It’s safe to say that no security expert wants to create a haven for online opium trading or make texting apps safe for organized crime. It’s also safe to say that no legislator wants to open a pandora’s box that will syphon out all available credit card numbers. However, the issue thickens with WhatsApp being secured on specialty phones encrypted for the Sinaloan cartel. Data-defenders and privacy activists have been holding a staunch line against encryption backdoors, but recent government rumblings indicate the line might be giving way. The complicated tangle that is the ensuing debate for privacy, protection and the pursuit of encryption, in this week’s Digest.
For those needing an end-to-end binge reel of the Going Dark encryption debate, Stewart Baker of Lawfare did an excellent job of chronicling the schism. We’ve summarized his points here, and it appears the conclusion may be in plaintext:
- France and Germany call for regulations in 2016 that would stretch across the EU and require mandated decryption at the behest of law enforcement
- France implements anti-terrorism legislation, requiring “technical assistance” from messaging companies and fines for failure to comply
- France’s Emmanuel Macron campaigned on transparency with internet companies, declaring them “complicit” to terrorist acts if they refused to decrypt
- Responding to a European Council questionnaire, Hungary, Croatia, Latvia and Italy all lent their support to “lawful access mandates” throughout Europe
- Poland gives an ultimatum: install a backdoor or weaken your encryption. Some argue that there may not be a difference.
- In 2018, the European Electronic Communications Code will require companies to “enabl[e] legal interception by competent national authorities.” Nations in Europe have until 2020 to get on board.
- The Five Eyes Alliance (Australia, Canada, New Zealand, UK, US) issued a memo calling for “customized solutions” that would allow encryption backdoor access by law enforcement
- Just this year, Ralphe Goodale, Canadian Public Safety Minister called for a policy to “ensure privacy” while not allowing safe harbor for nefarious exploits like child trafficking. Open-endedly, this implies softened encryption or government accessible backdoors.
It’s hard to become very good at one thing
That’s why we have the term “career politician” - because to get elected, it often takes a career. That’s one less career that can be spent understanding the intricacies of cybersecurity. And that’s one more generalist that unfortunately is being asked to make the decisions of a specialist.
Bruce Schneier encourages the existence of a national cybersecurity regulating body that can inform these decisions and provide expert counsel in a world where rapid tech is par for the course. Times are changing. Policy needs to change too. The problem is, do policy makers know how?Survey says when it comes to encryption: they may not.
- FiveEyes Calls For Encryption Backdoors But It Won’t Change The Math
- Overheard In The Press: Encryption Backdoor Debate
- Why are Government Officials Who Know Next to Nothing About Encryption So Eager to Mandate Encryption Backdoors?
Richmond, CAN resident Vincent Ramos was a successful CEO by all measures. He ran the cyberfirm Phantom Secure that specialized in specialty encrypted devices, for a niche clientele. The only problem was his niche. He allegedly catered to a Sinaloan organized crime gang that created a WhatsApp chat on his encrypted phones to organize the murders of hundreds of Mexican law enforcement agents.
However, one thing Phantom Secure’s CEO can’t be blamed for is allowing investigators an encrypted backdoor into their secure phone network, because he never did. "He was given the opportunity to do significantly less time if he identified users or built in/gave backdoor access," said a source close to Ramos. According to another source, "He never gave law enforcement a backdoor into Phantom Secure. He did not do that."
"He respected the privacy of clients whoever it was."
Encryption backdoors widen the game of cat and mouse. The problem is, in this scenario the mouse is just as big and formidable as the cat. Opening encryption backdoors would allow more good guys to catch bad guys. It would allow more bad guys to catch good guys.
It widens the arena and grows the game. The question is—do we want to play?
With all the cards being stacked in favor of government access, it may be too late to ask.
- What Apple vs. FBI Means for the Global 5000
- Encryption Backdoors and Federal Cybersecurity Posture
- Huawei Trains African Surveillance, African Government Officials Spied On [Encryption Digest 9]
“Your connection is not private.”
If you were looking to save a dime with Her Majesty's Revenue and Customs tax care portal, last Sunday would not have been the day. Parents log on to take advantage of the credit that allows you to pay some of your childcare bill before tax. However, on that day the UK tax authority let a TLS certificate lapse, rendering their payment portal unarmed and dangerous.
Even without a decent certificate management platform, an enterprise should still be able to renew a certificate fairly quickly. Right?
I asked Venafi’s Mark Miller, Sr. Director of Support, how long this type of TLS certificate renewal should take in a usual scenario. Here is a Slack transcript, minus the GIFs:
Me: How long should this have taken
MarkM: with [Venafi] TPP, seconds
Me: Cool. How about without?
MarkM: problem is though that you only do this manually every 1-2 years
By the time renewal comes around, you may have different staff and finding all of the right addresses, credentials, and info needed can really extend this to a day or more of work
That might have been what happened at HMRC, as well into the next workday, they were still running for a solve. The TLS certificate has now been updated, but hopefully when full awareness of automated certificate management tools becomes ubiquitous, scares like this certificate outage will be as ancient as HTTP.
- British Conservative Party Learns A Tough Lesson About Controlling Encryption
- Murphy’s Law for Certificate Outages
- Certificate Lifespan Controversy Sparks Concerns
TalkTalk, quadruple play provider of telecom and broadband services in the UK, was temporarily offline last week. Why? Their certificate had been revoked. Why? Wrong address.
In Scott Helme’s twitter feed, he chronicles his minute-by-minute unearthing of the paper trail leading to what appears to be an 11-hour mishap.
Apparently, the address—yes, just the physical locale—of the British ISP was originally mistyped with Comapanies House, the UK’s business registration authority. Two days later the address was amended. The CA issued the offending EV certificate 6 months later (a separate issue) and unfortunately did so with the wrong address. Consequently, the certificate had been null since its origination and managed to stay sequestered until just 2 weeks before it was set to expire.
In this case, the problem was uncanny. You could even blame the CA. But with certificate related outages leading to breaches averaging $3.4 billion dollars apiece, no major entity can afford to take chances.