GCHQoogle: so much for "Don't be evil"Given what we now know about the mass surveillance, and attack on the infrastructure of the internet, conducted by Britain’s GCHQ and America’s NSA (as well as their Chinese, Russian, German, etc counterparts).

Given that we now know, for a fact, that almost every byte of non-encrypted traffic is recorded and analysed, shouldn’t we now make a concerted effort to finally deprecate vanilla HTTP in favour of HTTP over TLS (HTTPS)?

When you use HTTP, it is a trivial matter for an attacker to see the content of the pages you visit, when, and how often you visit them. When using HTTP, there is also no guarantee that the content of the page hasn’t been modified without your knowledge, exposing you to all kinds of attacks.

Encryption, by and large, removes these problems, as well as massively increasing the cost of mass surveillance. Is it not time for all of us, as well as standards organisation like the IETF, push to make HTTPS the default? Even during my time I’ve seen insecure protocols like telnet and FTP go from widespread use to being almost completely replaced by secure alternatives (ssh and scp), so could we not do the same with HTTP?

Certificate authorities

Ok, there is one big difference between HTTPS and ssh (ok, many many, but one I care about here), and that is that HTTPS relies on certificate authorities. These are necessary in order to distribute trust, so that browsers can know to automatically accept a certificate and verify the server it is connecting to is who it says it is.

This is much nicer for the average user than, say, manually verifying the server’s fingerprint (as you have to do with SSH), but comes with some pretty serious problems if we were to make it default:

  • Every site owner would have to get a certificate, and these can only be obtained by a certificate authority if you don’t want browsers to pop up a big red warning, meaning we further bake these guys in to the Internet’s DNA.
  • Certificate authorities can be directly pressured by governments, so, a government attacker could MITM you on a secure connection and present you with a certificate that your browser accepts as valid, and so will give you no warning (of course, this is much more costly than the blanked mass surveillance that is currently going on).
  • Getting a certificate either costs money, and/or has restrictions placed on their use (for example, no commercial use, in the case of StartCom). This is really bad, since it essentially requires permission from a third party to launch a site.

It is this last causes me most concern, since it essentially provides an easy way of suppressing minority views.

Imagine that we lived in a world where HTTP had been deprecated, and browsers no longer supported unencrypted HTTP, or could, but you had to request it specifically (essentially the reverse of what we currently have). You wanted to launch a site that expressed a minority view – perhaps you were critical of your government, or you wanted to leak some information about crimes being committed, is it not inconceivable that you could have trouble obtaining a certificate? Given that certificate authorities are companies who worry about their bottom line, and are a convenient point for the bad guys to apply pressure?

If you couldn’t get a certificate in this environment, it could dramatically reduce the audience that would see your site.

So, perhaps before we move to deprecate HTTP, we must first find a better way than certificate authorities to distribute trust? How could we accomplish this? Perhaps we could take advantage of the fact that most people’s browsers automatically update, and so we could distribute browsers with expected certificates for sites hard coded into them (giving an added advantage that we could pin certificates)?

Anyway, its complicated, and I’m thinking aloud here… what are your thoughts?

The internet as we know it is under threat as never before. Surveillance, government censorship and secret corporate power plays threaten to destroy the Internet as a free and open platform for communication.

Much of the problem originates from the fact that the Internet has become ever increasingly centralised. In recent years, powerful encumbered players and elites have seen their power threatened, and have systematically attempted to “manage” the internet.

Communication and the free flow of information is too important a thing to allow to be threatened in such a way, so is it time that the citizens took control?

Citizen network

So, here’s a few thoughts on what this might look, and what I would like to see.

What I’d like to see are a range of local mesh networks grow up, providing free local connectivity to users. Initially, these will be highly local, but as the edges of the network expand, they’ll start to see other local networks and automatically negotiate routing between them. For networks further afield, perhaps an edge node which also has internet connectivity could provide a tunnelled link over the wider internet.

Hard encryption should be baked in, rather than added as an afterthought, and the network should aim for a situation where no unencrypted traffic is seen.

It should be possible to construct this sort of network with inexpensive and freely available hardware and software; perhaps, for small areas, a network of wifi repeaters, and for larger links perhaps a mixture of technologies – inter-network radio or microwave links, or even laying of fibre depending on the budget of those involved.

The goals of these networks should be to provide free access to anyone, and freedom for anyone to run a node on the network. With any luck, this will eventually kill the ISP business, and, in the UK at least, break BT’s stranglehold on connectivity.

There are a few local net projects about of course (they’re quite popular in Greece, apparently), but so far I don’t think we’ve seen much of an attempt to build them elsewhere, or to connect them together.

It’s a big job, but we built the Internet once, could we do it again?

Today is The day we fight back.

The day we fight back” is a international day of activism, held on the anniversary of Aaron Swartz‘s death. Swartz was an American computer programmer, writer and political activist who was driven to suicide by bullying from the US government, after he attempted to make public a number of scientific journals (the copyright wars now have a body count, read more, it’s horrific.)

On this day we commemorate Swartz’s death by holding an international day of protest against the illegal mass surveillance programs, conducted by the NSA and GCHQ (as well as others), that are used to invade the private lives of everyone on the planet, as revealed by whistle blower Edward Snowden.

The NSA and GCHQ, among other things, have attempted to subvert the technologies that we all use – to keep our medical records safe, to communicate in private about sensitive matters, to shop and bank securely online. In short, they have conspired (and succeeded) in making the internet a less safe place for you and your family, so it is fitting that today is also Safer Internet day.

So, today, do something to make the Internet a safe place for you and your family to work and play. Fight back.