Masters of the Internet. Are standards our last defense?

The previous blog on Mastering the Internet commented on how government intelligence agencies are intercepting Internet communications en masse. And that, perhaps, this would signify the end of the first Internet age, “The Naive Age”, where many social media users are blissfully unaware of their lack of privacy and where phishing scams and identity theft are commonplace. However, the Naive Age is almost done. Enter “The Age of Enlightenment”, where Internet users are aware of the risks, and where Internet and technology providers must do more to protect their visitors and consumers.

In a recent article in the UK’s Financial Times, Internet launches fightback against state snoopers, Robert Cookson comments on the IETF’s intent to introduce encryption at ‘the heart of the web’ by mandating TLS in the next version of HTTP. Essentially, a proposal to extend the encryption technology used by banks and e-commerce retailers to include all web communication. The objective is to make eavesdropping and electronic snooping more difficult.

What is TLS?

TLS has been around since 1999, so why has adoption not been more widespread?  The answer lies in the lack of an operating standard. There is no consistent adoption of both TLS versions (several) and ciphers (multiple, as well) across the many web browser, web sites and application vendors. For example, the OpenSSL website has a long list of different ciphers where the choice of any preferred cipher relies on best practice. Of greater importance is the lack of adoption of TLS1.2, the most recent and only secure version. The key (pun intended) initiative therefore from the IETF is one of standards adoption.

How secure is TLS?

Will it make any difference? The Financial Times’s article focussed on preventing government snooping. Unfortunately secure TLS is likely to be more of an inconvenience than an insurmountable obstacle for most Intelligence Agencies. For example, the secure TLS mode on my Blackberry offers 128 bit encryption which is better than the 56-bit mode, but far from impregnable. A good high school maths student ought to be able to decipher these messages in a few minutes. 1024, 2048 and 3072-bit systems are supported and are increasingly secure, but processing overhead (and cost) increases dramatically with key size. And of course, there are many other attacks other than the sledgehammer of a front door approach, including TLS side channel attacks and website spoofing (for TLS attacks, an Internet take of the classic man-in-the-middle attack on public key systems).

Privacy and Security

That said, the main concerns for most of us using the Internet are privacy and identity assurance- protecting key information from criminals, our credit card and banking details, logins and passwords, and access to online tax, insurance e-Commerce sites. Most of us are awakening from “The Naive Age” having suffered from or had near misses from phishing scams and security theft. We are all hoping for better security and protection. So perhaps this is where the IETF initiative will have most impact.

Real-time Security Intelligence

SQLstream recently announced that InfoArmor has adopted SQLstream as the core real-time data collection and analytics platform for its identity theft monitoring engine, now enabled to collect and analyze in real-time the many different data sources required to detect patterns of identity theft. As we’ve seen in other areas such as cybersecurity, the more advanced the defense, the more sophisticated the attacks, and the better the detection systems need to be- which is where we plan to be of help.