Not the Encryption Apocalypse…Yet

“This destroys the RSA cryptosystem.”

That is the last sentence in the abstract of a new, preliminary, dense mathematical paper published by renowned mathematician Claus Peter Schnorr. If this turns out to be true, it will mean bad news for anybody who relies on the underpinnings of encryption – which is everyone!

The paper, posted as a pre-print, meaning it is a draft paper that must undergo academic peer review, claims it has found an algorithm that significantly speeds up a particular kind of mathematical problem called factorization. Factorization is the process of finding two numbers that, when multiplied together, provide the given number. For example, calculating 23 x 29 is easy. (Try it yourself.) But factorizing 437 – finding the two numbers that multiply together to make 437 – will take anybody a bit of time. (It’s 19 x 23 by the way.)

Schnorr claims that he has found a way to significantly speed up the calculation needed to perform factorization – a claim that is currently widely disputed. Supposedly, his method will factor a number with roughly 260 digits about ten trillion times faster than previous methods.

Does Math Matter?

Factorization is the mathematical puzzle Continue reading

Discussion Paper Now Available about the New-IP Proposal

In the run up to the ITU World Telecommunication Standardization Assembly (WTSA-20) later this year there has been some discussion about a proposal called the “New IP.” It is positioned as a top-down architecture to solve a number of use cases that are currently been developed in the ITU-T’s Future Network 2030 Focus Group.

The Internet Society is carefully following the developments in the run-up to WTSA-20. We are trying to understand if and how the New IP works with the Internet as we know it, if it actually solves problems that cannot be solved in the Internet, and, if the ITU-T is developing standards, where other standards development organizations (SDOs) have change control.

In order to get a sense of the environment we commissioned a discussion paper, “An analysis of the ‘New IP’ proposal to the ITU-T.” The paper helps inform us and the broader community whilst the public debate around these proposals shapes up. It also aims to inform and shape the discussion from the Internet’s Society’s perspective. Eventually the debate around it will inform our position and the potential further evolution of the discussion paper itself.

We would like to thank Chip Sharp for authoring the paper, with input Continue reading

‘Major Initiatives in Cybersecurity’ Shows Everyone Can Contribute to Trust

How do we work toward a more secure Internet?

In the Cyber Security discussions that take place in the various policy fora around the world, there is often little appreciation that the security of the Internet is a distributed responsibility, where many stakeholders take action.

By design, the Internet is a distributed system with no central core or point of control. Instead, Internet security is achieved by collaboration where multiple companies, organizations, governments, and individuals take action to improve the security and trustworthiness of the Internet – so that it is open, secure, and available to all.

Today we’ve published Major Initiatives in Cybersecurity: Public & Private Contributions Towards Increasing Internet Security to illustrate, via a handful of examples regarding Internet Infrastructure, there are a great number initiatives working, sometimes together and sometimes independently, in improving the Internet’s security. An approach we call collaborative security.

Major Initiatives in Cybersecurity describes Internet security as the part of cybersecurity that, broadly speaking, relates to the security of Internet infrastructure, the devices connected to it, and the technical building blocks from which applications and platforms are built.

We make no claim to completeness, but we do hope that the paper illustrates the complexity, breath, Continue reading

Claudio Jeker Honored by Internet Security Research Group with Radiant Award

This week another Radiant Award has been awarded by the Internet Security Research Group, the folks behind Let’s Encrypt. The award puts the limelight on the heroes who make the Internet more secure and trustworthy each day.

The newest Radiant Award winner is Claudio Jeker, who receives the prize for his work of a BGP4 implementation on OpenBSD. This makes me horrendously enthusiastic. Why?

OpenBSD is a open-software based operating system that is focused on being secure and feature complete. It comes with a set of tools that make it ideally suited to be deployed, for instance, as a secure route server in an Internet Exchange Point (IXP). A route server is a service that an IXP can host in order to make the participating network service providers lives a little easier. They do not have to get the routing information from each other, but can simply talk to this piece of centralized infrastructure. OpenBSD allows this type of infrastructure to be build from commodity components in a scalable and secure way.

