Internet firms to be banned from offering unbreakable encryption under new laws

“Unbreakable encryption” in this context is just “encryption that has not been artificially weakened to enable a select few to look into it.”

Let me reiterate the problem with this. The moment you put a backdoor in an encryption, there’s literally no way to limit who can look into it. It’s like putting your key under the door mat, hoping nobody will find it.

“Breakable encryption” is BROKEN encryption, period.

8 Likes

For the most part the public does when they use up-to-date browsers and https.

Those who use VPNs hide their IP address (many do not log).

VPN users in AU are rapidly increasing.

This legislation would not be urgent if the public is not already using encryption that they cannot break.

In any case it’s a UK proposed law that breaks banking security, so I doubt it will pass.

It’s there to allow for political concessions so that the spooks can get what they really want. Over ask and get what one really wants when one concedes ground.

1 Like

Millions of criminals? Crikey! (Sounds more like the government.)

3 Likes

This reminds me of the time when Snowden first came out with the NSA stuff, and it turned out the UK was also involved. I already knew crazy things about the UK (“we can send you to jail for 5 years if you don’t tell us your password”) so my first thought was “I hope the Lifestuff guys will know what needs be done!” And, sure enough, when I checked the site, there was the news: Everything got open sourced, practically overnight!

Now that was a time of infinite respect haha.

3 Likes

My assumption is that https is already easily breakable. This is just one possibility: How the NSA can break trillions of encrypted Web and VPN connections

1 Like

That is only true for certain versions and implementations. Well-configured servers will not use them, thus won’t be breakable. You can check whether a server is secure here: SSL Server Test (Powered by Qualys SSL Labs)

(I believe modern browsers are also unwilling to downgrade connections, or to use weak encryption, or at least I remember reading that Chrome was planning to turn off default support for them, which by now must be already implemented.)

2 Likes

I believe all https versions are deliberately made easy to break. Sounds like a conspiracy theory almost lol, but one that more and more seems to be validated. And that’s just things that officially have been exposed. Imagine what has not been exposed. It sounds a bit Orwellian, but think of what would happen if people could simply use https for organized crime and terrorism.

Before creating your own problems to get worried about, do some reading on the exploits of https and how the spooks can actually “break” https.

The whole reason the spooks are trying to get governments to break encryption is that they can only do a small amount of breaking. If they could break it all then why the need to legislate for breaking encryption?

Have a read of this page on encryption: GRC | SSL TLS HTTPS Web Server Certificate Fingerprints. It’s not exactly what you referred to earlier but does give some background while discussing certificate fingerprinting.

Since the revelations (and before) there have been a lot of browser & server patches to overcome the exploits exposed. Obviously there will be future exploits to fix, but as I said before the spooks don’t need legislation if they can break https in general.

3 Likes

Anders wrote: “I believe all https versions are deliberately made easy to break. Sounds like a conspiracy theory almost lol, but one that more and more seems to be validated.”

That’s a rather unfounded assumption. SSL has a track record full of insecurities, but they were bad design or implementation by mistake, not by malicious intent. Yes, RSA was (probably) paid a decent sum to set NSA’s broken RNG as the default in their products, but that only strengthens the argument that other RNGs were secure enough that they posed a problem to NSA. Yes, NSA did use attacks to downgrade connections to a lower security level, but that again nears proof that they couldn’t deal with higher levels of security. The documents revealed by Snowden explicitly mentioned (sorry, I can’t reference them, it’s from memory) that some attacks were so fragile in nature that any details about them were on a strictly need-to-know basis. While this can certainly mean things like Dual EC DRBG, it can also refer to zero-day exploits (including broken default configurations of systems that are otherwise unbreakable) that you simply didn’t want anybody else to notice (and fix.)

Also, Snowden himself trusted encryption (but only good encryption! he was careful to specify the guidelines) to communicate with the journalists who aided him in revealing those documents.

Seriously, what is this thing about organized crime and terrorism? They are happily not following the law already. But it’s not even relevant; reality, the laws of logic, can’t be changed by politics or “what would happen” and fear of bad people.

Simple fact: Encryption, by definition, is unbreakable (save brute force). If something has a backdoor, that is not encryption.

You can’t have an “only good guys can read it” kind of setup. Arguing against mathematics based on morals makes no sense.

