1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News GCHQ, NCSC call for end-to-end encryption back door

Discussion in 'Article Discussion' started by bit-tech, 30 Nov 2018.

  1. bit-tech

    bit-tech Supreme Overlord Lover of bit-tech Administrator

    Joined:
    12 Mar 2001
    Posts:
    3,676
    Likes Received:
    138
    Read more
     
  2. Mr_Mistoffelees

    Mr_Mistoffelees The Bit-Tech Cat. New Improved Version.

    Joined:
    26 Aug 2014
    Posts:
    5,207
    Likes Received:
    2,446
    I don't do anything illegal online, GCHQ won't be interested in me, I have nothing to hide so, I have nothing to worry about, errr, don't I?

    Given HM Government's history with regard to anything to do with computers, how could I possibly trust them to do this in a way that CANNOT be compromised for criminal gain?
     
  3. IanW

    IanW Grumpy Old Git

    Joined:
    2 Aug 2003
    Posts:
    9,151
    Likes Received:
    2,656
    One agency's backdoor will quickly become every 1337 h4xx0r'5 catflap.
     
    adidan and Mr_Mistoffelees like this.
  4. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    So they're asking us to trust that they won't abuse their powers when it comes to encryption that's only become so prevalent because a whistle blower spilled the bean on how they'd been abusing their powers.

    If they hadn't spent years illegally eavesdropping on everyone, and still continue to do so, we'd probably feel less inclined to use encryption.
     
    MLyons and enbydee like this.
  5. fix-the-spade

    fix-the-spade Multimodder

    Joined:
    4 Jul 2011
    Posts:
    5,489
    Likes Received:
    1,275
    Nothing to hide, nothing to fear, until we change the rules.

    No doubt the DVLA is slavering over the chance to use mass surveillance to make sure everyone gets a fine for the three hours they didn't have insurance in 2015 when they didn't quite time the two policies correctly.

    Of course the silliest part of this is that if/when they get their 'crocodile clips' all that will happen is third parties based in non-complying countries will offer software to add a layer of encryption over the encryption and they'll be back to square one.
     
  6. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    I still don't see how it is technically possible to do without a single worldwide government. Chinese intelligence sends a court order signed by a Chinese judge to Whatsapp and asks to listen for chat between an UK and US person. Will they do it ? Will they breach US or UK law by allowing the Chinese to do so? Or for Turkish to listen in to some talk between Kurds in Iraq and Syria ? This is something they never consider when bringing up these ideas.
     
  7. loftie

    loftie Multimodder

    Joined:
    14 Feb 2009
    Posts:
    3,173
    Likes Received:
    262
    So it'll work up to the point that the encrypted message, sent through whatsapp that will have an extra recipient, becomes encrypted itself then back to square one? Bsf hdir tnpljoh tpnfuijoh?

    1
     
  8. yuusou

    yuusou Multimodder

    Joined:
    5 Nov 2006
    Posts:
    2,852
    Likes Received:
    916
    If the five eyes (you must be full of yourself to give yourself a name like that) can look at my communication, then why can't China? Russia? North Korea?

    What makes these countries and their governments any more entitled or trustworthy than those? Sure their human rights track record may be a bit better, but their privacy track records certainly are not any better.

    And as if the countries mentioned above won't find a way to use these back doors. Get real.
     
  9. Anfield

    Anfield Multimodder

    Joined:
    15 Jan 2010
    Posts:
    7,059
    Likes Received:
    970
    What are the qualifications required to become Technical Director of the National Cyber Security Centre? Able to turn on an ipad? Can tell a rock from a monkey? Remembers to breath? because it evidently doesn't involve any knowledge about the most basic concepts behind encryption.
     
  10. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,737
    Likes Received:
    5,502
    I have nothing to hide, I just have plenty I don't want them knowing. Big difference.

    And there's this:
    The best way to stay safe online is for as few people to know as little as is possible about you and we're always advised to stay safe online.
     
  11. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    I guess it would only apply to communications taking place into or out of the five eyes countries.
    Haven't you heard we're special. :)

    Seriously though they'd have to make their own arrangements, once we've set a precedence it should be easy enough, although I'm not sure they'd exercise the same 'oversight' or pay much heed to basic human rights as we *supposedly do.

    I say supposedly as Human Rights Watch has recently sent a letter to the US Justice Department asking it not to share information with us because of our human rights violations.
     
  12. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    Easy problem to solve.
    https://citizenlab.ca/2012/12/chara...s-a-case-study-of-the-china-telecom-incident/
    https://www.theregister.co.uk/2018/...agree_china_telecom_is_a_repeat_bgp_offender/
    https://arstechnica.com/information...oogle-as-traffic-improperly-travels-to-china/

    A BGP misconfiguration, now the data from US to US goes through China Telecom. Can Chinese spying agency now request those data ?

    Also to and from ? Uhm, you can bet once they identify their suspect/target, they will require ALL communication of that person. They will not care that that person is in 5 eyes country or not. Jurisdiction on Internet is a very vague concept.
     
  13. Pliqu3011

    Pliqu3011 all flowers in time bend towards the sun

    Joined:
    8 Aug 2009
    Posts:
    2,736
    Likes Received:
    257
    How would a backdoor even work? There's no such thing as a skeleton key for cryptographic algorithms, at least not for any that I've heard of. There's no shortcut to prime factorization; it would break maths, P would be NP, pigs would soar the skies.

    Or do they just want your set of private keys to be accessible behind another key "only they" can get past?

    Also pretty much obligatory every time this subject comes up:
     
  14. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    There's really no way to say this without sounding like a dick, but I'mma take one for the team: did you read the article?
     
    jb0 and adidan like this.
  15. Pliqu3011

    Pliqu3011 all flowers in time bend towards the sun

    Joined:
    8 Aug 2009
    Posts:
    2,736
    Likes Received:
    257
    Ok, guilty as charged. I skimmed it, my apologies Gareth (I usually try not to be that guy) :blush:

    I read the article and the one on lawfareblog and wrote a whole bunch about how I still don't see how they would do it "silently" (i.e. no packets from or to whitevan_server01 noticeable on either end), but then I re-read this paragraph:
    So with "silent" they basically just mean that on an application level it won't explicitly tell you anything (right?). While anyone with Wireshark could clearly see a three-way key exchange happening... and log off.

    (not trying to be a smartass here, just interested in how this would work)
     
  16. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    That's my understanding, although it would probably be easier to use an open source chat client, write your own basic client, or just use a one-time pad, than it would be digging through Wireshark logs looking for a three-way.
     
  17. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    So, let's use WhatsApp as an example. It uses public-key cryptography: I have a key, you have a key. When I send you a message, it's encrypted with both of our keys so I can read it and you can read it, but nobody else. End-to-end encryption.

    The message doesn't go straight to you, though: it's end-to-end, but not peer-to-peer. My message goes to the WhatsApp server (status: one grey tick), then to your phone (status: two grey ticks), then you read it (status: ticks go blue.) There are three points there where GCHQ can snag a copy: at my ISP, at WhatsApp, at your ISP. The copy won't do them any good, though, because it's encrypted.

    So, GCHQ's solution: force WhatsApp to add a hidden, third key belonging to GCHQ. Now I can read it, you can read it, and GCHQ can read it. (Specifically, and here's where the real concerns begin, anyone with a copy of GCHQ's key can read it.)

    WhatsApp - and any other crypto program worth its salt - has protections against this. If you try to add a third key, we'll get a notification saying there's a third party in the chat. If you try to perform a man-in-the-middle attack, by replacing our keys with some else's and decrypting and reencrypting at the WhatsApp server, we'll receive notification that the keys have changed - or, if it's the first time we've talked, the keys will fail verification.

    GCHQ's answer to those is in two parts: the first is that they'd compel WhatsApp to *not* alert users when the special GCHQ key is added as a recipient. The second is more interesting: GCHQ can either force WhatsApp to lie about the key verification, or it can simply rely on the fact that nobody ever bothers to verify the keys anyway. When was the last time you got in touch with a WhatsApp contact out-of-band and read out the verification checksum?

    In either case, Wireshark wouldn't help, because it's not peer-to-peer: all it will see is encrypted traffic between your phone and WhatsApp's servers, nothing so obvious as connections to GCHQ IPs.
     
    Pliqu3011 likes this.
  18. Pliqu3011

    Pliqu3011 all flowers in time bend towards the sun

    Joined:
    8 Aug 2009
    Posts:
    2,736
    Likes Received:
    257
    Thanks for the explanation.
    I'll have to think about it a bit but that does seem to make sense.
     
  19. jb0

    jb0 Minimodder

    Joined:
    8 Apr 2012
    Posts:
    555
    Likes Received:
    93
    Man, remember when we made fun of the Soviet Union for things like this? Those were the days.
     
  20. leexgx

    leexgx CPC hang out zone (i Fix pcs i do )

    Joined:
    28 Jun 2006
    Posts:
    1,356
    Likes Received:
    8
    Not that I agree with having backdoor in chat

    but I have to agree people care less if it is encrypted or not if they did something as basic as like what BlackBerry was doing with their messaging where the ID of the phone it's been sent and received to is the actual encryption key so you only need to know the actual ID to decrypt the message, as at the moment anybody with bad intentions can just simply use WhatsApp as it's fully encrypted end-to-end they have to physically have the phone to actually read the messages and it's passive as well

    as it is passive they cannot tell the difference between somebody who's going out of their way to use encrypted messaging or just a normal person who's just sending a message where as before if you used in encryption message/email it's very likely they would actually store it to try and break it at a later point if needed or at least use the metadata to work out where you are and person receiving it

    The easy solution is Just make the encryption optional or crack able (as why encryption in web browsers were so low but level to start off with it was so the government could crack it as they had a lot of CPU power to play with) now its at the point its just easier to compromise the device or computer but if people are using everyday apps to plot say a bombing they won't be able to pick up on it Like they would over sms ( I wouldn't be surprised if this message I posted gets flagged up by them because of the magic b word)
     
Tags: Add Tags

Share This Page