With a route server in place, an IXP can take additional measures to secure the Internet, namely by taking the MANRS actions.

Ultimately this would not be Continue reading

Rachel Player Honored by Internet Security Research Group with Radiant Award

Internet security is accomplished by many unsung heroes. People who put their talent and passion into improving the Internet, making it secure and trustworthy. This is a feature of the Internet: security isn’t achieved through a central mandate but through the hard work and tenacity of individuals working across the globe.

Rachel Player, a cryptographic researcher, is one of those unsung heroes. She’s just been awarded the Radiant Award from the Internet Security Research Group, the folks behind Let’s Encrypt, for her work in post-quantum cryptography and homomorphic encryption. Homomorphic encryption allows people to do computations on encrypted data, so that information can remain private and still be worked with. This is a highly-relevant field in any area that deals with sensitive and personal data, such as medicine and finance. Player is also interested in lowering the barriers for young people – young women, especially – to work professionally on topics like cryptography.

To learn more, read the announcement by the Internet Security Research Group and Rachel Player’s blog post about her work and her interest in making the profession more accessible.

Want to know more about Let’s Encrypt? Read a comprehensive overview of the initiative – from inspiration to Continue reading

Peace and Cyber Hygiene

It doesn’t immediately make sense, does it: the terms peace and cyber hygiene in the same breath. Still, there is a reason why these two come together at the Paris Peace forum this week. That reason is simple though. Cyber hygiene – taking basic and common measures to secure software, devices, and networks – reduces the attack vectors that can be used by criminals and state actors alike. Cyber hygiene will reduce the odds that your network is seen as a belligerent actor just because it has been hacked by others. Cyber hygiene helps to create a more trustworthy and secure environment where people can go about their daily business in confidence that nothing dreadful will happen to them. It is one of the tools in the toolbox of confidence-building measures that enable peace.

Supporters of the Paris Peace Call, which was launched at the Peace Forum last year, are committed to working together to, among other things, “improve the security of digital products and services as well as everybody’s ‘cyber hygiene.’” The Internet Society has joined with a significant number of states, companies, and organizations to sign the Paris Call.

The topic of cyber hygiene is not Continue reading

WhatsApp: How a Bug Relates to the G7

On 13 May, more than a billion users saw the messaging application WhatsApp being updated. At the same time reports appeared that a vulnerability had been used in attacks that targeted an unknown but select number of users and was orchestrated by an advanced cyber actor.

Facebook, the owner of WhatsApp, reported it fixed a vulnerability – a buffer overflow, a fairly well known type of vulnerability – that was, according to media (see references  below), used in the spyware product Pegasus from the NSO Group, an Israeli company that sells spyware to governments and intelligence agencies all around the world.

Two observations:

• Despite best efforts, bugs in software exist – if critical bugs in global communication systems are found they can have a global impact. There are two additional observations that come with that:
  • WhatsApp is a valuable target, if bugs exist they will be found and exploited.
  • A process that allows for bugs to be reported, promptly fixed, and automatically rolled out are crucial elements to maintain (or restore) trust in this sort of software. There are sectors of the industry (anybody listening in IoT land?) that can learn from how this is handled by Facebook.
• The Continue reading

What Is the Internet Model of Networking?

Fundamentally, the Internet model is that independent networks connect to one another and, all together, provide the global Internet.

The independent networks may be enterprises with business services and employees connected to them, they may be cloud service providers or residential Internet service providers. They are independent in the way that they choose their business models, build and manage their networks, and compete with their neighbors;  they offer, however, global connectivity by adhering (voluntarily) to a set of open Internet standards that enable interoperability. To connect on the Internet is inherently to do so voluntarily via open protocols.  A different architecture might use different choices, but these are the ones the Internet uses.

All these independent networks interoperate and form an Internet by participating in a global routing system, subject only to technical standards and agreements with neighbors (the technical terms here are peering and transit). The magic of the Internet is that in order to communicate between a mobile phone connected to a broadband provider in the Netherlands and a server in a data center in Kenya, the two networks at either end of the connection do not need a relationship with each other. The magic of the Continue reading

Jason Donenfeld Honored with the ISRG’s Radiant Award

Earlier this week Jason Donenfeld received the Radiant Award from the Internet Security Research Group. Jason is an accomplished engineer and a creative thinker, which makes his work clean, simple, and takes it a step beyond – most notably in WireGuard, an open-source secure VPN tunnel.

