Mass Surveillance Prompts IETF Work on SSL Deployment Guidelines
A new IETF working group will develop best practices for deploying and using SSL/TLS with several Internet communication protocols
Tue, December 17, 2013
IDG News Service — A newly created working group within the Internet Engineering Task Force (IETF) has set out to develop best practices for deploying SSL encryption for Internet communications.
The group's creation follows revelations in recent months about mass Internet surveillance programs run by the U.S. National Security Agency, the U.K.'s Government Communications Headquarters (GCHQ) and other intelligence agencies.
IETF's new "Using TLS in Applications" (UTA) group became active last Wednesday when its charter was approved. It will focus on issuing guidance on using TLS (Transport Layer Security), the successor of SSL (Secure Sockets Layer), with several application protocols: SMTP (Simple Mail Transfer Protocol) used for email transmission across the Internet; POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) used by email clients to retrieve emails from servers; XMPP (Extensible Messaging and Presence Protocol) used for instant messaging; and HTTP (Hypertext Transfer Protocol) version 1.1, the foundation of data communication on the World Wide Web.
This working group has its roots in the IETF "perpass" mailing list that was created explicitly to coordinate ideas and discussions on pervasive monitoring and surveillance, Leif Johansson, member of the board of directors at Internet Exchange Point (IXP) operator Netnod and co-chair of the new IETF UTA group, said via email.
IETF joined several other Internet infrastructure groups in October in expressing strong concern over what they called "the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance."
Mass Internet surveillance was the topic that received the most attention at the 88th IETF Meeting in early November, according to IETF chair Jari Arkko. During that meeting's technical plenary, cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, said that the goal of the technical community should be to make eavesdropping expensive and force the NSA to abandon wholesale collection of data in favor of targeted collection.
"Ubiquitous encryption on the Internet backbone will do an enormous amount of good -- provide some real security and cover traffic for those who need to use encryption," he said. "The more you can encrypt data as it flows on the Internet, the better we'll do."
Later in November, the IETF working group responsible for developing the next version of the HTTP protocol -- HTTP 2.0 -- said it's considering making encryption a standard requirement for the protocol.
While this change would be a major improvement for the security of the Web, HTTP 2.0 is at least a year away from becoming a standard and it will probably take a long time for it to become widely adopted. In the meantime, the newly established IETF UTA working group aims to encourage the adoption of SSL/TLS encryption to secure existing Internet data transmissions.