Last November in Vancouver, members of W3C resurrected a discussion left suspended over a decade ago, about the idea of incrementally phasing in a next-generation HTTP that encrypts all packets by default.
Mark Nottingham, who chairs the IETF’s HTTPbis Working Group, wrote in a Jan. 4 blog post that some objections remain to the use of Transport Layer Security (TLS) to encrypt packets on the application layer of HTTP/2. “It’s a political decision,” wrote Nottingham, “not because doing so casts governments as attackers, but because HTTP is a deployed protocol with lots of existing stakeholders, like proxy vendors, network operators, corporate firewalls, and so on. Requiring encryption with HTTP/2 means that these stakeholders get disenfranchised.”
At the same time, security engineers said the use of session encryption protocols like SSL and TLS on the HTTP layer (HTTPS) will do nothing to prevent the practice of metadata collection, by the NSA or even by, say, a marketing firm. The Web is, after all, an application hosted by the Internet’s underlying transport layer.
“By solving the encryption problem we actually do shore up a lot of our security. But what we don’t do is eliminate this cookie-crumb trail of what we’re doing,” Chet Wisniewski, senior security advisor for Sophos, said in an interview.
Intelligence agencies, Wisniewski added, “can still see that you’re making fifty Skype calls a day to so-and-so, who’s believed to be a terrorist. While they may not be able to tell what you said, which could certainly be a deterrent, the metadata is still there.”
But what about going deeper than the top layer? Some proposals to use TLS to encrypt the transport layer (as you may surmise, its original intention) are receiving renewed attention. One such proposal, first unveiled at a security conference in 2010 by Stanford University’s Secure Computer Systems group, is “tcpcrypt,” which would employ TLS at Layer 4 by default.
Andrea Bittau, who leads the Stanford tcpcrypt team, told Network Computing in an interview that the IETF has signaled its interest in the protocol.
“The primary goal of tcpcrypt is simplicity: What is the minimum change that we could do to the Internet, to get the maximum benefit? That’s why we tackled it at the transport layer, instead of specializing for HTTP,” Bittau said. “The beauty about doing it at the transport layer is that you’ve got all applications covered. You do not have to modify your application, or modify your browser. You just deploy it in one place in the operating system, and all the applications will benefit.”
Because standard encryption requires certification, and certification requires authentication, any ubiquitous deployment of encryption will involve, to one degree or another, identity. Essentially, each party in an exchange will have to be assured that the other party continues to be the other party for the duration of the session. Yet historically, what has bogged down discussions about mutual authentication by default is doubt and fear over Web users’ potential, or perceived, loss of anonymity. It’s the feeling that we’re all being watched, after all, that has renewed this debate in the first place.
Bittau said tcpcrypt would leave open the question of which encryption, integrity protection, and authentication protocols are in use. That would afford users who wish to stay anonymous the option of creating private and public key pairs that are not tied to any certificate authority, such as Verisign, he said.
“Two users could actually share a password; they don’t even need a certificate,” he added, “and that password-authenticated key exchange could mutually authenticate each other, without having to reveal anything like a real name.”
Yet that’s only if two people conduct the key exchange. If one of those parties were, say, Facebook, certificates would still need to be involved, at least during the signup process, Bittau said. But from then on, major services like Facebook could theoretically provide their own “blind authentication” mechanisms as cookies to users, enabling anonymous use after that initial contact.
Even tcpcrypt, Bittau conceded, does not completely obscure the details of communications that can, at some point, be reassembled as metadata. “At an IP layer, you could still figure out that information,” he said. “That’s why it’s such a hard problem in practice.”