We are proud to have enabled this award. Let me explain why.

At the Internet Society we care a great deal about the technologies that help to establish trust between people around the globe, while those people may have never interacted before.

One of the groups we proudly partner with is the Internet Security Research Group, the non-profit behind the Let’s Encrypt initiative. In the 4 years since Let’s Encrypt was launched, it has changed the landscape of web traffic encryption. Whereas in 2014 around 30% of pages loaded by Firefox where loaded over a secure channel, that number has increased to over 75% by now. I believe that rise in secure web traffic is in large part the result of the work by Let’s Encrypt.

Before 2014 it was somewhat costly to get a web certificate, a critical piece of authentication material that is the basis of establishing global trust. Both Continue reading

Global Cybersecurity and the Internet Conundrum

Today marks the 100th anniversary of the armistice that ended the first World War. The 1918 ceasefire re-introduced a fragile peace that had collapsed when the world failed to defend common rules and international cooperation. International security and stability are as important now as they were a century ago.

That’s why French President Emmanuel Macron and leaders from around the world are about to gather in Paris for the first Paris Peace Forum. The forum will attempt to pave a way forward for a world that is shifting and changing faster than most of us can keep up with. That change and shift, and the speed of it is enabled by the Internet.

That is why the Internet Society is participating in the Forum.

I will be in Paris to speak on a panel about creating peace in cyberspace. Cybersecurity concerns across the world are real and justified and need to be addressed. We believe that the collaborative approach that helped to drive the growth of the Internet and allows it to thrive is essential for establishing cybersecurity.

The essence of a collaborative approach is that it allows stakeholders to create a shared vision for security.

The Shared Vision

At the Continue reading

Rough Guide to IETF 103

Starting next weekend, the Internet Engineering Task Force will be in Bangkok for IETF 103, where around 1,000 engineers will discuss open Internet standards and protocols. The week begins on Saturday, 3 November, with a Hackathon and Code Sprint. The IETF meeting itself begins on Sunday and goes through Friday. We’ll be providing our rough guides on topics of mutual interest to both the IETF and the Internet Society as follows:

• Overview of ISOC @ IETF (this post)
• Internet Infrastructure Resilience
• Internet of Things
• IPv6
• DNSSEC, DNS Security and Privacy
• Identity, Privacy, and Encryption

For more general information about IETF 103 see:

• IETF 103 main page
• Remote participation & live stream information

Here are some of the activities that the Internet Society is involved in during the week.

Applied Networking Research Prize (ANRP)

Through the Applied Networking Research Prize (ANRP), supported by the Internet Society, the Internet Research Task Force (IRTF) recognizes the best new ideas in networking and brings them to the IETF, especially in cases where the ideas are relevant for transitioning into shipping Internet products and related standardization efforts. Out of 55 submissions in 2018, six submissions will be awarded prizes. Two winners will present their Continue reading

The Facebook Breach: Some Lessons for the Internet

Last week Facebook found itself at the heart of a security breach that put at risk the personal information of millions of users of the social network.

On September 28, news broke that an attacker exploited a technical vulnerability in Facebook’s code that would allow them to log into about 50 million people’s accounts.

While Facebook was quick to address the exploit and fix it, they say they don’t know if anyone’s accounts actually were breached.

This breach follows the Cambridge Analytica scandal earlier this year that resulted in the serious mishandling of the data of millions of people who use Facebook.

Both of these events illustrate that we cannot be complacent about data security. Companies that hold personal and sensitive data need to be extra vigilant about protecting their users’ data.

Yet even the most vigilant are also vulnerable. Even a single security bug can affect millions of users, as we can see.

There are a few things we can learn from this that applies to the other security conversations: Doing security well is notoriously hard, and persistent attackers will find bugs to exploit, in this case a combination of three apparently unrelated ones on the Facebook platform.

