Today's Question:  What does your personal desk look like?        GIVE A SHOUT

Why isn't all internet traffic encrypted?

  haimg        2011-10-15 15:03:37       2,618        0    

The biggest problem is that you must be able to verify that you're encrypting to the correct key. Without it, encryption would be practically useless, as anyone could perform a man-in-the-middle attack on the connection and remain undetected.

In typical SSL/TLS, as well as other protocols using X.509, this verification is performed by "certification authorities", which are explicitly marked as "trusted" by web browsers and operating systems. Unfortunately, these CAs usually charge a decent amount of money even for the simplest, automatedchecks. They also get hacked often (see also: DigiNotar, Comodo). You can make a self-signed certificate, of course, but then others cannot verify it against any trust anchor.

Some browsers already support verifying self-signed certificates against information published in DNSSEC, but in some ways it is even worse than the current PKI – would you rather trust VeriSign or... GoDaddy?

The "Web-of-trust" model of PGP and TLS-PGP has other problems: getting one's key1 signed by enough people is often tricky, [especially for those living in a small town in Europe...] Without those signatures, again, it's relatively easy for an attacker to substitute his own keys.

Another problem is that not all programs and protocols were designed with encryption in mind. While many of them have had TLS retrofitted (HTTP, SMTP, IMAP, ...), it's not always possible to update the programs themselves. Even though SMTP can enable encryption for server-server links, very few servers advertise or request it. (Out of the major email providers, Gmail is probably the only one which supports this.)

This issue can be solved somewhat by using encryption on lower layers, using protocols such as IPsec, but then you hit the verification issue again. For example, IPsec can use pre-shared keys (obviously infeasible for any larger network), Kerberos (better, but still doesn't scale to a global Internet), and X.509 certificates (which were already discussed). Hence, even if IPsec weren't so tricky to configure and use, it wouldn't work well for securing "all internet traffic".

Finally, we have political issues. Some companies insist on logging all traffic generated by employees (or at least all websites browsed), and potentially blocking "bad" websites. Since they can't see through HTTPS, often they break HTTPS. There already are commercial devices which act as filtering proxy servers for HTTPS, performing an officially-sanctioned MITM attack. (You don't even notice it, since the device issues certificates using a locally managed CA, which is pre-installed on all company's computers.)

Governments are not much different: there have been many attempts to regulate secure crypto (especially the USA export regulations), to introduce crypto algorithms or devices which the gov't could bypass (the most widely known is probably the Clipper chip), to block encrypted data (Iran), or, even, to outlaw it partially (Russia) or entirely.

Source:http://superuser.com/questions/346856/why-isnt-all-internet-traffic-encrypted

SECURITY  INTERNET  TRAFFIC  ENCRYPTION  DECRYPTION 

Share on Facebook  Share on Twitter  Share on Weibo  Share on Reddit 

  RELATED


  0 COMMENT


No comment for this article.