In direct response to the reported “pervasive surveillance” being carried out, the Internet Architecture Board (IAB) said in a statement that protocol designers, developers, and operators should make encryption the norm. Not only should encryption be “deployed throughout the protocol stack”, given that there is “not a single place within the stack where all kinds of communication can be protected”, but new protocols should also be designed with confidential operation by default.
They go on to say:
“Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance.”
The aim of the changes is to “help restore the trust users must have in the Internet”.
Whilst I think this is a good idea and should improve security, it does pose questions for network and security administrators. It will make their jobs a lot harder if everything they see across the network is encrypted. The IAB seem to recognize this and are willing to work cooperatively to provide a solution that will hopefully benefit all.
I also find it encouraging that they are trying to get those developers who don’t even necessarily deal with user information to also use encryption so that they don’t reveal anything that might point to user information. Whilst I am glad the IAB has put this out and they recognize that it will take time, I wonder if it is feasible.