Slashdot Mirror


Should the Internet Be Secure By Default? (esecurityplanet.com)

darthcamaro writes: There are lots of tools and different secure protocols that could be used by internet service providers to embed security into the fabric of the internet, making the internet secure by default, but that's not something that Facebook's Chief Security Officer, Alex Stamos, wants to happen. Instead of security by default, his view is that carriers should be neutral and let malicious traffic do whatever it wants.

"I believe strongly in the end-to-end principle, I think we should have neutral carriers in the middle and it should not be the responsibility of ISPs to secure the internet," Stamos said in a press conference at the Black Hat USA conference last week.

Slashdot reader Darth Technoid disagrees, calling a lack of security "the Original Sin of the Internet," and speculating that Vint Cerf and Bob Metcalfe "thought that future technology would resolve the issues." What do other Slashdot readers think?

Should the internet be secure by default?

3 of 154 comments

  1. It would never work... by MikeDataLink · · Score: 5, Interesting

    If they had built encryption in from the beginning it would have been obsoleted long ago. Would you still want to be running WEP? Then we'd all have to upgrade our routers every year to stay on the latest encryption that hasn't been compromised. Having endpoint to endpoint encryption is the right answer.

    And if that's not enough, we need an open and free internet and we need carriers to not be messing with any of my bits and bytes.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  2. Yes and no by hord · · Score: 1, Interesting

    Yes I want an internet that is secure by default. No this does not involve the carriers. I personally think this starts with distributed, federated identity meaning that your presence on the internet can be known to others but only to others you trust. Think BitCoin but for identity.

    For example, imagine you made your own authentication realm that was just a presence on the internet. You would create identities within it that represent you and people that you trust along with this trust relationship. It would also store data regarding your interactions with others in some way. This could then be exported by you under your supervision to other entities that would use it to determine if they trusted you or not. With cryptographic protocols and fingerprints you would be building a long-term history of trusted actions much like how we interact face-to-face.

    The goal would be to remove identity from places like Facebook or Google. OAuth, X.509, PGP/GPG, and some other technologies either get us close or do parts of this right now. It's just not in an easy-to-use cohesive bundle that you can stand up on a mobile phone. My idea would also be unwelcome at commercial sites unless they are truly willing to negotiate attribute release. Ideally I'd like something like a 2-way EULA that allows me to know and alter what data these companies collect on me and how they use it.

    Until we start treating the internet like a real place where real people interact in real ways I'm not sure we'll be in the right frame of mind to solve these issues.

  3. More useful by Anne Thwacks · · Score: 3, Interesting

    It would be far more useful to have another Internet with no advertising at all even if we had to pay for it. Like Fidonet was.

    You can't actually find stuff on the Internet any more, because the first 2,500 search results do not even contain the search terms you used, but things you might conceivably have been thinking of buying if you were someone else in a parallel universe.

    If you want "secure" as in privacy you might want to write it on paper and carry it there in person. I would suggest you avoid putting it in an electronic format of any kind.

    You might also wish to buy a tin foil hat from my Ebay shop - in case the thoughts leak from your brain.

    --
    Sent from my ASR33 using ASCII