In a move to make the internet more secure, the Internet Engineering Task Force, or IETF, has started a discussion on how to encrypt… everything.
This is more imperative than ever given what is now known about government spying, and how easily it can be carried out when much of the internet still publishes its pages in “plaintext”. The IETF has delegated to the HTTPbis Working Group the task of determining the design that HTTP 2.0 will have.
Mark Nottingham, chair of the HTTPbis Working Group, outlined three different ways in which a newer, more secure internet could be encrypted:
“There seems to be strong consensus to increase the use of encryption on the Web, but there is less agreement about how to go about this.
A. Opportunistic encryption for http:// URIs without server authentication—aka “TLS Relaxed” as per draft-nottingham-http2-encryption.
B. Opportunistic encryption for http:// URIs with server authentication—the same mechanism, but not “relaxed,” along with some form of downgrade protection.
C. HTTP/2 to only be used with https:// URIs on the “open” Internet. http:// URIs would continue to use HTTP/1 (and of course it would still be possible for older HTTP/1 clients to still interoperate with https:// URIs).”
He went on to outline how C is potentially the best option because it “provides stronger protection against active attacks”, despite the potential for “limiting deployment of better security”. It also seems to be the more popular option.
Whatever is adopted, hopefully it does the job of creating a much more secure internet. We have to wonder, though — if agencies like the American NSA and the British GCHQ easily bypassed current security standards (using a variety of technical and non-technical ways), what will stop them from doing the same on HTTP 2.0?
[via Arstechnica, HTTPbis Letter]