Slashdot Mirror


Snowden's NSA Leaks Gave IETF a Needed Security Wake-up Call

alphadogg writes "Security and how to protect users from pervasive monitoring will dominate the proceedings when members of Internet Engineering Task Force meet in London starting Sunday. For an organization that develops the standards we all depend on for the Internet to work, the continued revelations made by NSA whistleblower Edward Snowden have had wide-ranging repercussions. 'It wasn't a surprise that some activities like this are going on. I think that the scale and some of the tactics surprised the community a little bit. ... You could also argue that maybe we needed the wake-up call,' said IETF Chairman Jari Arkko. Part of that work will also be to make security features easier to use and for the standards organization to think of security from day one when developing new protocols."


  1. Article by DaMattster · · Score: 4, Interesting

    This article is an example of poor technology journalism. The article offered a pathetic excuse as to why security has not been implemented: it's too complex and difficult. No one ever bothered to write a good user interface for the security mechanisms. Most of the security tools are written to be used by engineers. Why not make a user interface that glues together these tools so that every Tom, Dick, and Harry can use them? It isn't necessary to use such complex terminology either. I'm not saying dumb it down completely but make some tools for the less computer savvy.

    1. Re:Article by houghi · · Score: 4, Interesting

      I was also looking at the ease of use part. How many people do encrypt their email? And I mean because of reason, not because they are geeks.
      I am talking about the CEO sending messages that should stay secure.

      I think the reason they do not encrypt their email is because it is not implemented in the email client as a standard and doing so is not easy enough.

      "But there is XYZ that they could use/do." Well, they don't and that is a serious problem.

      --
      Don't fight for your country, if your country does not fight for you.
  2. I don't think the IETF woke up at all... by QuietLagoon · · Score: 4, Interesting
    No, I Don't Trust You! -- One of the Most Alarming Internet Proposals I've Ever Seen

    If you care about Internet security, especially what we call "end-to-end" security free from easy snooping by ISPs, carriers, or other intermediaries, heads up! You'll want to pay attention to this.

    You'd think that with so many concerns these days about whether the likes of AT&T, Verizon, and other telecom companies can be trusted not to turn our data over to third parties whom we haven't authorized, that a plan to formalize a mechanism for ISP and other "man-in-the-middle" snooping would be laughed off the Net.

    But apparently the authors of IETF (Internet Engineering Task Force) Internet-Draft "Explicit Trusted Proxy in HTTP/2.0" (14 Feb 2014) haven't gotten the message.

    What they propose for the new HTTP/2.0 protocol is nothing short of officially sanctioned snooping.

  3. Re:two words: trusted proxy by jonwil · · Score: 3, Interesting

    What I meant was more along the lines of preventing someone like, say, an IT shop at a big company from being able to install a "trusted client certificate" from one of those SSL proxy server things (websense etc) and MITM SSL that way.

    (cue IT guys saying "but we have to do that because xyz stupid law requires we monitor everything going in and out and if we can't monitor SSL traffic, we would have to block it and break half the internet")

  4. Re:two words: trusted proxy by AHuxley · · Score: 3, Interesting

    Yes, you're back to one time pad and number station, your family, village, tribe, faith, cult, community, country vs the Tempora http://en.wikipedia.org/wiki/T...

    --
    Domestic spying is now "Benign Information Gathering"
  5. Re:two words: trusted proxy by WaffleMonster · · Score: 4, Interesting

    We need to replace both SSL/TLS AND the broken CA cert model with a new security system

    I think care is needed in understanding the difference between failures of technology vs. failure in implementation.

    For example, the technology to enable PKI may be sound; however, deploying SSL CAs in the manner they have with hundreds of redundant, global, overlapping CAs may prove to be unreasonably difficult to secure or trust.

    specifically designed so its NOT possible to build such a "trusted proxy" or otherwise MITM the connection even if you control the client

    Every possible security protocol which will ever exist requires a useful source of trust as the basis for useful operation. Without trust security is ALWAYS a useless illusion.

    If an untrustworthy source controls all the inputs and all the outputs there is no trust in that system, no sophisticated cryptographic concept or any amount of wishful thinking will ever change this.

    If it is not an untrusted cert it will be manipulation of the browser's security stack or rendering system. About as pointless as implementing RFC 3514.