This Continue reading

Strengthening Foundations for Creating Open Internet Standards

The Internet Engineering Task Force has reached a significant milestone in the process of evolving its own administrative structure to best suit the current requirements of its work. After nearly two years of discussion about various options, the IETF community has created the IETF Administrative LLC (IETF LLC), a new legal entity. Both the Internet Society’s CEO & President Kathy Brown and the Internet Society’s Board of Trustees Chair Gonzalo Camarillo have expressed strong support for the process that has led to this point, and for the direction the IETF has decided to take. Continuing its long-standing positions, the Internet Society also made financial commitments to support the process, and to the IETF going forward.

All of us at the Internet Society who work closely with the IETF believe this new administrative structure strengthens the the foundation for an Internet built on open standards. The new structure will not change any aspect of the IETF’s technical work or the Internet standards process, and clarifies the relationship between ISOC and the IETF. Importantly, the IETF and ISOC continue to be strongly aligned on key principles. ISOC initiatives related to the IETF, such as the Technical Fellows to the IETF and the Continue reading

TLS 1.3 – Internet Security Gets a Boost

Today marks the formal publication of an overhaul of the Transport Layer Security (TLS) protocol. TLS is an Internet standard used to prevent eavesdropping, tampering, and message forgery for various Internet applications. It is probably the most widely deployed network security standard in the world. Often indicated by the small green padlock in a web browser’s address bar¹, TLS  is used in financial transactions, by medical institutions, and to ensure secure connections in a wide variety of other applications.

We believe the new version of this protocol, TLS 1.3, published as RFC 8446, is a significant step forward towards an Internet that is safer and more trusted.

Under development for the past four years and approved by the Internet Engineering Task Force (IETF) in March 2018, TLS 1.3 addresses known issues with the previous versions and improves security and performance, in particular it is able to establish a session more quickly than its predecessors. Because it is more efficient, TLS 1.3 promises better performance for the billions of users and organizations that use TLS every day. As with every IETF standard, TLS 1.3 was developed through open processes and participation, and included contributions from scores of individuals.

Continue reading

Rough Guide to IETF 102

Starting next weekend, the Internet Engineering Task Force will be in Montreal for IETF 102, where over 1,000 engineers will discuss open Internet standards and protocols. The week begins on Saturday, 14 July, with a Hackathon and Code Sprint. The IETF meeting itself begins on Sunday and goes through Friday. We’ll be providing our rough guides on topics of mutual interest to both the IETF and the Internet Society as follows:

• Overview of ISOC @ IETF (this post)
• Internet Infrastructure Resilience
• Internet of Things
• IPv6
• DNSSEC, DANE and DNS Security
• Identity, Privacy, and Encryption

For more general information about IETF 102 see:

• IETF 102 main page
• Remote participation & live stream information

Immediately prior to the IETF meeting, ICANN are hosting a DNS Symposium on the theme “Attention, Domain Name System: Your 30-year scheduled maintenance is overdue.” The ICANN DNS Symposium will take place in the same venue as the IETF 102 meeting on Friday 13th July.

Here are some of the activities that the Internet Society is involved in during the week.

Applied Networking Research Workshop (ANRW 2018)

The ACM, IRTF and ISOC Applied Networking Research Workshop will take place on the Monday of IETF week, Continue reading

To Tackle the VPNFilter Botnet, It’s Going to Take Help from You and Me

If you’ve been reading the news lately, you might have seen headlines like “FBI to America: Reboot Your Routers, Right Now” or “F.B.I.’s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware”. These headlines can be pretty alarming, and you may find yourself thinking, “things must be pretty bad if the FBI is putting out such an urgent warning.”

Cyber threats are not uncommon, but the good news is that the security community is working around the clock to tackle these threats as early and quickly as possible. Most of the time we do not see all this hard work, nor are we often asked to play a large part in taking down a botnet. But this time, by rebooting our routers, we can help the law enforcement and information security communities to identify infected routers so they can be cleaned up, moving us closer to a permanent fix for a particular kind of malware – VPNFilter.

