Working with Internet technology often involves details deep inside the technology. But it seems that this week has been a perfect storm of highly visible and important technical developments: A major upgrade to HTTP, the basis of all web communications. Work on future transport protocols, including proposals to add security directly to TCP. Discussing the choice of technology for making video calls directly in Web browsers without plug-ins.
And, of course, mass Internet surveillance. This was clearly the discussion that has received most attention at the IETF-88 meeting. What can we do about improving the situation? And should we? As the end of the meeting draws closer, I wanted to summarise where we are and what we are going to do.
IETF Security Area Director Stephen Farrell said that pervasive surveillance represents an attack on the Internet. And the rest of us agree. Such pervasive surveillance requires the monitoring party to take actions that are indistinguishable from an attack on Internet communications. So we are willing to work to address it, just like any other threat. Many working groups that I went to were addressing this topic in one way or the another, reviewing application by application, doing careful work to understand what options we have to improve security, and weighing the various trade-offs in different designs. As Stephen says: “While there are challenges isolating the specific areas of attack that IETF protocols can mitigate, all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem.” In many cases, privacy against pervasive monitoring was considered on an equal footing with other security issues for the first time.
What happens next? I want to be clear that this is a long-term effort. Not a reaction to specific revelations, but a wholesale upgrade to our view what the threats in the Internet are and how they need to be addressed. And the updates will be hard work. And technology does not have solutions for all problems. But we will be working on general IETF-wide principles on how to address the new threats, thinking about the ways to use technologies such as TLS or opportunistic encryption. And, we will be working on the specific protocols and application areas (HTTP, XMPP, etc). Of course, all this work will be done in an open manner, with broad participation and review, which is the way we work at the IETF. I would like to invite everyone to join the effort!
I was also very glad to see a lot of attention in the press for our efforts, including beyond the technical media (e.g., Economist). This underscores the broad visibility of this issue, and the importance Internet users place on our efforts to address it. Not to mention social media. For the first time we have had more people watch our meeting remotely on YouTube than onsite. Countless tweets went out on the #IETF88 hashtag.
Finally, I would claim that if there is a one video about Internet security that you watch this year, I think it should be this one: the IETF-88 technical plenary video. Do share the video with your friends and colleagues!