The Internet Engineering Task Force (IETF) has set out a raft of proposals to restore trust and integrity to data transmissions.
The international standards body has done so in response to recent revelations Western spy agencies have been subverting, bypassing and breaking encrypted communications over the Internet in order to conduct mass pervasive surveillance.
The organisation's chairman Jari Arkko and its security area director Stephen Farrell said that while IETF knew about the interception of targeted individuals and other monitoring activities, the scale of it was surprising.
"Such scale was not envisaged during the design of many internet protocols, but we are considering the consequence of these kinds of attacks," Arkko and Farrell wrote.
Encryption is an important tool to protect private communications, the IETF said, and has mandated that its standard protocols should include strong security mechanisms. The organisation also decided in 2000 not to consider requirements for wiretapping when creating and maintaining standards, saying it was the wrong forum for such work.
Furthermore, the IETF believes adding wiretapping capabilities in protocols makes them more complex and prone to security holes, and the organisation has a strongly held belief in privacy on the internet against illegal intrusions.
IETF has already started work to improve internet security, with Arkko and Farrell saying the new revelations provided additional motivation for doing so. Among the things under IETF consideration are:
- How to ensure the next generation of the hyper text transfer protocol or HTTP/2.0 makes better use of the Transport Layer Security (TLS) cryptographic protocol, allowing clients to require it by default instead of simply reacting to either encrypted or unencrypted sessions.
- How to deal with the new pervasive monitoring threat model shown by Snowden's revelations so that future protocol designs can take it in to account.
- How to make better use of existing protocol features such as TLS with Perfect Forward Secrecy, which protects against the capture of private encryption keys.
- Updating specifications to deprecate older and weaker cryptographic algorithms and to allocate code points for strong algorithm choices so that they can be used with internet protocols.
The organisation notes that technology alone isn't the only factor when it comes to building secure and deployable systems for all internet users. Operational practices, laws and other such factors also matter, Arkko and Farrell said.
Publicity about discussions to make the internet more secure and trusted is important, the pair said.
'Perhaps this year’s discussions is a way to motivate the world to move from “by default insecure” communications to “by default secure",' Arkko and Farrell added.