Here is what happened …

From Discovery to Takedown

On 23 May, 2018, researchers at Cisco’s Talos publicly shared their findings about a large botnet of infected networking devices (home routers) they called “VPNFilter” because of concerns that the Continue reading

Encryption Isn’t Perfect, That’s Why Choices Are Important

Encryption is a critical building block for online trust, but it’s never perfect. Any encryption you use is the product of many steps. Encryption methods have to be defined; protocols for implementation have to be specified; and then the protocols have to be implemented. Each step is handled by different people and potentially introduces vulnerabilities along the way. Even with the best lock design in the world, if someone builds the lock with variations in the design (either intentionally or accidentally), it might be easily picked.

When you own a broken lock, you have it fixed or use a different one – encryption is no different.

Yesterday (14 May 2018), the Internet security community was alerted to newly discovered vulnerabilities in the secure email ecosystem, dubbed “EFAIL”. EFAIL can make the content of emails encrypted with PGP and S/MIME readable to an attacker. While there are some fixes users and companies can make to mitigate EFAIL, cases like this underscore the importance of choice when it comes to secure communications.

How does the EFAIL attack work?

EFAIL abuses a combination of vulnerabilities in the OpenPGP and S/MIME specifications and the way that many email clients render remote content in Continue reading

The Cybersecurity Tech Accord Fits Squarely in the Collaborative Security Approach

Last week at RSA, more than 30 global companies came together to sign the Cybersecurity Tech Accord “to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.”  It is an example of collaboration, which demonstrates the commitment and focus of the signatory companies to take action in order to tackle the significant security threats we are currently facing. It is this type of collective action we have promoted as part of our collaborative security

The Tech Accord is a positive step by large corporations across the globe involved in security to come together in the name of collaboration and make security commitments that resonate with the demands of Internet users everywhere. Per the Accord’s website, there are four main tenets of the Tech Accord:

• Stronger defense
  The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.
• No offense
  The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design Continue reading

Continuing Support for the Work of the IETF

The Internet Engineering Task Force (IETF) has been working recently to update its administrative arrangements to match the changing requirements it faces as the premiere Internet standards organization.

It has been more than a decade since the IETF became an organized activity of the Internet Society. Given the changes in the world and the Internet in the intervening time, it is natural to reconsider how to most effectively organize and implement its administrative structure. The Internet Society Board of Trustees supports the IETF in this work, and has set aside funding for this purpose. Internet Society staff are prepared to help implement the changes required.

Aspects of the mutual relationship between the Internet Society and the IETF, such as the role of the Internet Society in the standards appeal process, the confirmation of the Internet Architecture Board (IAB) members by the Internet Society’s Board of Trustees, and four members of the Internet Society’s Board of Trustees being appointed by the IAB on the IETF’s behalf, are not subject to change.

Both the Internet Society and IETF will benefit from an updated administrative structure for the IETF that continues to provide a solid foundation for the development of open standards for the global Internet.

The post Continuing Support for the Work of the IETF appeared first on Internet Society.

Rough Guide to IETF 101: Back to London

Starting next weekend, the Internet Engineering Task Force will be in London for IETF 101, where about 1000 engineers will discuss open internet standards and protocols. The week begins on Saturday, 17 March, with a Hackathon and Code Sprint. The IETF meeting itself begins on Sunday and goes through Friday.

As usual, we’ll write our ‘Rough Guide to the IETF’ blog posts on topics of mutual interest to both the IETF and the Internet Society:

• Overview of ISOC @ IETF
• Routing Infrastructure Security Resilience
• Internet of Things
• IPv6
• DNSSEC, DANE and DNS Security
• Identity, Privacy, and Encryption
• Community Networks

More information about IETF 101:

• IETF 101 main page
• Remote participation & live stream information

Here are some of the activities that the Internet Society is involved in during the week.

IETF Journal

Catch up on the world of the IETF and open Internet standards by reading the IETF Journal. The November issue marked the final printed version; now we plan to share longer-form articles online and via our Twitter and Facebook channels. Our two most recent articles are “Big Changes Ahead for Core Internet Protocols” by Mark Nottingham and “QUIC: Bringing flexibility to the Internet” Continue reading