Skip to content
Easter Eggs
Naked Security Naked Security

The next version of the web has a message for the NSA

HTTP/2, the latest version of the language of the web introduces itself by invoking the name of the NSA’s internet-gobbling surveillance programme; PRISM.

The language of the web is the Hypertext Transfer Protocol (HTTP) and like a lot of really important technology it’s actually more than a little, um, unexciting.

HTTP is maintained by the IETF (The Internet Engineering Task Force) and it’s so sensible and unexciting that it’s remained almost unchanged for about 25 years. In technology terms it’s a time capsule from the same era as Windows 3.1 (ask your Dad.)

Now, after a quarter of a century, it is finally going through its first significant upgrade, as 1997’s minor update (version 1.1) gives way to 2015’s twenty first century revamp – version 2.

Version 2 is faster, sexier, more efficient and, like many young things, mildly rebellious.

HTTP/2’s youthful exuberance was spotted by programmer John Graham-Cunningham who noticed that when the protocol introduces itself during a phase called the connection preface, it does it with the name of the NSA’s internet-gobbling surveillance programme; PRISM.

Thanks to some line breaks the message is broken in two, making it more snarky back chat than full-throated yawp:

PRI * HTTP2.0

SM

The IETF’s HTTP working group Chair Mark Nottingham took to the comments on Graham-Cunningham’s blog to confirm that yes, the change dates from 2013 and was made shortly after Snowden told the world about PRISM.

We needed two pseudo-HTTP requests for the “magic” to assure it wasn’t being interpreted as HTTP/1 … we were looking at “STA” and “RT .

However, PRISM had just broken, and it was all that was being discussed in the hallway. People were pissed. It didn’t get into the minutes, but it came up as an idea to replace START since it had five letters, and people were unlikely to ever want a “PRI” or “SM” method.

Take that NSA.

Personally I’m not much of a fan of these digital micro-protests. This is just a geek version of changing your Twitter avatar and, while I suppose it does no harm, I’d hate to think that anyone laboured under the illusion that this was doing something either.

A far more meaningful protest would have been to enshrine a dependency on TLS in the HTTP/2 specification so that anything sent using the new protocol would be encrypted.

The NSA and its ilk couldn’t care less about snarky easter eggs but they’d surely notice if absolutely everything was under lock and key instead of out in the open.

Indeed, in the heady days after Snowden revealed the existence of PRISM, that was actually the plan. As IETF member Mike Belshe put it when talking to the FT:

There has been a complete change in how people perceive the world … not having encryption on the web today is a matter of life and death

The sentiment didn’t last though. Unable to agree among themselves, the IETF’s HTTP working group climbed down from the barricades and left a note in the FAQ:

After extensive discussion, the Working Group did not have consensus to require the use of encryption (e.g., TLS) for the new protocol.

The idea of a web that is encrypted by default didn’t die though.

For good or ill the web’s quarter century of progress has not been driven by standards but by the dominant browser vendors’ selective interpretation of them. The situation on the ground is described by Nottingham in his own blog:

Apple is joining Firefox and Chrome in requiring HTTP/2 to be used over an encrypted connection … Microsoft’s HTTP/2 implementation will also only support encrypted HTTP/2, and Blink-based browsers (such as Yandex and Opera) are also supporting HTTP/2 over TLS.

…the upshot is that HTTP/2 is (or will be soon) supported by all of the “major” browsers, and if you want them to use it with your web site, you’ll need to have HTTPS URLs. If that’s too difficult for you, you can use Opportunistic Security, but know that it’ll probably only work with Firefox for the foreseeable future.

In other words, HTTP/2 works without encryption in theory but you’ll have to hunt high and low to find a web browser that doesn’t encrypt it in practice.

Now that’s what I call sending a message about surveillance.


Image of Easter Eggs courtesy of Shutterstock.

4 Comments

Let’s see. I can get a domain name for less than $10 per year. And I can get substantial hosting for under $60 per year. But if I need a TLS certificate, it’s at least another $70 per year–just for some photographs and maybe a little blogging. Not accepting any PII or credit cards. In fact, not soliciting anything.

Seems like a pretty hefty penalty to me.

It’s that train of thought that lead the people at the Internet Security Research Group to create let’s encrypt. https://letsencrypt.org/isrg/

I imagine free or very cheap TLS will be well established before your browser and your favourite websites give up on HTTP/1.1 and in the meantime you’ll find certificates at $49 if you shop around.

Since no one in here apparently reads the comments on Sophos’s Facebook feed, I repeat:

You could at least get jgc’s name right, given that it’s in large letters at the top of his blog that you’ve linked to…

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?