In the wake of disclosures about the National Security Agency’s widespread surveillance of online activity, an influential group has proposed a radical solution to enhance privacy: encrypt everything.
At a conference held in Berlin earlier this month, the Internet Engineering Task Force, which has been at the forefront of determining the Internet’s architecture for nearly three decades, reached a “rough consensus” advocating for a system where all information passed between a user’s Web browser and an individual website is subject to encryption.
“There has been a complete change in how people perceive the world [since the revelations of whistleblower Edward Snowden],” software engineer Mike Belshe, a task force member who was an early employee at Netscape and helped develop Google’s Chrome browser, told the Financial Times. “Not having encryption on the web today is a matter of life and death.”
Due to the Web’s decentralized nature, it’s impossible for the task force to impose these new standards by fiat; however, the group is not only widely influential across the tech industry, it is also instrumental in the development of an update to the HTTP system, the foundation for all Web-based data communication, slated for rollout next year. This new level of security could be built into “HTTP 2.0” and then be adopted by Web developers shortly thereafter.
At present, the vast majority of data on the Web flows unencrypted between sites and users. The choice of whether to add extra layers of security to that interaction is left up to the administrators of any given website. The minutes of the Berlin meeting labeled it “an asymmetric relationship.”
Under the proposed new system, individual users would be able to turn on data encryption for any website they browse.
Encryption is already utilized by many websites—particularly finance and e-commerce pages—and was adopted by Facebook for all users last year. Nevertheless, the vast majority of sites on the Web lack these protections, leaving their data comparatively vulnerable to both governments and non-state actors interested in taking a peek.
Encrypted sites are currently identified using the “https” prefix at the beginning of the URL.
Since HTTPS is comparatively slower than standard HTTP, some sites that employ encryption have it in place only on the individual pages where users enter their most sensitive information, or end up feeding that encrypted info back into the rest of their unencrypted site. One way for current Internet users to maximize their safety is to use a program like HTTPS Everywhere, a browser extension developed by the Electronic Frontier Foundation and the Tor Project that fixes some of those security issues.
Even if all sites on the Web suddenly switched over to using encryption, that wouldn’t mean every piece of data someone submits would suddenly become secure from prying eyes.
“There are limits to the reach of this scheme, of course,” explains online safety blog Naked Security. “The first and most serious is that this proposal concerns the privacy of your information while in transit, not once it gets there. There is nothing that the IETF or their protocol can do to stop a website from offering up your data to the NSA after it has received and decrypted it.”