
12/1/2014
02:50 PM

Q&A: Internet Encryption As The New Normal

Internet Architecture Board chairman Russ Housley explains what the IAB's game-changing statement about encryption means for the future of the Net.

The era of encrypted communications may have finally arrived. The Internet Architecture Board (IAB), which oversees the Internet's architecture, protocols, and standards efforts, officially called last month for encryption to be deployed throughout the protocol stack as a way to lock down the privacy and security of information exchange.

It was a bold and important statement from the IAB, and it likely will be the general blueprint for new protocol efforts by the Internet Engineering Task Force (IETF), which creates the protocol specifications that run the Internet and devices and systems connected to it. "The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic," IAB chairman Russ Housley wrote in its Statement on Internet Confidentiality.

The IAB also urged developers to deploy encryption by default, and it urged network and service providers to add encryption across the board.

In his first interview since issuing the IAB statement Nov. 14, Housley spoke with me about the new normal of widespread, encrypted Internet communications.

Dark Reading: What does it really mean for the IAB to issue this encryption statement?

Housley: The IAB is making a recommendation, and we have no enforcement powers on that. But if we look back historically on IAB statements, the IETF has tended to follow them. What basically happens when people start to go off in a different direction is they say, "Hey, the IAB said this," so what do you think going against that recommendation is going to do? If they have a good answer [for it], they continue.

We think encryption should be the norm. We recognize there are exceptions where encryption is actually not possible. We want to give people that thought that says, "Is there a way we could do this with encryption?"… We felt things were improving, but maybe the pace needs to be picked up to combat pervasive monitoring.

Dark Reading: Will we see an updated TCP/IP stack emerge from all of this?

Housley: Incremental improvement is the only way we are going to see changes. You can't have a flag day [like we did] from NCP [Network Control Program of Arpanet] to TCP/IP. That's just not possible in today's Internet, because of the scope and scale.

The transition from IPv4 to IPv6 is a demonstration of how difficult that transition is… Incremental change is the only [way].

We're seeing significant uptick in IPv6 in cable companies, wireless mobile, leading the way there because they have more devices deployed than they can get IPv4 addresses. The more and more that happens, the more there will be an increase in IPv6 and the ultimate decline of IPv4.

Dark Reading: There are security tradeoffs with encrypted communications, given that many of today's security tools can't perform their tasks if the network flows are encrypted. How do you reconcile that?

Housley: We recognize that, and that's why we added that closing to the statement. Instead of just saying, "Hey, it's clear sailing," let's be honest and say there are some rough spots here and work. We will [likely] form some workshops around these topics to make sure people start talking.

Another example is that network management makes the assumption that it can dive in multiple layers of traffic to see what's going on… We need to give network managers what they need without exposing so much plain text.

Dark Reading: How will vendors and service providers move forward with encryption by default?

Housley: We've already seen some of that. Some of the email providers have done things like move IMAP to IMAP over TLS, so all the traffic between a mail client and the mail server is protected. We're seeing more and more [encryption adoption, including from] content distribution networks.

Personally, I'd like to see greater integration of DNSSEC, as well.

Dark Reading: As we've seen, SSL/TLS is not exactly bulletproof. Heartbleed demonstrated how an SSL/TLS implementation issue can cause big problems. What are the IAB and IETF doing to improve encryption protocols?

Housley: TLS 1.3 is under development in the IETF. TLS 1.3 eliminates lots of stuff that kind of got added on. One of the key questions being asked in development is, "What's in there that no one really needs, and where are possible places for bugs [to be] introduced by developers?"… Remove that and keep it simple as possible, so it's easier for people to look at the code and easier to find and fix bugs. That's one of the design criteria this time around.

That includes not having every crypto algorithm everyone has ever come up with, but figuring out which ones are really needed and putting the focus and review behind those, as opposed to anyone who wants to add one adds one.

Elliptic curve is being embraced very strongly this go-round. Smaller key sizes and stronger security will have a positive effect.

Dark Reading: What other security functions or protocols are in the works?

