The IESG has updated the IESG Statement on Maximizing Encrypted Access To IETF 
Information.

20 August 2015, updated 3 October 2025

The IETF has recognised that the act of accessing public information required 
for routine tasks can be privacy sensitive and can benefit from using a 
confidentiality service, such as is provided by TLS. [BCP188]

The IETF in its normal operation publishes a significant volume of public data 
(such as Internet-drafts), to which this argument applies. The IETF also 
handles non-public data (such as comments to NomCom, the IETF's nominating 
committee) that requires confidentiality due to the nature of the data 
concerned. 

The IESG and the broader community [moz-https-only] have further concluded that 
there can be other harmful effects in continuing to access public data as 
cleartext. Recent massive-scale man-on-the-side intermediary attackers have 
been seen to take advantage of the absence of security to mount active attacks 
that would be more difficult had a transport security mechanism such as TLS 
been used. [great-cannon, quantum] 

The IESG has therefore agreed that all IETF information must, by default, be 
made available in a privacy-friendly form that matches relevant best current 
practices. Further, all future embedded interactions with the IETF (such as 
tags in HTML) should default to causing access via that privacy-friendly form. 
For content currently accessed using the HTTP protocol, HTTPS URIs with 
appropriate TLS cipher-suites [BCP195] will be the preferred access mechanism; 
however, this direction encompasses more than HTTP traffic alone. 

The IESG used to require that all public information continued to be made 
available in the clear, for example, via HTTP without TLS. This IESG statement 
was updated on 2025-10-03 to no longer require the availability of IETF 
services without encryption. The Internet has evolved to deploy most services 
only using encrypted transports to avoid leaking cookies or tokens to any 
network observer. Some services, such as the IETF Datatracker, are no longer 
available without encrypted transports.

The changes caused by this statement should only need operational systems work 
and should be transparent to almost all consumers of IETF information. There 
are a small number of cases where these changes might cause some issues, e.g., 
the current Internet-Draft boilerplate text, which uses the http: URI scheme. 
The IESG will work with the broader community, tools teams, and IETF 
Secretariat to make these adjustments while minimising disruption to the 
community. 

Note that the "secure/privacy-friendly as the default according to best 
practices" principle set out in this statement applies to all IETF information, 
regardless of the protocol used to access that information. 

References

[BCP188] https://www.rfc-editor.org/info/bcp188

[great-cannon] https://citizenlab.org/2015/04/chinas-great-cannon/

[moz-https-only] https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

[quantum] https://www.wired.com/2014/03/quantum/

[BCP195] https://www.rfc-editor.org/info/bcp195

Read the full statement: 
https://datatracker.ietf.org/doc/statement-iesg-iesg-statement-on-maximizing-encrypted-access-to-ietf-information-20150820/

_______________________________________________
IETF-Announce mailing list