Dr Phillip Hallam-Baker, a vice president and principal scientist in charge of web security software development at security software vendor Comodo, has published a paper calling for a more robust internet architecture that can combat web spying by governments.
The Internet Engineering Taskforce (IETF) draft paper, called "Prism-Proof Security Considerations", explores "the security controls that may be employed to mitigate the risk of pervasive intercept capabilities regardless of source".
Further reading Zuckerberg and Mayer hit back at Prism critics PRISM could cost US cloud firms $35bn but benefit European providers PRISM and beyond: Is the government's capture of public data spiralling out of control? Prism and GCHQ: 'Nothing to see here' says Intelligence and Security Committee
It follows a call by IETF chairman Jari Arkko, who works for Ericsson, and IETF security area director Stephen Farrell, for improvements to internet protocols and architecture in a bid to combat government spying.
In a blog posting, the two influential IETF members called for a debate on how best to combat the threat of state-sponsored spying on the internet.
Items under consideration by the IETF, according to the jointly authored blog post, include:
How to ensure the next generation of the hyper text transfer protocol is better secured by transport layer security cryptographic protocols; for example, by enabling clients to require it by default; How to combat the threat of pervasive monitoring demonstrated by whistleblower Edward Snowden's leaked documents; How to make better use of existing protocol features that protect against the capture of private encryption keys, such as use of the "Perfect Forward Secrecy" in transport-layer security, which protects private encryption keys; Updating specifications to help retire weaker cryptographic algorithms.
However, the US National Security Agency (NSA) in the past has infiltrated IETF standards-setting committees with agents in a bid to subvert and undermine global computer security standards.
Having set standards that are both complicated and weak, it has subsequently sought to exploit those weaknesses in mass information-gathering campaigns.
Writing about how the IPSec security standard was drawn up, Electronic Freedom Frontier co-founder John Gilmore wrote in a recent blog posting:
"NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents...
"Every once in a while, someone not an NSA employee, but who had long-standing ties to NSA, would make a suggestion that reduced privacy or security, but which seemed to make sense when viewed by people who didn't know much about crypto...
"The resulting standard was incredibly complicated - so complex that every real cryptographer who tried to analyse it threw up their hands and said, 'We can't even begin to evaluate its security unless you simplify it radically'."
He continued: "I also found situations where NSA employees explicitly lied to standards committees, such as that for cellphone encryption, telling them that if they merely debated an actually-secure protocol, they would be violating [US] export control laws unless they excluded all foreigners from the room (in an international standards committee!)."
The revelation that the NSA attempted to subvert standards directly on the bodies of global organisations established to specify them has hardened opinion in favour of more secure internet protocols - and has also damaged the idea of US leadership of internet design and security.
Prism-proof by design
Hallam-Baker's paper is the first officially published that begins to explore how the threat to web privacy and security can be tackled.
"The term 'Prism-proof' is used in this series of documents to describe a communications architecture that is designed to resist or prevent all forms of covert intercept capability.
"The concerns to be addressed are not restricted to the specific capabilities known or suspected of being supported by Prism or the NSA or even the US government and its allies," explains Hallam-Baker.
Much of the covert data collection perpetrated by the NSA involves metadata - information about data - making the IETF one of the best fora for devising systems that can stymie its efforts and similar initiatives in the UK, France, Germany, the Netherlands, Australia and New Zealand.
The IETF can, for example, redesign email standards to obscure email headers or require transport layer security connections between email servers to make it more difficult to eavesdrop on online communications, for example.
While the paper is somewhat light on concrete suggestions, it is intended to instigate contributions from other IETF members in order to develop workable technologies and specifications.
