The Internet Architecture Board, the body in charge of overseeing the structure of many of the Internet’s key standards, has recommended that encryption be the default traffic option for protocols. The recommendation comes after more than 18 months of revelations about pervasive online surveillance by intelligence agencies.
The IAB is part of the Internet Engineering Task Force, the body that sets technical standards for the global network, and is responsible for overseeing the architecture of the IETF’s process. The board said in a statement that it has become evident that attackers’ capabilities have grown dramatically in the last decade and a half, making ubiquitous encryption a necessity.
“The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic,” the statement says. “We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.
“The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.”
The statement by the IAB is a direct response to the events of the last couple of years and the revelations by Edward Snowden of the NSA’s massive surveillance on the Internet. Internet companies and technology vendors have responded to the NSA revelations by increasing their use of encryption, especially on links between data centers. But the Internet itself was not designed with security in mind. Rather, openness and interoperability were the main goals of the network’s designers.
The IAB believes that ubiquitous encryption can help address the shortcomings of the original design and protect users from attackers and surveillance.
“We believe that each of these changes will help restore the trust users must have in the Internet. We acknowledge that this will take time and trouble, though we believe recent successes in content delivery networks, messaging, and Internet application deployments demonstrate the feasibility of this migration. We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload. For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default,” the IAB statement says.