Remember when encryption meant scrambling your hard drive and using PGP for your email? It seems so quaint. Nowadays encryption has gotten much more complex, thanks to our friends in government agencies that have tapped into the Internet and made copies of our data out in the Utah desert. Or, make that metadata, sorry, it is hard to get the precise information, even with the NSA giving demos of its software tools to CBS.
The Electronic Frontier Foundation recently compiled a report card of the many faces of encryption that a modern Internet provider needs to operate on. It is a daunting list, but one that you all should read carefully and see how much work needs to be done in this area.
The report lists five different encryption practices that the major cloud players need to take, including:
- Encrypt all of the links between their data centers that traverse the public Internet. Ever since we all found out how the NSA was taping into public peering points, this seems like a good precaution for any provider to do. Microsoft and Facebook are in the process of implementing this; Google, Dropbox and Twitter already have.
- Support Secure HTTP by default for all Web access: this isn’t anything new and something that began several years ago, but Yahoo (always a day late) has only implemented this for its email services.
- Use HTTP Strict Transport Security (HSTS) protocols for all their Web traffic to avoid any of the newer browser-in-the-middle attacks. This protocol has been around for a year, although it is still far from being implemented widely.
- Use forward secrecy to hide encryption keys. Without this, someone who learns of a key can decrypt previously archived messages: does this sound familiar?
- Use the START TLS protocol to encrypt email traffic between different email servers, again to avoid man-in-the-middle attacks. This protocol has also been around for some time, but isn’t implemented universally.
If we look through the EFF list, LinkedIn comes up short on all measures, although promising to get started next year. The same is true for the many connectivity providers, such as Comcast, Verizon, and AT&T. Coincidently, that is where the government taps seem to be located. Harrumph.
One thing the EFF report could do a better job of is showing the major browsers and whether they support all these not-so-newfangled protocols: guess what, they don’t. For example, IE 10 lacks HSTS support. Here is a report from the good folks at OWASP that does show this information, although it is somewhat outdated.