IETF To Change TLS Implementation In Applications

Posted by timothy
from the nice-orderly-scramble dept.
Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it's deployed properly, reducing the errors that could make surveillance and other attacks easier."

  • Ok (Score:5, Insightful)

    by trifish (826353) on Sunday December 15, 2013 @05:09AM (#45693727)

    Just, please, this time, try to be more careful about who joins your working groups. And especially what their true intentions are.

    Sometimes when someone tries to "simplify deployment" or "offers insight to prevent user confusion", etc., you may want to think twice. History repeats itself, you know.

  • by Anonymous Coward on Sunday December 15, 2013 @06:14AM (#45693917)

    Does this mean that we'll finally give up on this sick certificate-based trust scheme?

    No. There are many people and institutions that are fine with the existing scheme and are not interested in adopting new techniques to thwart the NSA or whomever. The US government, for instance, will not be adopting an anti-NSA mentality any time soon, so they're not going to walk away from traditional CAs. Many businesses see no jeopardy to their business model if they continue to use cryptographic techniques that are vulnerable to the NSA or other national governments; as long as those techniques are sufficient to avoid legal jeopardy (disclosure laws, etc.) in the nations they operate in they won't concern themselves with the issue. In fact, they will almost certainly conclude that pursuing new techniques specifically to overcome these vulnerabilities will draw unwanted attention.

    Sorry but there it is.