Housley: In the same way with TLS, protocol updates need to be simple and streamlined and only with functionality that's needed. There's some work being explored about security services on your behalf… For example, you can attach to different WiFi hotspots and see what firewall is in that [network] and how it's configured and know what your security posture is. Something that would let mobile devices from laptops to smartphones adapt to different points where they enter the Net.

Dark Reading: What are the challenges for making encrypted communications the norm?

Housley: The challenges will be political and will have to do with firewall policies, IDS, deep packet inspection, [for instance]. Looking for spam and viruses in email messages… all of those things become more difficult. We have to find the right balance and the right places in the stack for encryption to provide security and privacy to the customer, and yet to protect the customer.

I hope we end up in a place where crypto is the norm and not a presumption of, if you encrypt, you have something to hide.

Dark Reading: Do you expect any pushback from government agencies or law enforcement?

Housley: It depends. The IETF is not going to standardize on weakened crypto… We're not going to develop our protocols to include backdoors for law enforcement, because that inevitably will be used by others, as well. We will work with how law enforcement gets access to things they need without the protocols themselves. These are similar kinds of discussions [we had in the 1990s with Clipper Chip and US export policy debate].

[The IAB urges encryption across the protocol stack to usher in an era where encrypted traffic is the norm. But there are possible security tradeoffs. Read Internet Architecture Board Calls For Net Encryption By Default.]

Dark Reading: What will the new encrypted Internet look like versus the Net of today?

Housley: One of the workshops the IAB is looking at is the evolution of messaging. The idea is that spam has gotten so bad, so maybe we can do something in the messaging architecture itself. Right now, anyone can send anyone a message.

Like in instant messaging, where you can [specify] this person is allowed to know I'm online or when I'm not, maybe there's an analogy there for other kinds of messaging, for example.

I'm hoping a bunch of different Internet organizations -- not just the IETF -- will rally around this idea [encryption as the norm] and help bring it to fruition in a way that users are comfortable with it and almost not impacted at all.

The challenge will be to embrace crypto so regular users see very little impact, and it just works.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
12/4/2014 | 9:24:49 PM
Re: Depth over breadth
What I thought was interesting here is how practical this is in terms of not just throwing in some feature to make someone happy. I don't know if that's always an easy thing to accomplish in standards-land, but the IETF and IAB appear to be setting the tone here for a tight, streamlined protocol, which is cool.
Joe Stanganelli,
User Rank: Ninja
12/4/2014 | 12:24:38 AM
Depth over breadth
re: "figuring out which ones are really needed and putting the focus and review behind those, as opposed to anyone who wants to add one adds one."

This. This is so important. People are so pleased to contribute their own things -- but less incentivized naturally to improve others' contributions. Focusing on improving what we have is the key (no pun intended).
Kelly Jackson Higgins,
User Rank: Strategist
12/2/2014 | 1:54:46 PM
Re: Enforcement?
I really think this is a big deal. The IAB carries a lot of weight, and if the Internet infrastructure gets updated with more protocols that make it easier for encryption, the products & services will come. 
Marilyn Cohodas,
User Rank: Strategist
12/2/2014 | 1:51:40 PM
Re: Enforcement?
Definitely seems like a step in the right direction...thanks!
Kelly Jackson Higgins,
User Rank: Strategist
12/2/2014 | 1:41:50 PM
Re: Enforcement?
It is technically a recommendation, but when the IAB talks, the IETF (which implements the specs for the technology) usually listens & follows. =) Russ wasn't comfortable providing a timeframe for encryption everywhere it can go. It will be phased in, for sure. And we've already seen an uptick in activity this year (post-NSA revelations), with more HTTPS sites, the EFF's new free SSL service, etc. The IAB's statement solidifies the trend and should help propel it further.
Marilyn Cohodas,
User Rank: Strategist
12/2/2014 | 1:37:59 PM
Enforcement?
Kelly, do I understand this correctly, the "statement" from the IAB is not a requirement, just a recommendation? So how long of a time period would you expect it to be before encryption will be the norm? And where do you think the resistance will come from?