So Who Wants to Break the Internet ... Governments, Law Enforcement ... and Banks?

So Who Wants to Break the Internet ... Governments, Law Enforcement ... and Banks?

Prof Bill Buchanan OBE FRSE Prof Bill Buchanan OBE FRSE

Prof Bill Buchanan OBE FRSE

Old World Breaker, New World Creator

发布日期: 2018年3月8日
+ 关注

Our digital world has very little trust, and many of the problems that we have relate to the complete lack of trust in anything that we see on-line.

Very few emails that we receive can ever be properly trusted.

At one time it was fairly easy of intruders to listen to our communications, but, then SSL/TLS came along to fix a problem of the sniffing of network traffic, but it is merely a sticking plaster. Many modern day firewalls, though, break these communications, as they have the required private keys which are able to break the tunnel. But TLS 1.3 will make it a whole lot more difficult, as digital certificates will not be used for the keys.

The nightmare for governments and law enforcement is end-to-end encryption, and where data is encrypted at its source. Then it doesn't matter if you use a tunnel or not, the data will not be cracked and only the hosts on either end will know the key. If the Internet was created now, it would implement end-to-end encryption, and would adopted the Tor network infrastructure. But for governments and law enforcement agencies, a world of end-to-end encryption leads to the nightmare scenarios that it will not be possible to listen to communications. The term "responsible" encryption has been termed, but in practice it is almost impossible to create a system which allows for good, but block bad.

A back door?

Now TLS 1.3 is being proposed, and it is not just governments and law enforcement that are calling for a backdoor, it is BITS [here], which represents over 100 of the top US financial organizations. In [here] we see a draft of a back-door around the TLS connection and which is being proposed as an option for TLS 1.3:

It thus allows a server to take control of a connection on behalf of a client, and thus insert a backdoor into the communications. A risk thus exists of malicious man-in-the-middle attacks against connections from within data centres and ISPs. While the banking industry obviously wants this, so that they can scan for malicious leaking of data, the wider ramification is that it could be used by any advisory to spy on communications. The Internet would thus be a much less secure infrastructure.

With TLS we have a static key exchange between the client and the server, and where the client creates the key and then encrypts with the public key of the server. This is defined as "non-forward secrecy", where the key could only be determined with the private key of the server. Unfortunately it is possible to proxy the operation and decrypt the key, and this is the method that many banks use to break the tunnel. With TSL 1.3 the key exchange would be with a ephemeral Diffie-Hellman handshake, where it will not be possible to use the private key from the server, and only the end devices would have the required keys.

Here is how SSL/TLS works:

Conclusions

For many in the technology industry, this approach would be a complete non-starter as an idea. The line has been crossed, and the freedom of the Internet could be at stake. If you think we have problems with security, just imagine we go back to the time of WEP and non-encrypted traffic, and where anyone could listen to your communications.

要查看或添加评论,请登录

Prof Bill Buchanan OBE FRSE的更多文章

社区洞察

其他会员也浏览了