TMCnet Feature
November 15, 2013

HTTP 2.0 May Include Widespread Encryption for Improved Security

By Ed Silverstein, TMCnet Contributor

The controversy surrounding surveillance methods used by the National Security Agency (NSA) has reached the HTTPbis Working Group of the Internet Engineering Task Force (IETF), the group developing the HTTP (Hypertext Transfer Protocol) 2.0 specification. Last year the working group decided against requiring encryption by default; since the NSA revelations, it is reconsidering that position.



The IETF wants to see security improvements to the Internet that would make the kind of mass surveillance attributed to the NSA harder to carry out. The HTTPbis Working Group now wants encryption to be the "default way" data is transferred over the "open Internet."

"A growing number of groups participating in the standards-making process—particularly those who develop Web browsers—support the move, although as is typical in technical deliberations, there's debate about how best to implement the changes," according to a report from Ars Technica.

"There seems to be strong consensus to increase the use of encryption on the Web, but there is less agreement about how to go about this," Mark Nottingham, chair of the HTTPbis working group, explained in a letter he sent to participants.

The option the letter judges to have the most benefits and the fewest drawbacks is for HTTP 2.0 to be used only with https:// URIs on the open Internet. Under that option http:// URIs would continue to use HTTP 1.x, and older HTTP 1.x clients would still be able to interoperate with https:// URIs. The letter weighs it against two alternatives: opportunistic encryption for http:// URIs without server authentication (which protects against passive eavesdropping but not against an active attacker who can impersonate the server), and opportunistic encryption for http:// URIs with server authentication, the same mechanism but not "relaxed."

The first option is preferable to the third, the letter said, because it is "more straightforward, no new mechanism needs to be specified, and HSTS [HTTP Strict Transport Security] can be used for downgrade protection": once a host has served an HSTS policy over https, a conforming client will only contact it over https, so an attacker on the path cannot quietly push the connection back to plaintext. The first is also preferred over the second because it offers more protection against active attacks, and it has the support of browser vendors, who want to see more use of encryption.
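To make the downgrade-protection argument concrete, here is a minimal client-side HSTS policy store, added to this article as an illustration; it is not code from the working group or from any browser. It parses the Strict-Transport-Security header as RFC 6797 defines it, only accepts a policy delivered over https (a policy seen over plain http is exactly what an on-path attacker could plant), upgrades later http:// requests for known hosts, and forgets a policy once its max-age has elapsed. Host names, header values and the clock value are constructed for the walkthrough.

```python
"""HSTS as downgrade protection: a minimal known-HSTS-host store (RFC 6797).

Added example, not code from the article or the HTTPbis working group.
Host names, header values and timestamps below are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is missing or not a number. Directive names are
    case-insensitive and unknown directives are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known-HSTS-host cache keyed by host name; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry_epoch_seconds, include_subdomains)

    def record(self, url, header_value):
        """Learn a policy from a response; returns True if one was accepted.

        A header received over plain http is ignored (RFC 6797 section 8.1):
        honouring it would let an active attacker install policies of his choosing.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:  # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = (self.now() + max_age, include_subdomains)
        return True

    def is_hsts_host(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self.now():
                del self.hosts[candidate]  # expired: drop it and keep looking
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// before any request leaves the client."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Walk the downgrade scenario with a fake clock; returns the observations."""
    clock = [1_700_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    results = {}
    # 1. First visit over https: the server sets a one-year policy covering subdomains.
    results["learned"] = store.record(
        "https://example.test/login", "max-age=31536000; includeSubDomains")
    # 2. A policy delivered over plain http (e.g. injected on the path) is ignored.
    results["plain_http_ignored"] = not store.record("http://victim.test/", "max-age=31536000")
    # 3. Later http:// links for the host and its subdomains are upgraded client-side.
    results["upgraded"] = store.rewrite("http://example.test:80/account")
    results["subdomain_upgraded"] = store.rewrite("http://api.example.test/v1")
    # 4. A host with no policy is left alone: the first-visit window HSTS cannot close.
    results["untouched"] = store.rewrite("http://victim.test/")
    # 5. A header without max-age is rejected outright rather than half-applied.
    results["bad_header"] = not store.record("https://other.test/", "includeSubDomains")
    # 6. Once max-age elapses the upgrade stops until the policy is refreshed over https.
    clock[0] += 31536001
    results["expired"] = store.rewrite("http://example.test/")
    return results
```

The step that matters for the letter's argument is number 3: the upgrade happens inside the client before a single plaintext byte is sent, so an attacker who can answer http:// requests never gets the chance to serve a downgraded page. Steps 4 and 6 show the two limits of the mechanism, the first visit and policy expiry, which is why browsers additionally ship preloaded HSTS lists.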

The working group is likely to address other issues as well. Peer-to-peer caching is under consideration, as is "TLS Relaxed," the name given to opportunistic encryption without server authentication. Another open question is how proxies would be handled under HTTP 1.x and HTTP 2.0.

Also, the process will take time before a standard is accepted. "None of the solutions in securing the Internet is necessarily easy," IETF chair Jari Arkko was quoted by Dark Reading. "You need backward compatibility, interoperability among different parties, and different components."

Still, there are more concerns raised by Ars Technica. "With more than 500 certificate authorities located all over the world recognized by major browsers, all it takes is the compromise of one of them for the entire system to fail (although certificate pinning in some cases helps contain the damage). There's nothing in Nottingham's letter indicating that this single point of failure will be addressed," the report said. "It's unfortunate that the letter didn't propose alternatives to the largely broken TLS system, [as well] such as the one dubbed Trust Assertions for Certificate Keys, which was conceived by researchers Moxie Marlinspike and Trevor Perrin."




Edited by Cassandra Tucker