I don’t think much has changed. The NSA canceled a program here and a program there, and it is now more public about defense. But I don’t think it is any less aggressive about either bulk or targeted surveillance. Certainly its government authorities haven’t been restricted in any way. And surveillance capitalism is still the business model of the Internet.
That quote is from Bruce Schneier. It's not all bad news, though. The Internet did change. Stephen Farrell writes: [...]
That quote is from Bruce Schneier. It's not all bad news, though. The Internet did change. Stephen Farrell writes:
The work to develop TLSv1.3 [...] aimed to encrypt more of the handshake so as to expose less information to network observers - a fairly direct result of the Snowden revelations. Work to further improve TLS in this respect continues today [...]
[work on DNS encryption] started as a result of the Snowden revelations. Prior to that, privacy hadn't really been considered when it came to DNS data or (more importantly) the act of accessing DNS data. The trend towards encrypting DNS traffic represents a significant change for the Internet, both in terms of reducing cleartext, but also in terms of moving points-of-control. The latter aspect was, and remains, controversial [...] Work on HTTP version 2 [RFC7540] and QUIC [RFC9000] further demonstrates the trend in the IETF towards always-encrypting protocols as the new norm, at least at and above the transport layer.
[...]
In 2013, the web was largely unencrypted despite HTTPS being relatively usable and that was partly due to problems using the WebPKI at scale. The Let's Encrypt [LE] initiative was established in 2015 to try move the web towards being fully encryted and has been extremely successful in helping achieve that goal. Subsequently, the automation protocols developed for Let's Encrypt were standardised in the IETF's ACME [ACME] working group.
In 2013, most email transport between mail servers was cleartext, directly enabling some of the attacks documented in the Snowden documents. Significant effort by major mail services and MTA software developers since then have resulted in more than 90% of email being encrypted between mail servers and various IETF protocols have been defined in order to improve that situation, e.g., SMTP MTA Strict Transport Security (MTA-STS). [RFC8461]
On the other hand, there's only so much that can be solved by technology. Quote also from Stephen Farrell:
On the other hand, there's only so much that can be solved by technology. Quote also from Stephen Farrell:
Looking back on all the above from a 2023 vantage point, I think that, as a community of Internet engineers, we got a lot right, but that today there's way more that needs to be done to better protect the security and privacy of people who use the Internet. In particular, we (the technical community) haven't done nearly as good a job at countering surveillance capitalism which has exploded in the last decade. In part, that's because many of the problems are outside of the scope of bodies such as the IETF. For example, intrusive back-end sharing of people's data for advertising purposes can't really be mitigated via Internet protocols.
Quote from Bruce Schneier's part:
That quote is from Bruce Schneier. It's not all bad news, though. The Internet did change. Stephen Farrell writes:
[...]
On the other hand, there's only so much that can be solved by technology. Quote also from Stephen Farrell: