Re: IAB Statement on Internet Confidentiality from Wendy Seltzer on 2014-11-17 (public-web-security@w3.org from November 2014)

From: Wendy Seltzer <wseltzer@w3.org>
Date: Mon, 17 Nov 2014 12:06:38 -0500
To: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <546A2B1E.807@w3.org>
Hi Vijay,

> What would the corresponding W3C statement be? W3C isn't doing a lot of protocols in the IETF sense. If we define a new browser JS API, what does a "prefer encryption" stance look like for that case? How about for say a new version of CSS or HTML?
> 
> I'm all for pervasive security but I'd like to make sure we're completely clear on what we're trying to achieve.


Good questions, which I'd recast to "What should W3C be doing to prepare
for and encourage a confidential Web?"

We could support transport-layer encryption.  For example, in several
groups, the conversation has started on preferring or requiring
secure/authenticated origins for powerful Web features,[1] which would
have the effect of encouraging sites to offer encryption, as well as
giving the user greater assurance that only authenticated endpoints
could access potentially sensitive features.

We could support application-level encryption, as the WebCrypto API[2]
does.

We could look at other threats to security and privacy of Web usage,
such as incomplete isolation of elements with different trust levels
(e.g. WebAppSec's Mixed Content spec[3]). The IAB's reference to
information leakage and unwanted linkage between connections also
suggests that we look deeper for ways to mitigate fingerprinting risks[4].

--Wendy

[1]
http://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
[2] https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
[3] http://www.w3.org/TR/mixed-content/
[4] https://w3c.github.io/fingerprinting-guidance/

> 
> -----Original Message-----
> From: Wendy Seltzer [mailto:wseltzer@w3.org] 
> Sent: Friday, November 14, 2014 11:51 AM
> To: public-web-security@w3.org
> Subject: Fwd: IAB Statement on Internet Confidentiality
> 
> The IETF IAB issued this statement today:
> ...
>> Newly designed protocols should prefer encryption to cleartext operation.
> ...
>> We recommend that encryption be deployed throughout the protocol stack 
>> since there is not a single place within the stack where all kinds of 
>> communication can be protected.
> ...
> 
> Should W3C make a similar effort to support pervasive encryption?
> (I supported this statement as part of the IAB PrivSec program.)
> 
> --Wendy
> 
> 
> 
> -------- Forwarded Message --------
> Subject: IAB Statement on Internet Confidentiality
> Date: Fri, 14 Nov 2014 04:26:02 -0500
> From: IAB Chair <iab-chair@iab.org>
> To: IETF Announce <ietf-announce@ietf.org>
> CC: IAB <iab@iab.org>, IETF <ietf@ietf.org>
> 
> Please find this statement issued by the IAB today.
> 
> On behalf of the IAB,
>   Russ Housley
>   IAB Chair
> 
> = = = = = = = = = = = = =
> 
> IAB Statement on Internet Confidentiality
> 
> In 1996, the IAB and IESG recognized that the growth of the Internet depended on users having confidence that the network would protect their private information.  RFC 1984 documented this need.  Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known.  The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic.  Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.
> 
> Newly designed protocols should prefer encryption to cleartext operation.
> There may be exceptions to this default, but it is important to recognize that protocols do not operate in isolation.  Information leaked by one protocol can be made part of a more substantial body of information by cross-correlation of traffic observation.  There are protocols which may as a result require encryption on the Internet even when it would not be a requirement for that protocol operating in isolation.
> 
> We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.
> 
> The IAB urges protocol designers to design for confidential operation by default.  We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default.  We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.
> 
> We believe that each of these changes will help restore the trust users must have in the Internet.  We acknowledge that this will take time and trouble, though we believe recent successes in content delivery networks, messaging, and Internet application deployments demonstrate the feasibility of this migration.  We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload.  For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default.
> 
> 
> 
> 
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Monday, 17 November 2014 17:06:44 UTC