[ PRIVACY Forum ] http: Must Die! (and The Encryption
privacy at vortex.com
privacy at vortex.com
Mon Dec 10 11:12:45 PST 2007
Reply-To: PRIVACY Forum Digest mailing list <privacy at vortex.com>
http: Must Die! (and The Encryption Solution)
It's been fun http:, but a man's gotta move on and there's no
place for you on the back of my bike anymore. You were fun
once but you're a drag now, and I just can't trust you
anymore. It's not your fault but that's the way it is.
Sorry, kid. Hey, https:! C'mon over here!
Greetings. Sometimes you just have to bite the bullet when it comes
to significant technological changes, and I believe that such a time
has come for the basic http: unencrypted Web protocol.
When we first started discussing Network Neutrality some years ago,
we mostly talked in terms of trying to make sure that data streams
would be handled in a fair and nondiscriminatory manner. Then with
the Comcast BitTorrent case, it became clearer that it was
appropriate to worry about whether underlying protocols might be
manipulated by ISPs, resulting in delays or outright blocking.
But now it's increasingly obvious that we're dealing with a
triple-whammy, with ISPs apparently gearing up to treat our data
like a 1960s draft board physical. That is (to quote Arlo Guthrie's
"Alice's Restaurant"): "... injected, inspected, detected,
infected, neglected and selected."
More specifically, as noted in "Google Hijacked -- Major ISP to
Intercept and Modify Web Pages"
( http://lauren.vortex.com/archive/000337.html )
and "ISPs Spying On and Modifying Web Traffic"
( http://lauren.vortex.com/archive/000336.html ), ISPs are
increasingly taking the stance that our data is subject to ISP-based
manipulation of all sorts.
We're not talking about just traffic shaping -- though that's
problematic enough in many cases. We're now looking at outright
alteration of traffic contents -- the very payload of our Internet
ISPs have argued that such techniques allow for transparent removal
of viruses, pop-ups, and so on. But now, feeling empowered by the
capabilities of new TCP/IP mangling machines, the situation seems
poised for consumers and businesses -- except perhaps those able to
pay significant premiums -- to be relegated to serf (no pun
intended) status in the ISP kingdoms.
While public policy and legislative changes may eventually address
some of these issues, there's something that we can do *right now*
to start assuring that we can control our own Internet communications.
That first, key action is to begin phasing out, as rapidly as
possible and in as many application contexts as practicable, the use
of unencrypted http: Web communications, and move rapidly to the
*routine* use of SSL/https: whenever possible.
This is of course but an initial step in a rather long path toward
pervasive Internet encryption, but it would be an immensely
SSL is not a total panacea by any means. In the absence of
prearranged user security certificates, SSL is still vulnerable to
man-in-the-middle attacks, but any entity attempting to exploit that
approach would likely find themselves in significant legal
difficulty in short order.
Also, while SSL/https: would normally deprive ISPs (or other
intermediaries along the communications path) of the ability to
observe or modify data traffic contents, various transactional
information, such as which Web sites subscribers were visiting,
would still be available to ISPs (at least in the absence of
encrypted proxy systems).
Another potential issue is the additional computational cost
associated with setting up and maintaining SSL communication paths,
which could become significant for busy server sites. However,
thanks to system speed improvements and a choice of encryption
algorithms, the additional overhead, while not trivial, is likely to
at least be manageable.
The associated security and privacy benefits make this transition
essentially a no-brainer from a cost/benefit standpoint -- at least
if we're really concerned about maintaining the integrity of the
carefully crafted Web experience that we present to users.
We've gotten a good run from http:, but all good things come to an
end. A graceful retirement for virtually all unencrypted Web
communications, and a brisk move to routine SSL/https: use, are both
honorable and justified -- and practical now.
lauren at vortex.com or lauren at pfir.org
Tel: +1 (818) 225-2800
- People For Internet Responsibility - http://www.pfir.org
- Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
privacy mailing list
More information about the cypherpunks-legacy