Building a Snoop-Resistant Internet (and Pavlov Poke)

The Internet Engineering Task Force has a neat solution to LOVEINT and co: design the next version of the HTTP standard (2.0) so that either client or server can require encryption.

(Right now, only the server can do that. If the web site you’re visiting doesn’t support HTTPS, you can’t do anything to encrypt the connection.)

Client-manded encryption would be a wonderful add-on to all the browser-side “privacy button” features out there. As the article points out, we’ve seen a sea-change of late — browsers are now competing on the basis of their privacy-friendly features.

Now that they mention it, the privacy sea-change does seem to be larger than even Snowden. The browser privacy wars well predate his Hong Kong “epilepsy appointment” with Drs. Greenwald and Poitras.

Pavlov Poke: Delivering electric shocks to people that use Facebook? WHY DIDN’T ANYONE THINK OF THIS EARLIER?! http://www.robertrmorris.org/pavlovpoke

http://nakedsecurity.sophos.com/2013/08/24/next-version-of-the-web-will-have-resistance-to-surveilance-at-its-core/

“The IETF’s response to the threat of surveilance is simple; there should be ‘equal power’ between you and the website you are using so that either party can require that encryption is used.

The recommendation appears to have wide support in the working group so there is every reason to expect that this is indeed how HTTP 2.0 will be implemented.

If it is, then it will fundamentally change the relationship between browsers and websites.

In the future all websites would have to be capable of offering encryption and you would be able to use it whenever and wherever you like.

Prism image courtesy of ShutterstockThere are limits to the reach of this scheme, of course.

The first and most serious is that this proposal concerns the privacy of your information while in transit, not once it gets there.

There is nothing that the IETF or their protocol can do to stop a website from offering up your data to the NSA after it has received and decrypted it.

And of course this elegant solution won’t appear overnight.

The specification for HTTP 2.0 won’t be finalised until the end of 2014 and there are serious technical obstacles that will need to be overcome between now and then.

We may have to wait until the web is in its late twenties or older before we see HTTP 2.0 widely deployed and we can expect that both websites and web browsers will offer fall-backs to HTTP 1.1 for a long time yet.

But every revolution starts somewhere and it’s not just Sir Tim’s baby that’s growing up fast; browser vendors now compete based on their privacy features.

Web giants like Google, Facebook and Twitter are leading a charge towards increased use of HTTPS so there’s every reason to hope that the next version of the web will find itself in mature company.”

Advertisements
%d bloggers like this: