EVERYTHING needs crypto says Internet Architecture Board

Calls for all new protocols to protect privacy, all the time, everywhere

The Internet Architecture Board (IAB) has called for encryption to become the norm for all internet traffic.

Last Friday, the IAB issued a statement saying that since there is no single place in the Internet protocol stack that offers the chance to protect “all kinds of communication”, encryption must be adopted throughout the protocol stack.

The statement reflects earlier, more piecemeal moves in the Internet Engineering Task Force (IETF) to start “spook-proofing” the Internet.

Rather than looking at a particular protocol proposal, the IAB statement is designed to lay down a fundamental principle for designers: encryption, the board says, should be “the norm for Internet traffic.”

“Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance”.

The statement strengthens a long-held view within the Internet Engineering Task Force articulated in 1986 in RFC 1984, which stated that government policies to monitor the Internet “are against the interests of consumers and the business community, are largely irrelevant to issues of military security, and provide only marginal or illusory benefit to law enforcement agencies”.

This year, RFC 7258, described pervasive monitoring as an attack.

Even where a protocol's own operation doesn't need encryption, the IAB wants protocol designers to think beyond their immediate problem, because “information leaked by one protocol can be made part of a more substantial body of information by cross-correlation”.

In other worlds, even if a protocol doesn't particularly deal with user traffic, such as one handling negotiations between routers, its designers should adopt encryption to ensure it doesn't reveal information that does somehow compromise privacy.

“We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic”, the statement continues.

And in an acknowledgement of the challenges that lie in front of the industry, the statement adds: “We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload.” The IAB says it will “work with those affected to foster development of new approaches”.

The call from the IAB won't be welcomed by the world's spooks. Both the GCHQ and the NSA have accused tech companies like Google, Apple and Facebook of supporting terrorists by encrypting more of their customers' traffic. ®

Broader topics

Other stories you might like

  • Why should I pay for that security option? Hijacking only happens to planes

    But if I give him my bank details, I'll be rich!

    On Call Friday is here. We'd suggest an adult beverage or two to celebrate, but only if you BYOB. While you fill your suitcase, may we present an episode of On Call in which a reader saves his boss from a dunking.

    Our tale comes from a reader Regomised as "Ed" and is set earlier this century. Ed was working as a developer in a biotech lab. He rarely spoke to the director, but did speak to the director's personal assistant a lot.

    This PA was very much a jack of all trades (and master of... well, you get the drift). HR? He was in charge of that. Ops? That too. Anything technical? Of course. Heck, even though the firm had its very own bean counter, one had to go through the PA to get anything paid or budgets approved.

    Continue reading
  • UK, Australia, to build 'network of liberty that will deter cyber attacks before they happen'

    Enhanced 'Cyber and Critical Technology Partnership' will transport crime to harsh penal regime on the other side of the world

    The United Kingdom and Australia have signed a Cyber and Critical Technology Partnership that will, among other things, transport criminals to a harsh penal regime on the other side of the world.

    Australian foreign minister Marise Payne and UK foreign secretary Liz Truss yesterday inked the document in Sydney but haven't revealed the text of the pact.

    What we do know is that the two nations have pledged to "Increase deterrence by raising the costs for hostile state activity in cyberspace – including through strategic co-ordination of our cyber sanctions regimes." That's code for both nations adopting the same deterrents and punishments for online malfeasance so that malfeasants can't shop jurisdictions to find more lenient penalties.

    Continue reading
  • Japan's Supreme Court rules cryptojacking scripts are not malware

    Coinhive-slinger wins on appeal

    A man found guilty of using the Coinhive cryptojacking script to mine Monero on users' PCs while they browsed the web has been cleared by Japan's Supreme Court on the grounds that crypto mining software is not malware.

    Tokyo High Court ruled against the defendant, 34-year-old Seiya Moroi, on charges of keeping electromagnetic records of an unjust program. That unjust program was Coinhive, a "cryptojacking" script that mines for Monero by pinching some CPU cycles when users visit a web page that includes the code. Moroi ran the code on his website.

    Coinhive has been blocked by malware and antivirus vendors as it slows down other processes, increases utility bills, and creates wear and tear on your device. But in many ways Coinhive's Javascript code acts no differently to advertisements.

    Continue reading

Biting the hand that feeds IT © 1998–2022