3 Likes

I believe as it is today security agencies etc can detect the use of strong encryption and target those sources individually. If everybody would have access to strong encryption then criminal activities would be hidden among all the general and legal traffic. Why the need for keeping track of illegal activities? Because in the information age, nasty activities can spread very quickly, much faster than in the past and potentially with unstoppable growth. Information technology is like a double-edged sword.

First you have to explain what this “strong encryption” is.

Strong encryption is simply encryption that they cannot break without brute force. And they want legislation to prevent people, websites, messaging services using ordinary encryption which is strong.

But really they are not seriously thinking that it will be legislated. It’s there so they can concede that to get other invasive powers of surveillance through while everyone complains, blogs, etc etc on breaking encryption and drops the ball on the other measures in the legislation proposal.

2 Likes

Ok, now I have to move into conspiracy theories. 😃 By strong encryption in this context I mean non-mainstream encryption that potentially governments are unable to decrypt. That would make them very nervous. Edward Snowden is just a limited hangout.

“A limited hangout or partial hangout is, according to Victor Marchetti, former special assistant to the Deputy Director of the Central Intelligence Agency, “spy jargon for a favorite and frequently used gimmick of the clandestine professionals. When their veil of secrecy is shredded and they can no longer rely on a phony cover story to misinform the public, they resort to admitting—sometimes even volunteering—some of the truth while still managing to withhold the key and damaging facts in the case. The public, however, is usually so intrigued by the new information that it never thinks to pursue the matter further.”[1][2]” – Limited hangout - Wikipedia

Anders, the public are already using ordinary (strong by your defn) encryption that they cannot break into. Or are you saying that the public do not use Apple, Google and others. That only criminals use them?

1 Like

The discussion about ‘criminals using this or that’ I think misses the point; ‘Criminals’ don’t do anything that govts don’t allow them. You have to open your eyes to the truth of the system you live in. Criminals work TOGETHER WITH GOVTS. They are part of a triangle with govt and police. At any one time, the triangle is turned so that any of the above groups put pressure on ‘you’. There is no such thing as ‘criminals’ for the most part. All the criminals you see are the result of govt policies. Before govt for example, there was no one to make drugs illegal. Poof 40-50% of your ‘criminals’ just disappear. Not to mention the fact that those ‘criminals’ only arose because they were on the receiving end of the govt tip of that triangle: no work for you if you don’t kiss our boots the right way and step in line.

Look, it’s as simple as this: when you step back, you realize they’re all criminals. The police, the govt and the actual criminals. Drug dealers, for example, where do they get their drugs? They would have you believe it’s from seedy networks or ‘mules’. But those seedy networks and mules are funded and PROTECTED by law enforcement. Corruption/bribes are not bugs, they are FEATURES of the system. The system is about control. Look at student loans. A completely CRIMINAL enterprise that one is. Yet they operate under full protection of ‘the law’. So we needn’t worry about ‘criminals’ because they will exist as long as govts pay for and protect them from retribution by the people they’ve ripped off. Decentralization will, I hope, remove the incentive people have to become criminal in the first place. Drugs are illegal not because they care about your health (doctors kill 700,000 people a year! An order of magnitude more than car crashes), but because keeping it illegal raises the price. The harder you look, the harder it is to avoid the conclusion that it’s all a big scam…

2 Likes

I doubt those who flagrantly ignore the law on a regular basis are going to care less about this legislation.

As always, it is the innocent citizen who will be compromised. No doubt they will fear the world that bit more and be susceptible to further suggestions of limiting their liberties too. The state likes meek dependents.

1 Like

So you believe the NSA built their big facility in Utah I think it is, and can’t use it to read any https traffic? I’m pretty convinced that they can read all of the https traffic. Without much effort.

No more discussion then I guess, you’re convinced. Tell me again why they need this legislation then?

Tell me again why they need this?

You equate the desire for privacy with illegal activities, which is exactly the kind of thinking MaidSAFE, the EFF, and other privacy oriented movements are going against.

Omnipresent strong encryption is the only way to assure that my legitimate desire for privacy is not going to be viewed as an anomaly by the authorities.

Does it have a price? Of course it does! My simple question is: So what?

2 Likes

They need the legislation in order to stop stronger encryption. From the article: “He said terrorists, paedophiles and criminals must not be allowed a “safe space” online.”

They are basically admitting that https is too weak to allow a “safe space” for criminals.

Great point, but I’d go a step further and note how only a small minority of voters see that as a problem, and the number of people who read that news and asked themselves “How can there even be a justification for something like that” is probably in hundreds.