A coalition led by Reddit, Imgur, the American Civil Liberties Union, the Electronic Frontier Foundation and Amnesty International are participating in an online protest called “Reset the Net” that aims to make it harder for the NSA and other local or foreign government agencies to conduct mass surveillance over the Internet.
Reset The Net is calling on mobile apps makers and website developers to implement tighter security measures. It is hoping to convince people behind popular websites and apps to adopt security tools like Secure Sockets Layer (SSL) and HTTP Strict Transport Security (HSTS). The campaign, which goes live on June 5, also aims to spread the “Reset The Net” splash screen across the Internet as a sign of protest.
“The NSA is exploiting weak links in Internet security to spy on the entire world, twisting the Internet we love into something it was never meant to be: a panopticon,” the campaign’s website read.
“We can’t stop targeted attacks, but we can stop mass surveillance, by building proven security into the everyday Internet.”
The campaign is imploring mobile app makers to use SSL and cert pinning. SSL is used to send data securely over the Internet. Without it, the police, the FBI, and even people who share the same Wi-Fi connection with you can gain access to your information, according to Reset The Net.
“Some apps keep all your data safe on your phone. But if a mobile app talks to a server—to send a message to a friend, post a photo, or share your high score—that data gets sent over the open Internet. If the app doesn’t use SSL to protect that connection, anyone can spy on that data … One thing is certain: mobile apps must use SSL to protect the data they send from prying eyes,” a campaign blog post read.
The campaign also advocates cert pinning, saying that the method makes apps more secure than websites. One of the easiest attacks on the Web is the man-in-middle variety, wherein when you type “facebook.com” on your browser, someone else can intercept your request and pose as Facebook.
“On the Web, we trust the certificate authority system to tell us who’s who. If a CA (certificate authority) says “yes, this site is really Facebook” we’ll trust it,” a blog post read. “On the web, we’re a little screwed right now (though good people are working on it and it will get fixed). But on mobile, the outlook is brighter: you can stick the certificate in your app (hence “pinning”). That way, the app only trusts the certificate it’s supposed to.”
For websites, the campaign urged developers to use HTTPS, HSTS and FPS, which are said to make mass spying much more difficult.
Reset The Net is providing what it calls a privacy pack, which is a selection of software and tips that are meant to make common computers, phones and tablets “NSA-proof.” All the software in the collection is free and can run on iPhone, Android, Mac, Windows and GNU/Linux. You can check out the list of software, which includes private communications software like TextSecure and Redphone. You can get the privacy by making a pledge at the Reset The Net website.
