End to end encryption under threat

Sounds like it's been unauthorised since 2012, presumably it's a rogue developer since it was Juniper's own internal code review that found it.

Edit: don't see what this has got to do with government back doors. In fact it just demonstrates how concerned we should be about cyber-crime in general.

As mentioned above any backdoor type functionality just weakens the overall encryption mechanism and gives potential attackers a discoverable attack vector - often due to the nature of this kind of purposeful weakness an exploit of it can leave less of a trace than other breaches as well.
 
As mentioned above any backdoor type functionality just weakens the overall encryption mechanism and gives potential attackers a discoverable attack vector - often due to the nature of this kind of purposeful weakness an exploit of it can leave less of a trace than other breaches as well.

But that's not what happened in this case.
 
No - but it is an illustration of the issues these kinds of things can result in.

I respectfully disagree. This is an example of an unmanaged, unauthorised back door - completely different situation to a managed back-door.
 
To be honest we don't know for what reason it was placed. Could be part of the dragnet.

I wonder if anyone else found it before they did. I'm sure someone was working on them.

We don't know exactly what sort of backdoor was in place, whether it merely required a key or was open to a certain kind of attack.

Heck even if I saw the source code of it it's probably well beyond my abilities to even recognise it.
 
I don't really understand how "if you weaken your product on purpose based on the demands of a state, it makes it easier for everyone to exploit" is a contentious statement to make.

Yes, with what is known at the moment about the Juniper vulnerability it's a large jump to make to assume it was the NSA or equivalent, but the validity of the statement is still there.
 
Ignorance and wishful thinking.


Then again there's a lot more to what's involved and possible than I know so maybe it's my ignorance to fall in the camp that believes your quoted phrase to be true.
 
None of which rely on encryption?

Yes they do. Email commonly uses TLS encryption for communication with mail servers, and anytime you have to enter a password on a website the connection needs to be encrypted as it is on Facebook.
 
This is a decent overview:

https://www.imperialviolet.org/2015/12/19/juniper.html

The SSH vulnerability isn't a huge deal (your management interfaces won't be in-band ideally) and could be some debug code that got left behind. The VPN issue seems to come down to random numbers not being as random as they should be.

Cheers I'll have a look tomorrow after some sleep. Cursory glance merely tells me that I'm too tired to even attempt to comprehend that :D.
 
I don't really understand how "if you weaken your product on purpose based on the demands of a state, it makes it easier for everyone to exploit" is a contentious statement to make.

Yes, with what is known at the moment about the Juniper vulnerability it's a large jump to make to assume it was the NSA or equivalent, but the validity of the statement is still there.

Just to clarify I'm not suggesting it was put in by the NSA etc., rather just using it as an example of the trouble with back doors, "authorised" or not. How do you police it and know no one is misusing it once they discover it?

The reality is you will probably never know if someone has discovered it and used it for their own purposes, just like this "backdoor".
 
I respectfully disagree. This is an example of an unmanaged, unauthorised back door - completely different situation to a managed back-door.

Largely irrelevant if it's managed or unmanaged - if there is any backdoor that is weaker to attack than the encryption algorithm itself (which is pretty much going to be the case) it makes the strength of the algorithm pointless - and that is going to be the case whether the backdoor is managed or unmanaged.
 
It probably goes without saying that MPs will not be included in that of course.

:rolleyes:
 
Indeed, the whole concept of a "managed backdoor" is a fallacy.

Fallacy is probably too strong a word. Managed back doors have existed, such as the Clipper chip:

https://en.wikipedia.org/wiki/Clipper_chip

Ultimately it failed because no-one wanted to use it. All of the arguments against Clipper and the reasons for its failure are directly applicable to the arguments going on today.
 
It's only managed as far as the government's ability to keep the keys safe, and the systems in place to ensure that the various agencies are making legitimate requests for private keys.

Also it can't be re-locked - once the FBI has concluded an investigation there is no way to change those keys, at least from the information in that article. So if a mass leak of keys occurred then the only fix would be hardware replacement of any affected device.

Seeing as the current climate is to mistrust your own government as much as a foreign one, I can't see any system of key escrow being workable. For a start I assume it would have a massive impact on international trade if a customer in China had to assume that all communications carried out with a US supplier were being eavesdropped by a US government agency.

The biggest problem with any system that the government control is that you might feel that the current government is trustworthy and there are enough checks and balances to prevent any abuses, but you can't guarantee that position for eternity.
 
I respectfully disagree. This is an example of an unmanaged, unauthorised back door - completely different situation to a managed back-door.

would you accept this for physical security by any chance?

like the TSA luggage locks.

say if they made it law every house in the uk had to be fitted with a door lock, that as well as its normal unique key could also be opened by a singular master key for all locks that would be supplied to police and other authorities (no more smashing in doors with battering rams!).

and no other lock could be fitted.

would you be satisfied with this? or would be thinking "eventually someone is going to get a copy of that master key"
 