End to end encryption under threat

A judge requiring data stored by a company is not the same thing as a back door into an encryption scheme.

Either this bill is targeted at intercepting email and Facebook messenger like you said, and will therefore be useless at catching the terrorists and the paedophiles, or it wants to be able to intercept all encrypted traffic and then decrypt it, in which case I don't think anyone claiming a huge impact to UK businesses is overreacting.

The link in the OP states what this bill is about - messaging systems like Apple's iMessage where not even Apple staff have access to your messages. Personally I'd like to think that if a group of terrorists in the UK are plotting a mass-murder then they shouldn't be completely safe to use a messaging system that's so easy my Gran can use it. Email, whatsapp, facebook etc aren't affected because they don't have that sort of encryption.

Also - how can you possibly claim that you're not overreacting when you think the bill is about intercepting all encrypted traffic and decrypting it? :rolleyes:
 
I don't have a problem with it as long as there is a proper authority e.g. a judge, to authorise the use of the backdoor. It shouldn't be any different to a phone tap (used to catch fly-tippers) or a hidden camera in someone's home (used to catch Stephen Lawrence's killers).

First they came for the socialists...
 
Also - how can you possibly claim that you're not overreacting when you think the bill is about intercepting all encrypted traffic and decrypting it? :rolleyes:

If you put a backdoor in for one, you put a backdoor in for all. For example, there are indications that the NSA altered the structure of the DES algorithm, presumably to make it easier for them to access. That permanently undermined trust in that algorithm to the point where AES was created as an open standard to replace it - not necessarily because the NSA specifically had (or might have) access, but that the algorithm had that built-in weakness that somebody could exploit.

Once that backdoor exists, there's nothing to stop criminals, or the Chinese, from exploiting it. It's not possible to put a 'UK government only' backdoor in there - anyone who understands the mathematics sufficiently can use the same exploit. If nothing else, this leaves the government open to massive legal costs when their gimped cipher inevitably gets hacked by the Chinese.

Email, whatsapp, facebook etc aren't affected because they don't have that sort of encryption.

Actually they do use the same sort of encryption, the only difference is where the endpoints lie. For iMessage the endpoints are the sender and receiver, for Facebook messaging the endpoints are the user clients and Facebook's servers - hence why a Facebook employee with access to those servers can read the decrypted messages. They both use industry standard algorithms for the encryption.
 
Last edited:
If you're going to throw rolleyes around you should really make sure you know what you're taking about. If legislation targets putting a back door into iMessage then terrorists will just use something else, so the proposals will at best be ineffective. If it targets all encryption then it affects the security of all sensitive Internet traffic. Sorry if you're struggling with this.
 
The link in the OP states what this bill is about - messaging systems like Apple's iMessage where not even Apple staff have access to your messages. Personally I'd like to think that if a group of terrorists in the UK are plotting a mass-murder then they shouldn't be completely safe to use a messaging system that's so easy my Gran can use it. Email, whatsapp, facebook etc aren't affected because they don't have that sort of encryption.

Also - how can you possibly claim that you're not overreacting when you think the bill is about intercepting all encrypted traffic and decrypting it? :rolleyes:

Why do you think this bill would affect terrorists? They aren't going to continue to use a compromised services, they'll use something else - something which is secure still. Even if they have to code it themselves.

They only people this will affect are law abiding people.
 
Shall we expect to see a rise in the take-up of encrypted messaging apps on Google Pay like the Snowden endorsed Signal messaging service ;)
 
If you put a backdoor in for one, you put a backdoor in for all. For example, there are indications that the NSA altered the structure of the DES algorithm, presumably to make it easier for them to access. That permanently undermined trust in that algorithm to the point where AES was created as an open standard to replace it - not necessarily because the NSA specifically had (or might have) access, but that the algorithm had that built-in weakness that somebody could exploit.

Once that backdoor exists, there's nothing to stop criminals, or the Chinese, from exploiting it. It's not possible to put a 'UK government only' backdoor in there - anyone who understands the mathematics sufficiently can use the same exploit. If nothing else, this leaves the government open to massive legal costs when their gimped cipher inevitably gets hacked by the Chinese.



