Ongoing disclosures about the pervasive monitoring of email, voice and other network traffic remain an industry concern and major companies in the online ecosystem have been publicly identified as specific targets for non-consensual eavesdropping activity. As a result, both the general public and various technical communities have a heightened interest in implementing measures that could protect operational security and customer privacy. A continued industry-coordinated response to this threat is necessary due to interoperability considerations and deployment issues. The M3AAWG Pervasive Monitoring Special Interest Group strives to provide technically sound yet approachable advice on these complex topics, while maintaining a balanced perspective and coordinating our efforts with other organizations.
Early on, the Pervasive Monitoring SIG drove industry awareness, through M3AAWG events and videos, of the importance of adopting opportunistic TLS as a first-line defense against eavesdropping on user messaging. Our initial paper, TLS for Mail: Some Initial M3AAWG Recommendations, was published in 2014, and the industry has seen a significant increase in TLS adoption since then, from approximately 30 percent to approximately 80 percent. This increase in adoption is noted by both Facebook (Massive Growth in SMTP STARTTLS Deployment) and Google (New Research: Encouraging trends and emerging threats in email security).
This October, during the M3AAWG 35th General Meeting in Atlanta, we held an open round table discussion with our colleagues to better understand the impediments to adopting encryption, since improving the adoption of opportunistic TLS is still a concern. The outcome was that we decided, as a SIG, to spend time over the coming year reaching out to industry email providers and encouraging them to turn on opportunistic TLS by default in their products, to improve the overall security of email in transit.
In parallel with continuing to drive industry adoption of opportunistic TLS, we have been working to address the more aggressive Man-in-the-Middle (MITM) attack scenarios against messaging. We published basic industry guidance in the paper M3AAWG Initial Recommendations for Addressing a Potential Man-in-the-Middle Threat earlier this year and have been focusing heavily on this topic during M3AAWG meetings. The Pervasive Monitoring SIG has been evaluating the IETF DNSSEC and DANE technologies, and has been working to create the draft of a new protocol, SMTP Strict Transport Security (STS), to improve email security and guard against Man-in-the-Middle attacks. To increase our industry outreach, we hosted Curt Barker and Scott Rose* of the National Institute of Standards and Technology (NIST)/National Cybersecurity Center of Excellence and Viktor Dukhovni*, IETF DANE working group owner, to provide their feedback and hear industry concerns during the recent M3AAWG meeting. We will continue evaluating existing technologies and investing effort in reviewing other technological options so that we can provide the industry with proper guidance, as appropriate.
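The difference between opportunistic TLS and a strict policy is easiest to see in the sending MTA's decision after EHLO. The following Python example is added here for illustration; it is not code from M3AAWG, the STS draft, or any mail server. The EHLO responses, host names and certificate names are constructed, and the policy text is modeled on the MTA-STS format that was later standardized in RFC 8461 (the 2016 draft used a different format). It omits the DNS lookup, the HTTPS policy fetch, DANE TLSA checks and the TLS handshake itself, and only models the decision logic: an opportunistic sender falls back to plaintext when an on-path attacker removes the STARTTLS advertisement, and accepts any certificate when TLS is offered; a sender applying an enforce-mode policy refuses to deliver instead.

```python
import re


class DeliveryRefused(Exception):
    """Raised when an enforce-mode policy cannot be satisfied."""


# --- Constructed sample data; not captured from any real server ----------
# EHLO response from a receiving MX that supports STARTTLS.
HONEST_EHLO = (
    "250-mx1.example.net Hello sender.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same response as seen through an on-path attacker that deletes the
# STARTTLS line; an opportunistic sender then continues in the clear.
STRIPPED_EHLO = HONEST_EHLO.replace("250-STARTTLS\r\n", "")

# Policy text in the shape later standardised as MTA-STS (RFC 8461). This is
# an assumption for illustration; the 2016 STS draft used a different format.
STS_POLICY_TEXT = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mx1.example.net\n"
    "mx: *.backup.example.net\n"
    "max_age: 86400\n"
)


def parse_ehlo_extensions(response):
    """Return the set of extension keywords advertised in an EHLO response."""
    exts = set()
    for line in response.splitlines()[1:]:  # line 0 is the greeting
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def parse_sts_policy(text):
    """Parse 'key: value' policy lines; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in (
            "enforce", "testing", "none"):
        raise ValueError("unrecognised policy")
    return policy


def name_matches(hostname, patterns):
    """Exact match, or '*.suffix' covering exactly one leading label."""
    hostname = hostname.lower().rstrip(".")
    labels = hostname.split(".", 1)
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if len(labels) == 2 and labels[1] == pat[2:]:
                return True
        elif hostname == pat:
            return True
    return False


def negotiate(ehlo_response, mx_host, cert_names, policy=None):
    """Decide how the sending MTA proceeds once it has the EHLO response.

    policy is None      -> opportunistic TLS: encrypt if offered, otherwise
                           send in plaintext, and accept any certificate.
    policy mode enforce -> require STARTTLS, a policy-listed MX host and a
                           certificate valid for that host; otherwise refuse.
    policy mode testing -> run the same checks, but behave opportunistically
    (mode none is treated the same way here).
    Returns "tls-authenticated", "tls-unauthenticated" or "plaintext".
    """
    offered = "STARTTLS" in parse_ehlo_extensions(ehlo_response)
    problems = []
    if not offered:
        problems.append("STARTTLS not advertised (possible stripping)")
    if policy is not None:
        if not name_matches(mx_host, policy["mx"]):
            problems.append("%s is not a policy-listed MX" % mx_host)
        if not name_matches(mx_host, cert_names):
            problems.append("certificate does not cover %s" % mx_host)
    if problems and policy is not None and policy["mode"] == "enforce":
        raise DeliveryRefused("; ".join(problems))
    if not offered:
        return "plaintext"            # the downgrade an eavesdropper relies on
    if policy is not None and not problems:
        return "tls-authenticated"
    return "tls-unauthenticated"      # encrypted, but peer identity unverified


if __name__ == "__main__":
    cert = ["mx1.example.net"]
    policy = parse_sts_policy(STS_POLICY_TEXT)
    print(negotiate(HONEST_EHLO, "mx1.example.net", cert))
    print(negotiate(STRIPPED_EHLO, "mx1.example.net", cert))
    print(negotiate(HONEST_EHLO, "mx1.example.net", cert, policy))
    try:
        negotiate(STRIPPED_EHLO, "mx1.example.net", cert, policy)
    except DeliveryRefused as exc:
        print("refused:", exc)
```

The third outcome, "tls-unauthenticated", is the one opportunistic TLS delivers today: the session is encrypted, which defeats passive collection, but nothing ties the certificate to the domain's real MX, so an active attacker who can also present its own certificate is not detected. That gap is what a published policy (or a DANE TLSA record) closes, at the cost of making misconfiguration a delivery failure rather than a silent downgrade.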
In Atlanta, the Keys Under Doormats authors received the M3AAWG J.D. Falk Award for clarifying the insecurity of government-mandated access to documents. The Pervasive Monitoring SIG also held a tutorial session* with one of the co-authors, Josh Benaloh, to provide M3AAWG participants with an overview of the report and its long-term significance. We encourage the industry to read the Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications report.
Our scope is not limited to email only; we will also be working to address other crypto concerns with respect to protecting users against pervasive monitoring. In the coming months, we will be publishing our next wave of best common practices, targeting the completion of the drafts of Crypto Isn’t Free, Traffic Analysis and SMTP Strict Transport Security (STS) by the end of April 2016.
If you are not an M3AAWG member, you can reach us via the Contact Us form on the M3AAWG website. M3AAWG members can sign up to participate in the Pervasive Monitoring SIG on the Committees/SIGs page of the members' website. We welcome and look forward to your feedback as we continue working to help the industry protect against pervasive monitoring.
By Alexander Brotman and Janet Jones, M3AAWG Pervasive Monitoring SIG Co-Chairs
*Presentations from the M3AAWG 35th General Meeting in Atlanta have been made public with the authors' permission.