NakedSecurity, August 24, 2013
Did you know that yesterday, 23 August 2013, was the World Wide Web’s birthday? It is 22 years and one day since the official Internaut Day – the day when Sir Tim Berners-Lee opened up the web to new users and kicked off a global communications revolution.
How fitting then that it was in the web’s 21st year, the year that traditionally signals the final transition from innocence to maturity, in which the scales fell from our eyes and we began to understand the vast scope and ambition of government internet surveillance.
If the Internet Engineering Task Force has its way then it may also become known as the year when we began to toughen up and make a web that’s fit for a grown-up world.
The IETF are a highly respected group of engineers who produce recommendations and standards for how various aspects of the internet should work.
One of those standards is the Hypertext Transfer Protocol (HTTP), which defines how web browsers and web servers communicate with each other.
A working group from the IETF recently met in Berlin to talk about the design of HTTP 2.0, the first update to the web’s fundamental protocol since 1999, and dealing with surveillance was at the top of their agenda.
Their minutes attest to the new reality – “There is new information; there are widespread deployments of sniffers”.
Speaking to the Financial Times, IETF member Mike Belshe reflected the sober mood:
There has been a complete change in how people perceive the world ... not having encryption on the web today is a matter of life and death
As you would expect from Belshe’s comments the discussion on how to deal with government surveillance centers on the use of encryption. That’s because anything that isn’t encrypted can be intercepted and read.
The version of HTTP in use today, version 1.1, leaves the decision about what does and does not need to be encrypted entirely to whatever website you are using (and, of course, to the organisation behind it).
Encrypted HTTP, known as HTTPS (HTTP carried over TLS), requires more computing power, is slower and is more complex to set up than plain vanilla HTTP.
Organisations generally limit its use to pages dealing with sensitive data like passwords and credit card numbers.
That approach is an acceptable trade-off when you’re trying to protect yourself from thieves, but it’s of little use in guarding against all-pervasive snooping.
The IETF’s response to the threat of surveillance is simple: there should be ‘equal power’ between you and the website you are using, so that either party can require that encryption is used.
The recommendation appears to have wide support in the working group so there is every reason to expect that this is indeed how HTTP 2.0 will be implemented.
If it is, then it will fundamentally change the relationship between browsers and websites.
In the future all websites would have to be capable of offering encryption and you would be able to use it whenever and wherever you like.
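The two halves of the argument above, as an added example that is not from the article, the IETF or any browser vendor: first, what an on-path sniffer recovers from an HTTP/1.1 request that a site chose to serve in the clear (the captured request is constructed for this example); second, a browser-side rule that refuses to send anything in plaintext, so the client rather than the site decides encryption is mandatory. The http-to-https upgrade rule is a hypothetical policy for illustration only and is not how HTTP 2.0 specifies the behaviour; the hostnames and values are made up.

```python
"""Added example (not from the article): what a passive sniffer gets from plaintext
HTTP/1.1, and a client-side rule that refuses to send a request in the clear."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample request, as a sniffer on the path would capture it when a site
# encrypts only its "sensitive" pages and this login page is served over plain HTTP.
CAPTURED_PLAINTEXT = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"user=alice&password=hunter2%21"
)


def sniff_plaintext_request(raw: bytes) -> dict:
    """Parse a captured HTTP/1.1 request; nothing here needs a key to read."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Only the declared body length belongs to this request on a persistent connection.
    length = int(headers.get("content-length", "0"))
    body = body[:length]
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {
        "method": method,
        "host": headers.get("host"),
        "path": target,
        "cookie": headers.get("cookie"),
        "form": form,
    }


def require_encryption(url: str) -> Optional[str]:
    """Hypothetical client-side 'equal power' rule: the browser insists on encryption.

    Returns the URL the client is willing to fetch, or None when the request would
    have to travel in the clear and the client refuses. Upgrading http:// to https://
    assumes the site also listens for TLS on the default port 443 (an assumption of
    this example, not a property of HTTP 2.0).
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        return None
    if parts.port not in (None, 80):
        # We cannot guess which port speaks TLS, so refuse rather than fall back to plaintext.
        return None
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    print("sniffer recovered:", sniff_plaintext_request(CAPTURED_PLAINTEXT))
    for candidate in ("http://shop.example/login",
                      "https://shop.example/login",
                      "http://shop.example:8080/login"):
        print(candidate, "->", require_encryption(candidate))
```

Run it and the first line shows the session cookie and the form password recovered byte-for-byte from the capture; a TLS-wrapped version of the same request would expose only the destination and traffic sizes to the same sniffer. The second half shows the asymmetry the proposal attacks: under the hypothetical rule the browser never sends the plaintext URL at all, and a non-default port is refused outright rather than silently falling back to HTTP.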
There are limits to the reach of this scheme, of course.
The first and most serious is that this proposal concerns the privacy of your information while in transit, not once it gets there.
There is nothing that the IETF or their protocol can do to stop a website from offering up your data to the NSA after it has received and decrypted it.
And of course this elegant solution won’t appear overnight.
The specification for HTTP 2.0 won’t be finalised until the end of 2014 and there are serious technical obstacles that will need to be overcome between now and then.
We may have to wait until the web is in its late twenties or older before we see HTTP 2.0 widely deployed and we can expect that both websites and web browsers will offer fall-backs to HTTP 1.1 for a long time yet.
But every revolution starts somewhere and it’s not just Sir Tim’s baby that’s growing up fast; browser vendors now compete based on their privacy features.
Web giants like Google, Facebook and Twitter are leading a charge towards increased use of HTTPS so there’s every reason to hope that the next version of the web will find itself in mature company.