Actually they do use the same sort of encryption, the only difference is where the endpoints lie. For iMessage the endpoints are the sender and receiver, for Facebook messaging the endpoints are the user clients and Facebook's servers - hence why a Facebook employee with access to those servers can read the decrypted messages. They both use industry standard algorithms for the encryption.

Exactly this.

And large companies don't rely on Facebook etc to actually run their business, sure they use them to have an online social presence. Same reason for not opting to let Google run their mail servers, so everything has to be internal. I was even made aware of a policy the other day at my company where you're not allowed to use Google Translate for anything work related as Google will store the text.

At the end of the day, financial institutions for one would have a field day if the encryption algorithms currently in use were broken, fraud would go through the roof. You make a key for a special "back door", it'll just get broken by someone else. You either have encryption or you don't have encryption.
 
Snowden endorsed.....

Did you also cringe heavily at that when you seen it banded about? :p

I actually found a potential bug in it and have submitted it to them on Git. It essentially left me believing I was communicating securely when I was 100% not.... Other than that, Signal is good and I do believe uptake of such apps will rise pending the BS that comes from May's clown show that's currently ongoing.
 
Even the US have given up on legislating this. That should tell you something about how unrealistic is if the worlds biggest snooper has woken up to facts.
 
No it wouldn't lol - see what I mean about hysterical over-reactions?



But everyone's communications aren't being decrypted.

Interesting that Facebook messaging isn't affected by this discussion because Facebook staff can read the messages you send. Interesting that the sky hasn't fallen in because of this.

I'm not actually that bothered if people read messages as such, it's more the premise of the law. I know Google is profiling me with my searches, I know Facebook has data on me but I consent to this as part of the terms of service for the use of that companies services.

What I am bothered about is what these laws and legislation stand for and what they mean in the present and in the future. I don't trust politicians and many people in power. Time and time again they show they cannot be trusted to do or stand up for the right thing, they are in it for their own greed, little else. That snake May is also one reason to disagree with everything that comes out at the moment as well. That and the justification they are using (as discussed above).

They could be honest, but they know to wouldn't pass if they were, so they use underhand methods and emotive words instead.
 
Because fundamentally communications would still be secure enough to do business. Companies aren't worried about the British security services monitoring their comms, they're worried about hackers gaining their customer's data, staff data or their IP etc, or the effects of a terror attack on their business. Having a strong, stable state where the rule of law is in place creates a good environment for business.

Actually many are. Its not just the UK though, many companies wipe devices before going through US immigration just in case their devices we confiscated and highly sensitive information is taken by the U.S. Government. Companies building/designing things for other countries or companies in other countries would be very worried about this. Industrial espionage is big business and you would be a fool to think it's only China that spies on British/US companies, it happens the other way round as well.
 
The only way its ever useful (and we will have all sold ourselves digitally into slavery if we let it pass) is if the only way you can ever transmit data online is via "authorised" applications only on a trusted hardware platform using biometric security to identify the logged in user (aside from the fact people upto no good would avoiding using it for those purposes) at which point the potential for corruption is massive - just for instance can you imagine the edge the ruling political party would have from being able to snoop on everything the opposition might be doing.

Sadly I can see the Tories try and progressively push down this road as far as people will let them.
 
If you put a backdoor in for one, you put a backdoor in for all. For example, there are indications that the NSA altered the structure of the DES algorithm, presumably to make it easier for them to access. That permanently undermined trust in that algorithm to the point where AES was created as an open standard to replace it - not necessarily because the NSA specifically had (or might have) access, but that the algorithm had that built-in weakness that somebody could exploit.

Once that backdoor exists, there's nothing to stop criminals, or the Chinese, from exploiting it. It's not possible to put a 'UK government only' backdoor in there - anyone who understands the mathematics sufficiently can use the same exploit. If nothing else, this leaves the government open to massive legal costs when their gimped cipher inevitably gets hacked by the Chinese.

