Are you ready for a new security standard? Welcome, then, to opportunistic security. The standard is a new IETF specification, also known as RFC 7435. It even has a title tagline: "Some protection most of the time."
Despite the implications of a standard that promises less than 100% protection, opportunistic encryption -- a key part of the opportunistic security specification -- is a change in paradigm. Indeed, it's a fresh new look at security over the Internet; one that makes a lot of sense in our modern age.
Protection in current communications protocols
To understand why we need opportunistic security, we first need to understand the current state of our communications protocols. To date, there have been two options for securing communications: all or nothing, as the diagram below illustrates:
Here's the problem. When the "best security possible" isn't available, we downgrade to no security at all. In this scenario, when you browse the Internet, you either look at websites where everything is authenticated and encrypted (indicated by the lock icon in the navigation bar) or you look at websites where nothing is authenticated or encrypted.
The end result? Bank and ecommerce transactions work under their strict "best security possible" policy -- as it should be -- but almost anything else is unsecured.
While we all want the best security, it may not always be possible. And instead of settling for "best security possible," why can't we just settle for "best security available?"
That is the substance of opportunistic security: The IETF is aiming to create a set of guidelines and principles for designers of future communications protocols in order to define those protocols in a way that has more flexibility in user protection.
In a nutshell, opportunistic security splits protection into two separate tasks: encryption and authentication. Encryption offers the user passive security -- making sure no third party can eavesdrop on the communications just by looking into the line. Authentication adds active security -- trying to protect against man-in-the-middle attacks, where someone intercepts all communications and relays them to both sides, in the process becoming privy to the exchange.
Why do we need opportunistic security?
There are several forces that make opportunistic security so important:
- The introduction of services such as Apple Pay, which provides another option to the way business is transacted inside physical retail stores.
- The rapid growth of mobile e-commerce, which has grown in five years from 5% to 50% of all online shopping traffic, according to statistics compiled by IBM.
- Large, high-profile enterprise data breaches, such as those affecting Sony and Anthem Inc.
- Massive-scale government snooping of networks.
Simply, as we move more and more of our lives onto the Internet, we need better protection.
The underlying assumption of today's all-or-nothing approach will not do. It assumes a world where a transaction either requires the best security or is not worth the effort. The world has a lot more shades of gray to it.
Communications protocols supporting opportunistic security will be designed differently than they are today. For one thing, they will start off by assuming basic communication is never encrypted or authenticated, and is always sent in the clear: anything better is a welcome -- but optional -- improvement.
This approach means any interaction will attempt to negotiate for better security at the outset, making sure the best security available at that given moment is used.
To that end, if authentication cannot be guaranteed for a given session or transaction, then encryption without authentication will get negotiated and used -- thus providing the means to thwart eavesdroppers from the interaction.
If encryption isn't available -- due to the capabilities of the peers -- but authentication is possible, then authentication alone will be used.
If both encryption and authentication are possible -- or if an underlying security policy enforces the use of both (a financial transaction for example), then the best security possible will be used (or mandated).
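The negotiation described in the paragraphs above, modeled in Python. This is an added example, not code from RFC 7435 or from the article; the Endpoint record, the negotiate function, the PolicyViolation error and the sample peers are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Protection(Flag):
    CLEARTEXT = 0             # baseline: nothing encrypted or authenticated
    ENCRYPTION = auto()       # passive protection against eavesdropping
    AUTHENTICATION = auto()   # active protection against man-in-the-middle


@dataclass(frozen=True)
class Endpoint:               # hypothetical capability record for one peer
    name: str
    can_encrypt: bool
    can_authenticate: bool


class PolicyViolation(Exception):
    """The session cannot meet the protection that local policy mandates."""


def negotiate(local, remote, required=Protection.CLEARTEXT):
    """Return the best protection both endpoints support.

    Starts from cleartext and adds each protection the two sides share.
    If policy requires something the peers cannot agree on, fail closed
    instead of silently continuing with less.
    """
    agreed = Protection.CLEARTEXT
    if local.can_encrypt and remote.can_encrypt:
        agreed |= Protection.ENCRYPTION
    if local.can_authenticate and remote.can_authenticate:
        agreed |= Protection.AUTHENTICATION
    parts = (Protection.ENCRYPTION, Protection.AUTHENTICATION)
    missing = [p.name for p in parts if p in required and p not in agreed]
    if missing:
        raise PolicyViolation(f"{remote.name}: policy requires {missing}")
    return agreed


# Constructed sample peers, not taken from the article.
CLIENT = Endpoint("client", can_encrypt=True, can_authenticate=True)
PEERS = [
    Endpoint("legacy-host", False, False),
    Endpoint("encrypt-only-host", True, False),
    Endpoint("auth-only-host", False, True),
    Endpoint("full-host", True, True),
]

if __name__ == "__main__":
    for peer in PEERS:
        print(f"{peer.name:18} -> {negotiate(CLIENT, peer)}")
```

Passing required=Protection.ENCRYPTION | Protection.AUTHENTICATION models the financial-transaction policy: the call raises for every peer except the one that supports both, rather than falling back.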
Why is this important?
As concerns about data and Internet privacy continue to grow, the IETF is working to ensure all of our digital communications benefit from the best security available.
Data encryption is on the rise. Whether it's 20% or 30% of Internet traffic is less important than the actual trend. Initiatives at the IETF -- such as encrypting HTTP/2 by default and introducing a paradigm shift such as opportunistic security -- mean that steps to secure and encode content will continue to gain traction in the years to come.