
Feds put heat on Web firms for master encryption keys (CNET)

CNET is reporting that the US government has been requesting the private SSL/TLS keys of major internet firms. Without perfect forward secrecy (which is rarely used on today's internet), that would allow the US to decode HTTPS traffic—even retroactively. It's not clear which, if any, internet companies have turned over those keys. "It's not entirely clear whether federal surveillance law gives the U.S. government the authority to demand master encryption keys from Internet companies. 'That's an unanswered question,' said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. 'We don't know whether you can be compelled to do that or not.'"

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 24, 2013 20:56 UTC (Wed) by kragil (guest, #34373) [Link]

This has to stop .. why don't Americans care? Has the stupid terror threat worked so well?

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 24, 2013 22:24 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

who says we don't care?

remember that Americans are learning about this for the first time along with the rest of the world.

now, it is a good question if _enough_ Americans care to get this sort of thing changed.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 24, 2013 23:39 UTC (Wed) by fest3er (guest, #60379) [Link]

The answer to this is that most Americans care far more about bread and circuses than they do about limiting government. Look at the communists, fascists and anarchists we keep electing to office; they and their left and right wings have just about achieved their goal.

Not enough of us Americans care to learn about the problems unrestrained government causes. The result is an out-of-control government that largely operates outside the law.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 2:59 UTC (Thu) by wahern (subscriber, #37304) [Link]

I _wish_ we elected communists or anarchists in the United States. Because of 120+ years of brutal repression here, those are the only two groups that would unfailingly oppose the police state.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 13:07 UTC (Thu) by mpr22 (subscriber, #60784) [Link]

Anarchists, yes, since the creation of a police state is the establishment of a formal hierarchical power structure and thus directly contrary to anarchism.

Communists, maybe not. Socialist and communist political groups were quite vigorously repressed by Imperial Russia after the assassination of Alexander II, yet the RSFSR and the USSR were police states.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 5:16 UTC (Fri) by wahern (subscriber, #37304) [Link]

Fair enough. I wouldn't trust communists if they had any substantial power. I just think that if there were a minority of communists in an American legislature they'd be easy anti-police state votes. And I don't think you could say that about every potential minority party, especially comprised of conservative groups (e.g. fascists), where strong preferences for "law & order" tend to lead to aggressive policing and a proliferation of criminal laws.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 24, 2013 23:45 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

What are Americans "learning about for the first time" ?

The NSA are spooks. They aren't a poetry society, or a dance troupe. Spying on people is what spooks do. When you hire spooks, it goes without saying that you're hiring them to spy on people, and to use dirty tricks to do so.

Americans have spent _decades_ with their fingers firmly in their ears pretending that the NSA isn't spying on them. On those dirty foreigners (aka your allies) sure - but not the people who pay their salaries. Right? But nobody who'd spent more than five minutes thinking about the problem would find that believable. I'm sure it sounded kind of plausible fifty years ago, in an age of limited international communications, if you didn't think about it too hard, but in today's global society, and particularly on the Internet, it's nonsense.

So the claim I'm seeing from so many Americans now is likewise unbelievable. Sure, it feels better to say "I didn't know" than "I guess I knew but I didn't want to think about it". But it's not true, is it.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 0:36 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

the fact that the NSA is a spy organization is not news.

but guess what, there isn't a country in the world that doesn't have its own version.

And of course its mission is to spy on foreigners, that's the mission of almost every spy agency in the world (there are a handful that are explicitly created to do internal spying, but far fewer of those).

There are laws explicitly prohibiting the NSA from doing internal spying. No, it's no surprise that these laws have been broken at some point (organizations are made of people, people are not perfect, at some point, someone will abuse their power)

However, what is surprising is the fact that the government has created a secret interpretation of the law that they claim says that they are allowed to do this.

There is a lot of disagreement on if this is really legal or not, and there are a good number of calls to make it explicitly illegal again, overriding these 'secret interpretations' of the law.

Will this stop all abuse? Of course not!

By the way, for proof that other countries have similar problems, just look at the Kim Dotcom case. There it was the New Zealand spy agency, and there are laws prohibiting them from going after permanent residents (like Dotcom), and that has given the government a black eye. Unfortunately, the last I heard is that they are now working to change the law to make such internal spying legal.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 3:11 UTC (Thu) by wahern (subscriber, #37304) [Link]

"its mission is to spy on foreigners"

That was the case throughout the 1980s and 1990s, after the Church Committee hearings in the 1970s caught them spying on Americans. But it's abundantly clear that President Bush tore down those walls, so we're back at square one.

The NSA absolutely spies internally. Even before the Snowden leaks it was already known that NSA trawling is how the Feds caught Governor Eliot Spitzer paying prostitutes.

And as far as I know there are no laws that prevent the NSA from spying internally. You're thinking of the CIA. The NSA is part of the Department of Defense, which is why it's always headed by a general.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 3:50 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

The military is under its own set of restrictions against being used for domestic law enforcement.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 4:01 UTC (Thu) by hummassa (subscriber, #307) [Link]

And you don't think it's naïve to imagine that they will break those restrictions, just like the NSA broke its own?

