Inside The Box
4:36 pm
Sat February 1, 2014

Toward A Secure Internet

The Internet was not designed with security in mind. It was developed by computer scientists, most who knew one another personally, with the goal of interconnecting computers (at the time, large mainframes) and moving data back and forth. Security adds a layer of complexity and the task before them was complex enough. So they pressed forward, perhaps unaware that they were laying an unsecure foundation for what would decades later become a critical global communications infrastructure that today has more than 8 billion computing devices connected to it.

While this has worked out well for the folks at the NSA, it’s not such a good thing for you and me and the couple billion other folks around the world daily using the Internet. It’s also not good for the millions of companies, non-profit organizations, and social movements who daily rely on the Internet for communication and collaboration.

Let’s start with the World Wide Web that most of us probably use every single day. When you launch a web browser and connect to a website, you’re using the Hypertext Transfer Protocol, or HTTP. That’s what that “http” is that precedes the website address up in your web browser’s address bar. (If you see “https,” no worries, I’ll get to that in just a minute.) HTTP is the protocol that enables your web browser to communicate with a web server, which is where all the web pages that include text, pictures, videos, and hyperlinks to other websites, are stored. Web pages are just files on a computer located somewhere in the world. Your web browser is the “client” making the request for the information stored on that computer, which, in turn, is the “server” serving up the requested information.

All communications protocols like HTTP occur on a designated virtual “port.” In the case of HTTP, all traffic is defined to occur via port 80. So when you open your web browser and go to www.ijpr.org, you are connecting to Jefferson Public Radio’s web server using HTTP over port 80. That connection request originates at your computer, goes to your Internet Service Provider, making hops from router to router until it is received by the web server that hosts all the files that comprise the ijpr.com website.

All of that communication, however, happens “in-the-clear,” so to speak, on the information superhighway. It’s the equivalent of driving to the grocery store with a large sign on top of your car featuring your name, address, and telephone number as well as the name, address, and telephone number of your destination.

None of us would probably want to do that. Even when we are out in public, we have a certain expectation of privacy. We probably don’t want just anyone knowing who we are, where we’re coming from and where we’re going. But this is essentially what you are giving up when you connect to a website using HTTP.

“So what?” you might say.

Yes, so what. Who cares? Who’s watching anyway?

Well, all kinds of folks, including your own government (see my column “Frankenstein, Tinfoil Hats, and The
NSA” http://ijpr.org/post/frankenstein-tinfoil-hats-and-nsa for more information about that).

The secure implementation of the HTTP is a bit better, but also has limitations. Hypertext Transfer Protocol Secure, or HTTPS, creates an encrypted connection between your computer’s web-browser (the “client”) and the computer hosting the website you are connecting to (the “server”).  HTTPS communication occurs on port 443. All communication between the client and server is encrypted as it travels about the network infrastructure of the Internet. HTTPS accomplishes this by utilizing another protocol called Transport Layer Security (TLS).

Currently, however, only 25 percent of websites utilize HTTPS, which means that the majority of the web traffic zipping around on the Internet is unencrypted and in-the-clear. This is why the NSA has been able to take the Hoover vacuum cleaner approach to surveillance.

The Internet Engineering Task Force (IETF) is working on an updated implementation of HTTP called “HTTP 2.0” that would be encrypted by default. The goal is to begin rolling out HTTP 2.0 by the end of this year. Wide-spread adoption, however, could take some time as it won’t be mandatory for websites to adopt the new HTTP standard.

Once HTTP 2.0 does become widely adopted, most all of the traffic enroute between clients (that’s you) and servers (the computers serving up content) will no longer be vulnerable to massive surveillance by the NSA.

“Ubiquitous encryption on the Internet backbone will do an enormous amount of good and provide some real security and cover traffic for those who need to use encryption,” said IETF chair Jari Arkko. “The more you can encrypt data as it flows on the Internet, the better we’ll do.”

While implementation of HTTP 2.0 is a good step toward securing the Internet, security guru Bruce Schneier, who has been a vocal critic of the NSA’s massive surveillance efforts, advocates that technical solutions are not going to be enough.

“The Internet has become essential to our lives, and it has been subverted into a gigantic surveillance platform,” Schneier said in an interview last year. “The solutions have to be political. The best advice for the average person is to agitate for political change.”

Scott Dewing is a technologist, teacher, and writer. He lives with his family on a low-tech farm in the State of Jefferson. Archives of his columns and other postings can be found on his blog at: blog.insidethebox.org