Why does it even need to be hacked?

Once the backdoor is created, to adhere to UK law, the Chinese just need to copy and paste the law and tell Apple they can't sell any products in China unless they give the Chinese government the key to the Backdoor. Then Saudi does the same, follows by Russia, the gulf states, African countries, the U.S. And then the rest of the world.

Suddenly that encryption isn't worth the hard drive it was written on as basically anyone can bypass it.
 
Sadly I can see the Tories try and progressively push down this road as far as people will let them.

This isn't a partisan issue - Labour would do exactly the same. The source of demand for this is the three letter agencies and the civil service/bureaucrats who run this country long term.
 
Why does it even need to be hacked?

Well it depends exactly what they are proposing. They could mandate an artificially weakened algorithm which requires some sort of attack methodology, like how the current NSA/DES situation is thought to work. Presumably that methodology would not be published, but hackers could either attempt to deduce it mathematically or they could simply try to hack whichever government department has the methodology documented and steal it.

The other thing they could mandate is a set of government public/private keys that must be used for each encrypted message along with the keys of the user. Hackers could then attempt to get hold of those keys which would allow them to access any messages encrypted using those keys. Both of these would probably require that current algorithms like DES and AES be banned in favour of a gimped replacement that most people could just refuse to use.

I suspect what the government will try to do is force Apple and the like to change their system so they act as a man-in-the-middle where encrypted messages are decrypted, before being re-encrypted and passed on to the recipient. At which point Apple could basically say 'no', forcing the government to take the unpopular step of banning iMessage in the UK. Which, given the current government's razor thin majority, will be very fun to watch.
 
This isn't a partisan issue - Labour would do exactly the same. The source of demand for this is the three letter agencies and the civil service/bureaucrats who run this country long term.

True, Labour have already signalled they'll pretty much wave it through already.

Some interesting comments here> https://twitter.com/GazTheJourno

And overarching summaries of the draft bill > https://www.gov.uk/government/publications/draft-investigatory-powers-bill-overarching-documents
 
Last edited:
If you put a backdoor in for one, you put a backdoor in for all. For example, there are indications that the NSA altered the structure of the DES algorithm, presumably to make it easier for them to access. That permanently undermined trust in that algorithm to the point where AES was created as an open standard to replace it - not necessarily because the NSA specifically had (or might have) access, but that the algorithm had that built-in weakness that somebody could exploit.

Once that backdoor exists, there's nothing to stop criminals, or the Chinese, from exploiting it. It's not possible to put a 'UK government only' backdoor in there - anyone who understands the mathematics sufficiently can use the same exploit. If nothing else, this leaves the government open to massive legal costs when their gimped cipher inevitably gets hacked by the Chinese.

Well no-ones advocating putting in a "back-door" (a rather simplistic term for what in effect would be a sophisticated solution) and then letting everyone use it. Sure there's a risk that the government's "back-door" key gets compromised and that'll have to be managed, but you know, government's are used to handling sensitive information - a lot more sensitive than this tbh.

Actually they do use the same sort of encryption, the only difference is where the endpoints lie. For iMessage the endpoints are the sender and receiver, for Facebook messaging the endpoints are the user clients and Facebook's servers - hence why a Facebook employee with access to those servers can read the decrypted messages. They both use industry standard algorithms for the encryption.

That fundamentally changes the solution though.
 
They're also used to losing it. It's why wikileaks is what it is...

Another point is hackers getting access to the data. The recent Talk Talk attack just shows how easy it could be to get what is very sensitive data.
 
They're also used to losing it. It's why wikileaks is what it is...

Another point is hackers getting access to the data. The recent Talk Talk attack just shows how easy it could be to get what is very sensitive data.

Well yeah, which is why Manning and Snowden have so much blood on their hands. Nothing to do with the UK government though.

Hacking into TalkTalk (with an SQL injection vector ffs) is one thing, hacking into GCHQ is a rather different prospect.
 
Back
Top Bottom