The STRINT workshop concluded with some preliminary recommendations:

  • Encryption works and needs to be used more, despite its cost (which is steadily going down anyway).
  • Data minimization is worthwhile, too, but difficult: traffic analysis research and protocol development need to work together.
  • The threat models discussed in the workshop should be written up in an RFC (either separately or as an update to BCP 72).
  • “Opportunistic Encryption” could benefit from a cookbook-like explanation for developers. (The term itself may also be confusing. Best effort encryption or opportunistic keying were suggested as alternatives.)
  • The technical community can do better in explaining the issues of Pervasive Monitoring to policy makers.
  • Similarly, user interfaces could be better. (Some people even argue that certain dangerous choices should simply not be offered anymore. But that requires coordination among software makers; otherwise some will be considered “broken” by users.) How to integrate UI issues into the processes of IETF and W3C needs further discussion.
  • Examples of good software configurations, guidelines for developers, cut-and-paste configurations for popular software, etc., can help. This is not standards work, but maybe the standards organizations can still help.
  • Software makers can do more to make the default (“out-of-the-box”) settings better for protecting privacy.
  • Captive portals (and some firewalls, too) can and should be distinguished from real man-in-the-middle attacks. Maybe this just needs establishing common conventions with makers of such proxies, but maybe also new protocols.

There will be a full report later, but the slides, the minutes (day 1 and day 2), and the submitted papers are already available.