Still requires government officials to intercept the handshake between two devices to gain access to the session key.
On a side note, The media is starting to publicly report this a bit more, though I wonder how long before it’s quietly forgotten.
I get that anyone who talks about it is technically at risk in the future if the worst came to pass #MakeOrwellFictionAgain but if no one stands in front of the metaphorical tank that is the government, then no one can complain when the tank drives over everything they love.
This is far more important than the Net Neutrality issues America has been having.
I wonder if John Oliver will do an episode on it. He did Snowden after all.
Yes, agreed, I am sure I read something about a compromised CA being used by one of the teams involved in Stuxnet. I can’t find it now but the implication that western intelligence agency messed about with a CA in NATO country should mean whoever authorised it should have been fired… I will have to see if I can remember what the book was.
Even better is if you can influence the OS vendor to just include whatever dodgy government CA you like. I’m sure there are government CAs included in most modern platforms.
Look at the root CA list on a typical modern platform.
Do YOU trust all of those companies/governments? Because essentially they have the authority to issue certificates to impersonate any server on the internet, if your system is configured to trust them.
I suppose for an agency hacking a foriegn state or terrorist cell and whatever platforms they use, they might need to be more sneaky - unless whoever they are hacking hasn’t got anyone technically compotent on their team.
the system trusted CA list can’t be modified (don’t think it can any more on macOS at least- you can’t add or remove system CA roots - as this would likely enable you to do your own dodgy code signing certs via your own CA to possibly subvert the OS chain of trust). You can change preferences for a given root CA in the system keychain, but who knows if the UI knob matches reality for everything in the OS
who knows whether or not other hidden root CAs are embedded into the OS elsewhere?
They’re speculating on how the backdoor could actually be implemented. So lets talk through it.
Every government would need their own cert, and if any of those certs were leaked, without perfect forward security everybody’s communications for the past X years would be exposed.
So then to ensure forward security you would need the governments, meaning all the governments on the planet, to work as third-parties in generating and exchanging ephemeral session keys with both parties engaged in the transaction. What happens if the key broker for any of those governments is unreachable? What if your government’s key exchange service is unreachable? In order for this to work every government would need to not only store keys but take part in every encrypted transaction on the internet.
Is that possible? Yeah, probably. It’s certainly cumbersome, and would have severe performance implications, aside from the obvious privacy ones. Assumedly if you can’t reach your government’s key broker, the transaction will fail. That would, in a very real sense, break the internet.
There’s nothing in the news about using a government made CA in browsers to implement access to data that is encrypted.
You wouldn’t implement this via a CA it’s impractical, doesn’t work, it also violates the principles set out in the publication if those certs were deployed by default. So that won’t happen.
Could you break a CA? Sure, that would be ligitimate with the correct warrants etc.
Could you put a CA cert on a target machine? Sure but could be impractical because of how CAs work. Not to mention if you already have access to the target machine you don’t need CAs.
If we are talking about implementation, I’m not sure why CAs haven’t already been dismissed, but you talking about it like it’s viable and the option they plan to take.
Yes, and why our perception is being manipulated. In our federal election, the facebook groups I was in, the conservative element used this “terrorism” card to try to sway votes to their side. And some of those that were advocating it honestly believed there was a good chance of being a target of terrorism. I tried to tell them that the chances were miniscule and to fight this “war” we must stand up and not give in, meaning to be able to accept the risks involved. One person in particular was probably indicative of most and said she was scared. I said that was normal and to carry on life as usual would be winning.
I agree we are being brainwashed, spinned, and lied to to further the “corporatocracy” that is the majority of politicians. I also think that the majority of lower level gov. workers are just trying to do the best they can in a large machine that doesn’t allow individuals to make decisions.
We have to convince those close to us that these “backdoor” laws are not a good idea. And if enough are convinced we may win this battle…but probably not the war.
Recently in Canada there was media attention on a person that was extradited to {IIRC} France on Terrorism charges. 2 or 3 years later the charges were found baseless. His life was upended for no good reason. There are too many instances like this to trust gov.
So where would you draw the line? Your OK with abuse of non-digital surveillance? What about open source intelligence gathering?
Isn’t abuse of power abuse regardless?
If its the abuse of the power then isnt it more that you want stricter governance than anything else? Abuse of power doesn’t really mean that your against digital surveillance, only that your against the abuse of it?
Abuse of non digital surveillance is a non issue as at the time of those corresponding laws being implemented, it was not viable to log, record and search every conversation made on the network. non digital communication is not ripe for mass abuse. The effort required to abuse these networks is too great to be considered an issue. Once in a while it will be abused, but that’s not at the scale that would be possible with digital surveillance.
Mass surveillance has already proven to be happening with the NSA and it’s suspected that Britain, Australia and New Zealand are doing the same. They do not have the tools to conduct mass surveillance on communications with regards to phone lines and postal services. The amount of work to record every phone call or letter, add to a database and make it searchable is impossibly great. But it’s not with digital services. That’s the difference.
The tools to wiretap phones and look through mail, was given to police with the explicit understanding that it could only be used on a case by case bases due to the difficulty to scaling surveillance. With the internet, that process can and is automated.
We know governments are already abusing data. Giving the government everything by providing a back door in one form or another is arguably a terrible idea. We know they abuse data and you want to give them encrypted, sensitive data?
And all of this doesn’t matter because any kind of back door is a weak point in security, making any form of encrypted data, susceptible to attack from hackers.
The only comment on how this would be implemented is by the Australia government with their bill to try to enforce a client side backdoor (More like a data stream of all data to the government) But as stated after the five eyes conference, these governments have decided that it’s best for the individual governments to decide the best method to approach this. This means that the method our governments want to implement this is up for debate. Which means it’s on topic to discuss different methods of gaining unauthorized access to encrypted data.
That’s like saying that people know crime is bad so they won’t do crime. Just because it goes against the principles of something, doesn’t mean those principles can’t be broken. We are talking about governments wanting to punish organisations for not putting a back door into software of which goes against the principles of encryption in the first place.
Can the process be automated? Yes? then it’s plausible that the government could abuse it with regards to mass surveillance.
Or invest money into TPM’s that make use of government CA certs. Lobby hardware manufacturers into using it. Or force OS companies to add their CA certs to the OS by default. Might take a bit of time with Linux but Windows and OSX would be big targets.
You’re acting as if you have an abundance of answers but you aren’t disproving arguments mentioned, so far it’s been opinions and an attempt to railroad the conversation in a direction you see fit.
