Internet Architecture Board Calls For Net Encryption By Default

The Internet Architecture Board (IAB) urges encryption across the protocol stack to usher in an era where encrypted traffic is the norm. But there are possible security tradeoffs.

The Internet Architecture Board (IAB) is calling for encryption to become the norm across the Internet in a move to lock down the privacy and security of information exchange.

"The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic," IAB chairman Russ Housley wrote late last week in the IAB Statement on Internet Confidentiality. "Newly designed protocols should prefer encryption to cleartext operation."

Housley's declaration signaled a major strategic move for the Internet. The IAB, which oversees the Internet's architecture, protocol, and standards efforts, is now encouraging a new era of Internet protocols -- as well as products and services -- that are created with security in mind, security experts say. "We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected," Housley wrote.

Richard Bejtlich, chief security strategist at FireEye and a nonresident senior fellow for the Brookings Institution, says the IAB's stance "represents the progression of trying to introduce some real security into the [Internet] standards-making process."

This is obviously not the Internet architecture community's first effort to better secure the core Internet protocols and infrastructure. The Internet Engineering Task Force (IETF) has issued security protocol specifications such as Transport Layer Security (TLS), DNSSEC, and the next-generation IP protocol, IPv6, which includes the IPsec encryption protocol, for example. This wasn't the IAB's first proclamation about encryption, either. In 1996, it issued RFC 1984, which basically covered the need for encryption to protect users' private information. "Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known," Housley said in the recent IAB statement.

Calls for more widespread encryption have intensified in the wake of the leak of controversial NSA spying programs by former NSA contractor Edward Snowden, and the IAB's position coincides with a wave of more mainstream encryption acceptance. Yesterday the Electronic Frontier Foundation (EFF) announced Let's Encrypt, a project in which the EFF has teamed up with Mozilla, Cisco, and Akamai via a nonprofit to help roll out free HTTPS server certificates and make encrypting web traffic easier. And the maker of the widely adopted WhatsApp messaging app plans to provide end-to-end encryption by default.

Privacy advocates and security experts welcome the renewed emphasis on encryption, but there are potential security tradeoffs when enterprises adopt encryption. Monitoring and scanning for malicious activity can be challenging when enterprise traffic is encrypted.

"Encryption is always better," Bejtlich says. "But with my monitoring hat on, encryption can be difficult. If you're trying to monitor an encrypted resource, you can't quite see what's happening."

Unintended consequences
Security vendor Blue Coat warns that attackers could wage relatively simple malware attacks under the cloak of encrypted connections and steal information without the victim organization being able to detect it. Attackers can combine short-lived websites with SSL connections to steal information over encrypted channels.

Encryption is key to securing the Internet, according to Hugh Thompson, chief security strategist for Blue Coat, which published a report about this "visibility void" yesterday. "But there are consequences: If you think about the security infrastructure [enterprises] have built up over the last 10 years, network antivirus, data leakage prevention, scanning network traffic... When you suddenly encrypt that traffic, these tools cannot operate on an encrypted network," he says. "The side effect is a growing [blind spot] to malicious traffic going through those channels."

But businesses don't have to trade privacy for security or vice versa, he says. It's a matter of establishing policy-based encryption, decrypting only some traffic that needs security scanning. "Not personal banking, not healthcare information. You don't want to interfere with personal interactions on the web."
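The selective, policy-based decryption Thompson describes can be sketched in code. This is an added example, not code from the article or from Blue Coat: a middlebox reads the server name (SNI) from the still-unencrypted ClientHello and decides whether the connection is inspected or bypassed. The hostnames, categories and policy here are constructed assumptions, and the ClientHello builder exists only to produce test input.

```python
import struct
from typing import Optional

# Constructed policy: categories the middlebox will never decrypt (assumption,
# mirroring the "not banking, not healthcare" rule quoted in the article).
BYPASS_CATEGORIES = {"banking", "healthcare"}
CATEGORY_OF_HOST = {                      # constructed, illustrative hostnames
    "online.examplebank.test": "banking",
    "portal.examplehealth.test": "healthcare",
    "cdn.examplesite.test": "general",
}

def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Extract the server_name (SNI) from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                       # not a ClientHello
        return None
    pos = 4 + 2 + 32                                  # hs header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len             # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len               # compression methods
    if pos + 2 > len(hs):
        return None                                   # no extensions present
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0:                                # server_name extension
            # layout: list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

def decryption_decision(record: bytes) -> str:
    """Return 'bypass' for protected categories, else 'inspect' (scan)."""
    host = sni_from_client_hello(record)
    if host is None:
        return "inspect"   # no SNI: default to scanning; an operator may differ
    category = CATEGORY_OF_HOST.get(host, "uncategorized")
    return "bypass" if category in BYPASS_CATEGORIES else "inspect"

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello with one SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Unknown hostnames fall through to inspection, which is the conservative default for the blind spot the article describes; a real deployment would back the category map with a maintained URL-category feed.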

Encryption, meanwhile, is on the rise in organizations. Thompson estimates that 10% of traffic volume at a typical business was encrypted 2-3 years ago. Now it's closer to 40%, much of that thanks to the top websites -- such as Google, Amazon, and Facebook -- operating with HTTPS by default today.

The bad guys also are capitalizing on encryption. Gartner predicts that, by 2017, more than half of all cyberattacks will use some form of encryption to sneak malicious traffic by security systems.

Housley addressed the challenges full-scale encryption poses for security monitoring. He wrote that the IAB will help promote the development of approaches that balance enterprise security needs with more secure and private Internet communications.

"We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload," Housley wrote in the IAB statement. "For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default."
