Missing Link: The Principle of Data Minimalism – Dividing and Conquering


Ten years after Edward Snowden’s revelations, traffic encryption has come a long way. If the concept of “partitioning” prevails, i.e. concealing my network activities even from the service providers I have chosen, that might also help against surveillance capitalism.

In the first decade after Edward Snowden, developers, Internet companies, and activists (almost) put an end to the observation of data traffic on the arteries of the Internet with a great deal of encryption. From the basic protection of the web protocol HTTP with TLS, to the completely new TCP successor QUIC, in which encryption is built in, to the different variants of encrypted DNS (DNS over TLS, DoT; DNS over HTTPS, DoH) – unencrypted data streams are now a rarity.

Shutting out prying eyes during packet transmission is only the first step. It is not enough, as the former chairman of the Internet Engineering Task Force (IETF), Jari Arkko, reminds his developer colleagues once again in a current document. Rather, it can be important to prevent even the endpoints involved in the communication from seeing what a user says and does.

Arkko, who took over as chair of the IETF in the summer of the Snowden revelations from NSA-sponsored Russ Housley and recently stepped down from the Internet Architecture Board (IAB), emphasizes: “We also face new attackers and risks. For example, the growing data stores of various Internet services have to be considered.” Especially when a party specified in the communication protocol is itself very interested in data collection, it is important to provide further security measures – also towards this end of the line.

The “Principle of Least Privilege” (PoLP) must be observed: every program and every user of a system should operate with exactly the rights it absolutely needs to do its job. With a view to technical effectiveness too, it is good if no single party has all the information.

Arkko’s colleagues at the IAB no longer need to be convinced of this concept. The current chair of the IAB, Mirja Kühlewind, also an Ericsson researcher, together with two IAB members, has dedicated a draft of her own to the idea of “divide and rule” over your data. In “Partitioning as an architecture for private communication”, Kühlewind, Apple developer Tommy Pauly and Cloudflare developer Christopher Wood present many of the protocols in which IETF working groups are currently applying the principle.

The recent partitioning trend was started by groups trying to make DNS more confidential. As a response to the fact that DNS over HTTPS (DoH) suddenly brought more centralization of DNS traffic on large platforms – Firefox DoH traffic ends up at Cloudflare, for example – the DoH makers came up with the idea of splitting DNS requests across different proxies. A first proxy receives the encrypted request from the requesting client but cannot read it, while the target server gets the question about the content but does not know who it originally came from. A basic requirement for Oblivious DNS over HTTPS (ODoH) is that the different proxies do not cooperate.

The various Oblivious specifications are by no means the only partitioning protocol drafts. According to Kühlewind, Pauly, and Wood, the work on MASQUE (Multiplexed Application Substrate over QUIC Encryption) and PrivacyPass also belongs here. Older proxies for tunneling IP and UDP traffic through HTTP already provided such privacy-friendly splitting of traffic.

With HTTP/3 based on QUIC, a user can reach their target server with end-to-end encryption and conceal their path via several CONNECT-UDP tunnels. The IETF PrivacyPass working group aims to help separate the identity of users from the information about their respective access to certain services. The authentication required for the services is carried out using “tokens” that are acquired anonymously in advance from issuers. The concept used for this is well known: it is the blind signature designed by David Chaum.
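The blind-signature mechanism behind PrivacyPass, as an added example written for this article (not code from the IETF drafts or from any Privacy Pass implementation): the issuer signs a blinded value and never sees the token itself, so at redemption it cannot link the token back to the issuance. The Mersenne-prime RSA parameters and the truncated-hash encoding are toy constructions for demonstration only.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA modulus built from two Mersenne primes (constructed for this
# example only; real deployments use 2048-bit keys or newer schemes).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def hash_to_int(token: bytes) -> int:
    """Toy message encoding: truncated SHA-256, so the value is below N."""
    return int.from_bytes(hashlib.sha256(token).digest()[:24], "big")

class Issuer:
    """Signs whatever blinded value it is shown; it never sees the token."""
    def __init__(self):
        self.seen = []  # everything the issuer observes at issuance time

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, D, N)

def blind(token: bytes):
    """Client side: hide the token hash behind a random factor r^E mod N."""
    m = hash_to_int(token)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    """Client side: divide out r to recover a plain RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(token: bytes, sig: int) -> bool:
    """Redemption side: ordinary RSA check with the issuer's public key (N, E)."""
    return pow(sig, E, N) == hash_to_int(token)

def issue_and_redeem(issuer: Issuer, token: bytes) -> int:
    """Full round trip: blind, have the issuer sign, unblind."""
    blinded, r = blind(token)
    return unblind(issuer.sign_blinded(blinded), r)

def issuer_can_link(issuer: Issuer, token: bytes, sig: int) -> bool:
    """Does anything the issuer recorded at issuance match what it sees at redemption?"""
    return hash_to_int(token) in issuer.seen or sig in issuer.seen
```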
