Category: Encryption

Nevada Wants to Reduce Online Protections for Children: All Internet Users Should Benefit from Strong Encryption

Today we joined an effort to stop the State of Nevada from making it easier for children’s personal information to be obtained by child predators, criminal gangs, foreign nations, and others. The State of Nevada seems to think that children deserve less protection online. Under a misguided view of seeking to “protect” children, the State […]

The post Nevada Wants to Reduce Online Protections for Children: All Internet Users Should Benefit from Strong Encryption appeared first on Internet Society.

Techxit: The UK Declares Its Exit from the High-Tech Startup World

No one in their right mind would now want to start up a high-tech company in the UK. With a last-minute addition to the Online Safety Bill (OSB), the UK government made it clear that startups are no longer welcome in the UK. Previously, the OSB applied to “regulated services” that had to be above […]

The post Techxit: The UK Declares Its Exit from the High-Tech Startup World appeared first on Internet Society.

Encryption is critical for business communication

Imagine if all your business contracts were sent to customers written on postcards. Everyone who happened to see the postcard could see exactly what you were going to charge the customer, how many of your product the customer is going to order – and all of the information about the customer.

Your competition, naturally, could take that information and send a contract to that customer of yours that undercuts your proposal and offers better terms. They could also share that information with others to let them know that this customer buys from you. (Or, at least, they used to!) Your customer, too, could potentially see what you are charging other customers.

Now… STOP imagining – THIS IS HOW THE INTERNET WORKS TODAY!

In the physical world, of course, we don’t do this. We fold up contracts and we put them in envelopes. We might then put the sealed envelope inside a larger courier envelope. If we are really paranoid we might put them inside “tamper-proof” envelopes – or envelopes that can only be opened with a specific key.

But in the online world we don’t have these same protections by default. Every message you send has historically been broken down into many small packets and sent – unprotected – across the Internet. This is the digital equivalent of sending everything on postcards.

We need to protect our online business communication.

We need digital envelopes

The solution we have is to use encryption to protect our online information. We need to stop sending postcards – and put digital envelopes around all of our data.

We need to encrypt the information when we are sending it between people. We do this today online with technologies such as the HTTPS “lock” we see in our browsers (which is actually Transport Layer Security or “TLS”, formerly called “SSL”).

If we are to have safe, secure, and trusted economic transactions over the Internet we must know that only the people involved with the transaction can see the information.

We need digital envelopes – THAT is why we need encryption.


P.S. Some readers might notice that regular physical envelopes can be opened at the post office, in the company mail room, by customs officials at a border, or by other people who intercept the envelopes. That is true in the online world, too. There are different types of encryption. Some can be intercepted by people in the middle (what we call “hop-by-hop” encryption) and some types of encryption are secure between the sender and receiver (what we call “end-to-end” encryption). But that’s the topic for another blog post…

The post Encryption is critical for business communication appeared first on Internet Society.

Make Encryption The Norm For All Internet Traffic, Says The Internet Architecture Board (IAB)

The Internet Architecture Board announced a new “Statement on Internet Confidentiality” yesterday that calls on “protocol designers, developers, and operators to make encryption the norm for Internet traffic”. The statement, distributed via email by IAB Chair Russ Housley, goes further in urging those who design and develop new protocols “to design for confidential operation by default”.

The strong statement, republished below, represents the continued evolution of the thinking of the wider technical community, as represented by the IAB and the IETF, that in light of the disclosures of massive pervasive monitoring of the Internet (see RFC 7258), the technical infrastructure of the Internet needs to be strengthened against those attacks.

As the IAB statement notes, such a move to make encryption the default will have impacts on some aspects of current network operations, but the statement represents the very public commitment by the IAB to help create the conditions under which, as it says, we can “move to an Internet where traffic is confidential by default.”

From our perspective here at Deploy360, we definitely welcome this statement as it will help the overall security of the Internet. Within the topics we cover here, we encourage developers to look at adding TLS to all their applications, and we encourage network operators to do all they can to help their customers use TLS-encrypted applications wherever possible. We are also looking forward to continued discussions such as those held in the DPRIVE Working Group this week at IETF 91 that will improve the confidentiality and privacy of DNS interactions as well as those within the routing infrastructure.

Here is the full IAB Statement on Internet Confidentiality:

IAB Statement on Internet Confidentiality

In 1996, the IAB and IESG recognized that the growth of the Internet depended on users having confidence that the network would protect their private information. RFC 1984 documented this need. Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known. The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic. Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.

Newly designed protocols should prefer encryption to cleartext operation. There may be exceptions to this default, but it is important to recognize that protocols do not operate in isolation. Information leaked by one protocol can be made part of a more substantial body of information by cross-correlation of traffic observation. There are protocols which may as a result require encryption on the Internet even when it would not be a requirement for that protocol operating in isolation.

We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.

The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.

We believe that each of these changes will help restore the trust users must have in the Internet. We acknowledge that this will take time and trouble, though we believe recent successes in content delivery networks, messaging, and Internet application deployments demonstrate the feasibility of this migration. We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload. For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default.

We’re looking forward to working with all of you there to bring about this Internet where traffic is encrypted by default!