IETF discusses new security measures at Berlin meeting

Security Technology

"Not having encryption on the web today is a matter of life and death," is how one member of the Internet Engineering Task Force - IETF (the so-called architects of the web) described the current situation. As the FT reports [5], the IETF have started to fight back against US and UK snooping programs by drawing up an ambitious plan to defend traffic over the world wide web against mass surveillance. The proposal is a system in which all communication between websites and browsers would be shielded by encryption. While the plan is at an early stage, it has the potential to transform a large part of the internet and make it more difficult for governments, companies and criminals to eavesdrop on people as they browse the web. "There has been a complete change in how people perceive the world," since Snowden exposed the NSA's massive surveillance efforts, and while "not a silver bullet," the chief technologist at security firm RSA notes, "anything that improves trust in this digital world is a noble aim."

Via The FT [5],

Key architects of the internet have started to fight back against US and UK snooping programmes by drawing up an ambitious plan to defend traffic over the world wide web against mass surveillance.

The Internet Engineering Task Force, a body that develops internet standards, has proposed a system in which all communication between websites and browsers would be shielded by encryption.

While the plan is at an early stage, it has the potential to transform a large part of the internet and make it more difficult for governments, companies and criminals to eavesdrop on people as they browse the web.

“There has been a complete change in how people perceive the world” since whistleblower Edward Snowden disclosed the extent of US surveillance programmes earlier this summer,

The IETF push for greater use of encryption comes alongside calls from top internet and privacy groups for fundamental reforms of the laws governing the web. In a letter to the FT published this weekend, top groups including web founder Tim Berners Lee’s World Wide Web Foundation call for a “reform of the status quo” online.

“Online privacy is being eroded at a breakneck speed by blanket surveillance, and unless steps to reform are taken immediately, the notion of free and secure online communications will be relegated to the annals of history,” they write. “Blanket government surveillance by default, with laws enforced in secret, will always be unacceptable.”

At its conference in Berlin this month, IETF members reached “nearly unanimous consensus” on the need to build encryption into the heart of the web.

Further Reading:

IETF – Berlin meeting did not overlook mass surveillance

06 Aug 2013 by Monika Ermert on surveillance

When the Internet Engineering Task Force (IETF) decided to go to Berlin for its 87th meeting, Edward Snowden was still an employee of Booz Allen Hamilton working for the National Security Agency. But while close to 1,600 internet engineers and researchers were gathered there last week, The Guardian had just published one more slide deck on how US-style mass surveillance is organised. Will the revelations influence the IETF's work? Listening to the debates and to individual engineers, the answer is yes and no.

For the first four days, the Berlin IETF meeting worked just as it always has: dozens of working groups discussing the latest additions to the basic protocols that made the IETF one guardian of the internet, the Internet Protocol (IP) and the Transmission Control Protocol (TCP).


For years some observers have warned that ever more fancy new knobs built on top of existing protocols only add complexity. The regular lunch briefing of the Internet Society, the organisational umbrella and to a large extent also the financial backer of the IETF, touched on that very issue: step by step, complexity is starting to beat bandwidth as the number one limiting factor for good user experience.

Updates to the ‘http’ web protocol (together with the World Wide Web Consortium) or the seamless integration of services into the one-stop-shop internet browser in the Web Real Time Communication working group (WebRTC) are supposed to “make the internet better” - that is the motto of the organisation. WebRTC, for example, has pushed for a new, potent open source audio codec (OPUS) where other codecs are mostly proprietary, and hopes to do the same for video. In Berlin the WebRTC group also pushed back against adding a technical specification that would allow an easier, but less privacy friendly, key exchange for browser-to-browser calls.

Crypto expert Eric Rescorla (an author of the stronger encrypted variant, DTLS-SRTP) warned that letting “private keys be stored by the providers themselves, especially for enabling ‘out’ calls to fixed network or mobile phones from the browsers (like Skype Out calls)” would allow for easy passive and retroactive snooping.

Rescorla, also an author of the Transport Layer Security technology that secures packets going over the wire against surveillance, included extracts from the NSA's XKeyscore surveillance programme in his presentations, illustrating the need for the strongest possible cryptography.


At its Danvers, Massachusetts, meeting some ten years ago, the IETF had pushed for cryptography, said the Chair of the Internet Architecture Board, Russ Housley, in one of the rare press conferences of the standardisation body during the Berlin meeting. “We also said it would be strong, not weak cryptography.”


A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the internet. An RFC is authored by engineers and computer scientists in the form of a memorandum describing methods, behaviours, research, or innovations applicable to the working of the internet. It is submitted either for peer review or simply to convey new concepts and information. Some of the proposals published as RFCs are adopted by the IETF as internet standards.

Source: Wikipedia.

The so-called Danvers Doctrine was explained in an informational Request for Comments (RFC), which noted that “although the immediate issue before the IETF was whether or not to support ‘export’ grade security (which is to say weak security) in standards, the question raised the generic issue of security in general. The overwhelming consensus was that the IETF should standardise on the use of the best security available, regardless of national policies.” The RFC also underlined that confidentiality might not be a must for every communication – or protocol – but that everybody should be able to use it without being an expert.

The rejection of “weak cryptography” for potential adversaries (or competitors) outside the US was not welcomed by all US agencies, Housley said. Despite that doctrine, US agencies clearly still have strong ties to the IETF. Housley himself, a security expert, was sponsored for his terms as IETF Chair by the NSA.

So the tension between the interests of individual users – including their growing privacy interests – and those of law enforcement agencies, especially in the US, has always been there. Only in post-Snowden times, the attention may be greater. “People might start to think more carefully about the designs and also about their employers or institutional customers,” W3C privacy expert Wendy Seltzer said in Berlin.


“We know they can get virtually everything. The question is what do we do?” was the conclusion of Randy Bush, a long-time IETF participant and routing expert at Internet Initiative Japan, in a discussion between IETF security people and Tor developer Jacob Appelbaum.

Bush recommended raising the bar for spying on communication by simply making it more difficult and thereby much more expensive. Hard encryption in as many places as possible on the net certainly helps, said Appelbaum, who came to the IETF for the first time to present the work of the Tor project, a multi-million dollar project devoted to that very aim.

The Tor browser bundle, for example, allows users to anonymise their surfing on the net. Tails is a free operating system that routes all traffic over the Tor network. Using these privacy friendly free and open source tools would also be a first step away from those services and providers (like Microsoft, Google and others) that are compromised either for so-called state security reasons or for plain commercial profiling reasons.

One problem for the Tor network certainly is that the more people use it, the more distributed Tor servers are needed, in order to help blur the traces and also to stem a potential attack from agencies that could consider infiltrating the network. To promote Tor and call for support from the technical community was certainly one reason for Appelbaum to come to the IETF. In several sessions, including the open session of the IETF's Security Area, the Tor representatives and IETF participants discussed the next steps to take in order to offer an alternative to mass surveillance.

Appelbaum called on the technical community to make strong encryption – using elliptic curve algorithms – with ephemeral keys a must for traffic on the net.

Other things are on the way: for example, a much stronger inclusion of privacy considerations – as an aspect of security considerations – into technical design work at the IETF, or a draft document that calls for certificate transparency. Some call these efforts baby steps.

Mandating strict security for just about every http connection recently failed. It is still only an option, which leaves it to operators and users to implement. To pave the way for more security and confidentiality on the net, the IETF should consider not only privacy by design but privacy by default, Bush said. The Tor team at the same time recommended making surveillance more visible by analysing the mechanics and the instances of spying on communication. Tor campaigner Linus Nordberg said: “When all the pizzas are going to the Pentagon, you know you are at war.”
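The two points above, ephemeral elliptic-curve key exchange and strict transport security that operators must still opt into, can be checked from the defender's side. The Python below is an added example written for this page, not code from the article, the IETF or the Tor project. It assumes, as its reading of the paragraph, that the opt-in "strict security" mechanism is the HTTP Strict-Transport-Security header; `ephemeral_only_context()` builds a client TLS context that only offers (EC)DHE suites, `is_forward_secret()` classifies OpenSSL suite names, and `hsts_status()` grades a response's Strict-Transport-Security header. The suite names and header values in it are constructed samples.

```python
import ssl

# Constructed sample cipher-suite names (OpenSSL naming), not from the article.
# The first list uses static RSA key exchange: a recorded session can be decrypted
# later if the server's private key is ever obtained. The second list negotiates
# a fresh (EC)DHE key per session, so old captures stay opaque.
STATIC_RSA_SUITES = ["AES128-GCM-SHA256", "AES256-SHA"]
EPHEMERAL_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_256_GCM_SHA384",  # TLS 1.3: always ephemeral
]

ONE_YEAR = 365 * 24 * 3600


def is_forward_secret(cipher_name: str) -> bool:
    """Classify an OpenSSL suite name by its key exchange.

    TLS 1.2 suite names start with the key exchange (ECDHE-/DHE- are ephemeral);
    every TLS 1.3 suite (TLS_*) uses an ephemeral (EC)DHE handshake.
    """
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def ephemeral_only_context() -> ssl.SSLContext:
    """Client context that offers only forward-secret suites (privacy by default)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict the TLS 1.2 suite list to ECDHE with AEAD ciphers; the TLS 1.3
    # suites OpenSSL adds on top are ephemeral anyway.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def context_is_forward_secret(ctx: ssl.SSLContext) -> bool:
    """True when every suite the context would offer provides forward secrecy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return bool(names) and all(is_forward_secret(n) for n in names)


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_status(headers: dict, min_age: int = ONE_YEAR) -> str:
    """Grade a response header map: 'missing', 'no-max-age', 'short-max-age' or 'enforced'.

    Header names are matched case-insensitively. A header without max-age is
    ignored by browsers, and a short max-age leaves a window in which the first
    request after expiry can again go out over plain http.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    directives = parse_hsts(value)
    if not directives.get("max-age", "").isdigit():
        return "no-max-age"
    if int(directives["max-age"]) < min_age:
        return "short-max-age"
    return "enforced"


if __name__ == "__main__":
    # Constructed sample responses: the first leaves encryption optional, the second enforces it.
    optional_site = {"Content-Type": "text/html"}
    strict_site = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print("optional site:", hsts_status(optional_site))
    print("strict site:  ", hsts_status(strict_site))
    print("ephemeral-only context is forward secret:",
          context_is_forward_secret(ephemeral_only_context()))
```

The two checks correspond to the two halves of the argument: a client that refuses static-RSA suites cannot be downgraded into a recording-friendly handshake, and a site whose header grades as `enforced` has opted into the strict mode the IETF could not make mandatory.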

According to the publication, the Internet Engineering Task Force (IETF), the body that develops networking standards, has proposed encrypting the communication channel between a website and the browser. In effect this is universal deployment of the same kind of protection that banks and online retailers such as Amazon already use to protect their customers around the world.

If the IETF initiative is adopted, it could affect most of the Internet and make users' personal data harder for governments, companies and criminals to obtain. Currently only a small share of websites (as a rule, those handling financial information) encrypt the data they exchange with browsers.

The newspaper also quoted software engineer Mike Belshe, who argues that since Edward Snowden disclosed information about US intelligence agencies' programmes to spy on Internet users, people perceive the world differently. Now, he said, the presence of encryption on the web has become a matter of life and death. According to IETF representatives, because of the surveillance the concept of privacy on the network is disappearing "at breakneck speed."

The IETF was established in 1986 and has played an important role in shaping the technical infrastructure of the Internet. Its participants include employees of the world's largest Internet companies, such as Google, Microsoft and Apple.

At a conference in Berlin this month, IETF members "almost unanimously reached a consensus on the need to build" encryption "into the heart of the Internet," the paper quotes Mark Nottingham, a developer who chairs the IETF HTTP working group (HTTP being the data transfer protocol used to retrieve information from websites). "A lot of people want it to happen," he said.

Nottingham also noted that the proposal would have to pass a broad discussion in the Internet community before it is implemented. In particular, it has not yet been settled how the proposed plan would be put into practice.

Also under discussion is the idea of mandatory use of TLS (Transport Layer Security), a cryptographic protocol that provides secure, encrypted communication between nodes on the Internet. Its implementation is scheduled for 2014.

A number of major companies, including Google and Twitter, have advocated encrypting Internet traffic before. Chrome, Google's browser, already allows users to encrypt their activity when viewing websites.

However, achieving complete privacy on the Internet through the introduction of encryption will hardly be possible. The newspaper quoted Sam Curry, chief technologist at the computer security company RSA, who is sure that hackers will still find a way to break or circumvent data encryption using network vulnerabilities.
