Solution) Reply-To: PRIVACY Forum Digest mailing list <privacy@vortex.com> http: Must Die! (and The Encryption Solution) http://lauren.vortex.com/archive/000338.html It's been fun http:, but a man's gotta move on and there's no place for you on the back of my bike anymore. You were fun once but you're a drag now, and I just can't trust you anymore. It's not your fault but that's the way it is. Sorry, kid. Hey, https:! C'mon over here! Greetings. Sometimes you just have to bite the bullet when it comes to significant technological changes, and I believe that such a time has come for the basic http: unencrypted Web protocol. When we first started discussing Network Neutrality some years ago, we mostly talked in terms of trying to make sure that data streams would be handled in a fair and nondiscriminatory manner. Then with the Comcast BitTorrent case, it became clearer that it was appropriate to worry about whether underlying protocols might be manipulated by ISPs, resulting in delays or outright blocking. But now it's increasingly obvious that we're dealing with a triple-whammy, with ISPs apparently gearing up to treat our data like a 1960s draft board physical. That is (to quote Arlo Guthrie's "Alice's Restaurant"): "... injected, inspected, detected, infected, neglected and selected." More specifically, as noted in "Google Hijacked -- Major ISP to Intercept and Modify Web Pages" ( http://lauren.vortex.com/archive/000337.html ) and "ISPs Spying On and Modifying Web Traffic" ( http://lauren.vortex.com/archive/000336.html ), ISPs are increasingly taking the stance that our data is subject to ISP-based manipulation of all sorts. We're not talking about just traffic shaping -- though that's problematic enough in many cases. We're now looking at outright alteration of traffic contents -- the very payload of our Internet communications. ISPs have argued that such techniques allow for transparent removal of viruses, pop-ups, and so on. But now, feeling empowered by the capabilities of new TCP/IP mangling machines, the situation seems poised for consumers and businesses -- except perhaps those able to pay significant premiums -- to be relegated to serf (no pun intended) status in the ISP kingdoms. While public policy and legislative changes may eventually address some of these issues, there's something that we can do *right now* to start assuring that we can control our own Internet communications. That first, key action is to begin phasing out, as rapidly as possible and in as many application contexts as practicable, the use of unencrypted http: Web communications, and move rapidly to the *routine* use of SSL/https: whenever possible. This is of course but an initial step in a rather long path toward pervasive Internet encryption, but it would be an immensely important one. SSL is not a total panacea by any means. In the absence of prearranged user security certificates, SSL is still vulnerable to man-in-the-middle attacks, but any entity attempting to exploit that approach would likely find themselves in significant legal difficulty in short order. Also, while SSL/https: would normally deprive ISPs (or other intermediaries along the communications path) of the ability to observe or modify data traffic contents, various transactional information, such as which Web sites subscribers were visiting, would still be available to ISPs (at least in the absence of encrypted proxy systems). Another potential issue is the additional computational cost associated with setting up and maintaining SSL communication paths, which could become significant for busy server sites. However, thanks to system speed improvements and a choice of encryption algorithms, the additional overhead, while not trivial, is likely to at least be manageable. The associated security and privacy benefits make this transition essentially a no-brainer from a cost/benefit standpoint -- at least if we're really concerned about maintaining the integrity of the carefully crafted Web experience that we present to users. We've gotten a good run from http:, but all good things come to an end. A graceful retirement for virtually all unencrypted Web communications, and a brisk move to routine SSL/https: use, are both honorable and justified -- and practical now. Let's ride. --Lauren-- Lauren Weinstein lauren@vortex.com or lauren@pfir.org Tel: +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, NNSquad - Network Neutrality Squad - http://www.nnsquad.org Founder, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com _______________________________________________ privacy mailing list http://lists.vortex.com/mailman/listinfo/privacy