Internet Engineering Task Force debates how to encrypt the whole internet to make it more secure


In a move to make the internet more secure, the Internet Engineering Task Force, or IETF, has started the discussion on how to encrypt… everything.

This is more imperative than ever given what is now known about government spying and the ease with which it can be done, especially with much of the internet publishing its pages in “plaintext” format. The IETF has delegated to the HTTPbis Working Group the task of determining the design that HTTP 2.0 will have.

Mark Nottingham, the HTTPbis Working Group’s chair, outlined three different ways in which a newer, more secure internet could be encrypted:

“There seems to be strong consensus to increase the use of encryption on the Web, but there is less agreement about how to go about this.

A. Opportunistic encryption for http:// URIs without server authentication—aka “TLS Relaxed” as per draft-nottingham-http2-encryption.

B. Opportunistic encryption for http:// URIs with server authentication—the same mechanism, but not “relaxed,” along with some form of downgrade protection.

C. HTTP/2 to only be used with https:// URIs on the “open” Internet. http:// URIs would continue to use HTTP/1 (and of course it would still be possible for older HTTP/1 clients to still interoperate with https:// URIs).”

He went on to explain that C is potentially the best option because it “provides stronger protection against active attacks”, despite the potential for “limiting deployment of better security”, and it also seems to be the more popular option.

Whatever is adopted, hopefully it does the job of creating a much more secure internet. We have to wonder, though — if agencies like the American NSA and the British GCHQ easily bypassed current security standards (using a variety of technical and non-technical ways), what will stop them from doing the same on HTTP 2.0?

[via Arstechnica, HTTPbis Letter]


  • It’s been said that the perfect security system doesn’t make it off the board before someone’s already found a way around it. That said, there have been some ideas around for a long time on making the Internet safer. Read Earthweb by Mark Steiger, he researched a lot of them for his novel. PPPoE transmission with one-time passkeys negotiated by the computers themselves and not stored is probably the most secure method we have at the moment, though I haven’t researched that to find out for sure.

  • J.L.

    Unnecessary overhead on most public content. The governments will get the decryption keys from large corporations anyways, so pointless in that regard. Only makes it harder for the “bad guys”, but far from foolproof in that regard either.