Reports about pervasive surveillance have been the big discussion topic in the Internet community in the last couple of months. Our commerce, business, and personal communications all depend on the Internet being secure and trusted, so the situation is disturbing.
This week we are meeting at the IETF in Vancouver, British Columbia. Over 1200 engineers and specialists have gathered together from all over the world to work on improving various aspects of Internet technology. Surveillance has been a big discussion topic in our meeting as well. Of course, we care about the overall state of security in the Internet, and do not merely react to specific concerns. And technology is just one aspect of the recent concerns.
Yet, the engineers are taking the security issues very seriously. Every session that we have been to during this week has gone through analysis and discussion of the state of security for their specific piece of the technology, with serious consideration for privacy. In many cases, privacy against pervasive monitoring was considered on an equal footing with other security issues for the first time.
The first meeting that we attended on Monday morning (APPSAWG) went through application after application, considering how those applications make use of Transport Layer Security (TLS) and looking at possibilities to get the TLS-secured versions more widely and consistently deployed. We discussed plans for upgrading the handling of mail, instant messaging and voice-over-IP protocols, in each case with a view to improving the resistance of the deployed base to pervasive monitoring, and we look forward to real progress in offering guidance to those deploying all those applications.
We also discussed the same topic within the transport stack in the multipath TCP working group where the use of opportunistic encryption was discussed. As that work matures, we might be able to expect to improve both efficiency (being able to use multiple paths) and security/privacy (in order to tie those paths together) at once, which could be a compelling prospect.
Today we discussed improving security for web traffic. There are generally no easy solutions for Internet security improvements, but we were struck by how the HTTP working group clearly stated that doing nothing is not an option. We then proceeded to look at the various options for increasing the proportion of protected web traffic. Carefully. Considering that the Internet is not a new project but a live network with many existing components that have to continue to work. Trying to understand the impact of different options on web site adoption, the software that the engineers build for various products, and end-user experience. Being honest about the impacts and difficulties, such as user perception, the feasibility of different attacks, and the role of certification authorities, proxies, and other components.
And this is what to us is best about the IETF community. We are faced with complex challenges, but when the right people are in the room, we can have a real and honest discussion about what is technically possible. Such discussion cannot be had without people who write the code for browsers, servers, proxies, and who understand the world of certification authorities and user experience, and those who have needs or concerns about the broader good that is the Internet. Some of you may have heard the term “multi-stakeholder” and thought about it as an abstract concept. But it is a very real concept, and one that we have to employ when developing any significant Internet technology.
Tomorrow we will continue the discussion with Bruce Schneier and others on a plenary panel session, and an overall analysis session on pervasive monitoring. We will continue reporting as the week continues. And this is not new for the IETF – we have been working on the security of the Internet for a long time. The real mark of our effect will be the specifications that we produce and their adoption in real-world devices that make the Internet work. We have a meeting this week, but the challenge is a long-term one and needs a long-term and continuous response.
Jari Arkko, IETF Chair, Stephen Farrell and Sean Turner, IETF Security Area