “go to” destination in and of itself as the current internet is, but rather as a new kind of community interconnectivity.
I recognize the obvious utility of firewalls. But we’ve lost some amazing potential technologies by not creating a network which was node-aware and even node-centric instead of infrastructure-centric.
First and foremost, we lack the ability to put up an antenna and connect and network with those nearest us, for free, at whatever data rate such peer routed interconnect could achieve.
Such a paradigm doesnt need to be solely for the purpose of routing or wireless transport. Imagine that youve just moved into a new high rise with ethernet wiring between all apartments. And imagine for simplicitys sake that each floor has its own switch and that all units share a single subnet.
Under the current paradigm, plug in your computer and – security considerations aside – all you get is an internet connection. Whether you have a router or a software firewall, you are protected against exchanging any unwanted traffic with others on the subnet.
But turn this around and think of the possibilities of exposing a few ports. Imagine plugging in your ethernet and suddenly your “network neighborhood” shows an icon for each other apartment, depending on their privacy settings. Each node could have its own profile page, message queue, instant messaging, file transfer, even the ability to coordinate VLAN’s for gaming.
The protocols to create such a user experience for the most part already exist in one form or another, though it might take some rethinking to decentralize functions such as email, profile pages, and instant messaging.
We could even implement a type of community DNS, managed by committee, for such a context.
The one stumbling block I see to all of this is the currently extensive use of private ipv4 subnets and NAT. For such a network architecture to truly be scalable beyond high rises to neighborhoods and cities, we’d need something like ipv6, and lots of MIMO devices. Hackerspaces or other volunteer organizations could handle neighborhood to neighborhood backhauls.
I see a few projects edging their way in this direction. One is the Hyperboria Project. Another is the The Free Network Foundation..
As far as I’m concerned the ultimate goal should be to enable a nationwide or even global networking paradigm where all someone has to do to join the network is to put up an antenna and begin networking with ones neighbors.