#IETF88: On the costs of pervasive surveillance.

Last week’s IETF meeting in Vancouver was remarkable: I do not recall another IETF meeting over the past decade that was as dominated by a single topic, as this one was by “pervasive passive attacks”: assorted governments’ seemingly successful transformation of the Internet from a globally shared civilian infrastructure into a surveillance tool directed not merely at other governments (we seem to be accepting that game, in all its silliness), but at all of us. A transformation that puts the value of the network (economical and otherwise) at risk, and that runs against the self-interest and core values of open societies.

The engineering community won’t be able to take back the network. That remains a task for the political and societal debate. But the engineering community will be able to change cost balance of surveillance in very significant ways.

The key realization behind much of what was discussed in Vancouver, then, is about the relative cost of pervasive, passive surveillance, and of the defenses against such attacks.

In the traditional analysis, the technical ability to execute a passive attack often (not always) translates into the technical ability to execute an active one. Conversely, once you have the mechanisms in place to defend against active attacks, dealing with a passive attacker becomes pretty simple. As a result, the security community has spent much focus on mechanisms (like TLS) that defend against both. The key management requirements for defenses against active or passive attacks are rather different, however: An anonymous Diffie-Hellman key exchange (or some other similar key exchange mechanism) is enough to defend against passive attacks, and can yield perfect forward secrecy without depending on much additional infrastructure. Yet, establishing that you’re talking to the right party requires sophisticated key management and authentication infrastructures; enter PKI.

In terms of cost: Passive attacks are cheap, mostly undetectable, and seemingly low-risk. They can therefore be executed at scale. Active attacks — where communication isn’t just listened to, but actively manipulated — face a higher risk of exposure, and a much higher risk of collateral damage when executed. Defenses against passive attacks can be deployed incrementally, with very lightweight coordination between the parties. The defenses against active attacks that we have focused on in the past are comparably hard to deploy and actually use — arguably, we have failed deploying them at Internet scale. We have ended up in a situation in which passive attacks remain possible, while we’re waiting for the defenses against active attacks to catch on in the market.

That wait is now over: It looks like the engineering community has (finally!) decided that defending against passive attacks right now is worthwhile, and this is the time to develop and deploy those defenses.