I saw an
article on Reddit about members of The Pirate Bay wanting to encrypt all traffic on the Internet, end-to-end. This is an interesting idea on a number of levels that I'd like to explore: the practical, the legal, and the information security.
From a practical perspective, such an endeavor would require hurculean effort, to say the least. At a minimum, you're talking about adding a layer to every IP stack on every server and workstation on the planet (or at least those that "need" to participate in the encrypted Interweb.) This poses a number of challenges, to say the least. Not the least significant of which is how many other applications shim into the IP stack already, e.g. antivirus, intrusion detection, spyware, performance monitoring tools, etc. Interacting with all of these pre-existing shims will likely be hideously problematic. Supposing these obstacles can be navigated successfully, there remains the performance overhead that such a shim would invariably introduce and in turn the end-user satisfaction issue. This, of course, says nothing about the additional hurdles that Vista represents, but that's another matter altogether.
From a legal perspective, there are two-sides: those who want to protect their privacy and those who have a legal RIGHT to infringe on a persons privacy. Now, let me be clear: I'm in the camp of Believers who think that the right to infringe on a persons privacy is both necessary but HORRIBLY abused on a ROUTINE basis... so, my ramblings on this matter may need to be taken with a block of salt. That said, as for those who wish to protect their privacy I have two thoughts: if what you're doing is secretive there are already mechanisms in place to protect you, but if your secretive because what you're doing is illegal (e.g. kiddie pr0n) then you don't deserve privacy. Long-story short, encrypting the transport of data across the interweb will set law enforcement back a DECADE (and its already lagging horribly behind criminals.) I foresee any technology that prohibits law enforcement like this would as being legislated into oblivion, around the globe.
The perspectives from the information security world are slightly different, but they overlap somewhat with those of the perspective from the legal world. The basic issue is parallel to that of the LE world -- we can't do packet captures anymore. That makes our job harder. More than that though, it adds an element to the mix: non-repudiation. That is, if we DO get a capture (i.e. through a backdoor on the host from which we're trying to sniff traffic from), we can prove, with a high degree of certainty, that the traffic did come from the targeted host and that it could not ahve come from any other host -- because the cryptographic private keys would be unique (this is, mathematically, a misnomer, but it plays out in practical terms because of probability. I.e. if you take an infinite set -- all numbers -- and try to represent them in a finite set -- a cryptographic key -- you will have collisions, or instances of duplicate keys.) There is also the matter of "trust", i.e. can you trust a network shim conceived- and implemented-by people who's primary livelihood is on the "other side"? "Nay nay," as the great Jimmy Pardo would say.