New IETF Group to Tackle TLS Implementation in Applications

The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP.

The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP.

The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it’s deployed properly, reducing the errors that could make surveillance and other attacks easier.

“There is a renewed and urgent interest in the IETF to increase the security of transmissions over the Internet. Many application protocols have defined methods for using TLS to authenticate the server (and sometimes the client), and to encrypt the connection between the client and server. However, there is a diversity of definitions and requirements, and that diversity has caused confusion for application developers and also has led to lack of interoperability or lack of deployment. Implementers and deployers are faced with multiple security issues in real-world usage of TLS, which currently does not preclude insecure ciphers and modes of operation,” the description in the working group’s charter says.

There have been a number of attacks developed against SSL and TLS in recent years, and there have been reports that the NSA has some unspecified capabilities to defeat SSL, as well. On the Web, there are plenty of ways that encryption can be implemented incorrectly by site owners, but the Web isn’t the only focus of the new working group. The group also will consider ways to improve the usage of TLS in other applications, specifically email.

As part of its work, the group plans to update the definition for using TLS to communicate with proxies, as well as sever-to-server traffic and peer-to-peer traffic. The working group also plans to develop a set of best practices for using TLS, which may include the usage of forward secrecy and which versions of TLS developers should implement.

“The initial set of representative application protocols is SMTP, POP, IMAP,XMPP, and HTTP 1.1. It is expected that other protocols that use TLS might later be updated using the guidelines from this WG, and that those updates will happen through other WGs or through individual submissions. The WG will make the fewest changes needed to achieve good interoperable security for the applications using TLS,” the group’s charter says.

Suggested articles