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 4:47 UTC (Thu) by wahern (subscriber, #37304) [Link]

But the NSA doesn't do law enforcement. They do intelligence. They then hand the intelligence off to the FBI to do the enforcement part.

Surprising, really?

Posted Jul 27, 2013 11:16 UTC (Sat) by man_ls (guest, #15091) [Link]

> However, what is surprising is the fact that the government has created a secret interpretation of the law that they claim says that they are allowed to do this.

Really? When there are secret laws, secret courts and secret orders, why do you think the secrecy is needed at all?

Hint: the terrorists don't really care about the number of FISA orders granted, or about broad orders that request data from telecoms; they know very well that electronic communications can (and will) be intercepted. Proof by reductio ad absurdum: otherwise they would be incarcerated by now. However, the general populace do care about these small details, as seen in the response to Snowden's revelations.

Surprising, really?

Posted Jul 28, 2013 15:38 UTC (Sun) by raven667 (subscriber, #5198) [Link]

The high-security world can be quite insane, Dr. Strangelove "no fighting in the war room" levels of insane, with multiple levels of pretending ignorance of things that everyone knows full well, misdirection, etc. The funny thing is that during the cold war, each side had largely penetrated the other with moles so much of the security practice amounted to kabuki theatre because it was all pretend secrecy any way.

I think a lot of secrecy practice is because the participants think they are cool, real operators, the more security they practice and to prevent embarrassment when they screw up. "Saving Lives(tm)" is pretty far down on the list, so are "We The People".

Surprising, really?

Posted Jul 29, 2013 16:10 UTC (Mon) by man_ls (guest, #15091) [Link]

There must exist some counterpoint to this madness. Usually it lies in the participants' ability to experience shame of themselves, but when it fails there must be some higher court (of the public variety which admittedly is not as cool as a "secret court") that sets things straight.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 1:17 UTC (Thu) by apoelstra (subscriber, #75205) [Link]

> Americans have spent _decades_ with their fingers firmly in their ears pretending that the NSA isn't spying on them. On those dirty foreigners (aka your allies) sure - but not the people who pay their salaries. Right? But nobody who'd spent more than five minutes thinking about the problem would find that believable. I'm sure it sounded kind of plausible fifty years ago, in an age of limited international communications, if you didn't think about it too hard, but in today's global society, and particularly on the Internet, it's nonsense.

As a Canadian, I experience American politics and culture (nearly) first-hand, but have no control over their decisions nor do I fund any of their shenanigans directly. So I have no motivation to stick my fingers in my ears and pretend that nothing is happening -- quite the opposite, really.

And yet, my reaction to this news was much the same as that of my American friends. The recently-revealed behavior of the NSA is completely beyond the pale, and most any sane person would dismiss such allegations as unjustified paranoia, given that they are flagrantly illegal. At least, six weeks ago they would have. Besides, I have met many Americans of all ages who still speak of the cold war as though it were yesterday, and have a deeply seated repulsion to domestic spying or any "Soviet" behavior.

The kind of insanity we have been informed of recently goes beyond the law and beyond the culture of America, and I certainly don't think that anyone should have known it except that they "didn't want to think about it".

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 8:40 UTC (Thu) by Duncan (guest, #6647) [Link]

I certainly can't say (as a USian) I'm surprised. The signs were there all along, or at least from 9/11 on, from the virtually unanimous approval of the (anti-)Patriot Act, to the congress vote (including Obama) to give the telecoms immunity for rolling over and handing the keys to the spooks, to the very idea of forbidding recipients of national security demand letters from even properly consulting with their lawyers about them, let alone publishing even anonymous statistics about them.

I actually expected Obama to deliver some excuse for that vote at the Democratic convention where his nomination was confirmed, as while I predicted his win[1], there was no way I could even /consider/ voting for him (and certainly no way I could vote for the party that was asking for it all in the first place) without at least /some/ semblance of "apology" for his "mistake", but it wasn't to be, and since then he has demonstrated time and time again that he was the "Bush lite" that he accused McCain of being.[2]

The fact is, after 9/11, both parties handed the spooks pretty much anything they asked for, including immunity for those cooperating with them where it broke the existing law, with the barest hint of limits even for appearance-sake. And the sheeple public lapped it up as they were trained to do.

I'm glad Snowden happened although I have my doubts it'll ultimately change much except dispel a few myths the sheeple might have had previously, but it's not like anyone who thought about it had any myths dispelled by his revelations in any case.

Meanwhile, this particular additional revelation is only surprising in that they're going /that/ far and that it actually got out. Given the timing it's unlikely that this pressure occurred post-Snowden, however. I guess it's likely that'll encourage them to lower the pressure a notch for the time being, but unless laws changing the status quo get enacted, I expect they'll be back at it pretty quickly.

As for the (anti-)patriot act, etc, I've long held that (as the US Declaration of Independence states, but the US Constitution unfortunately doesn't fully back up) if it's a right, it's a right for everyone, not just US citizens. Other nations may or may not support that right and the US may or may not in practice be able to do anything about that, but the US *CAN* and *SHOULD* control its *OWN* actions in accord with the human rights it asserts for its own citizens, for ALL people, and any hint that it's failing to do so is simply a hint of what it's going to be doing to its /own/ citizens in a few years, if it's not doing so secretly already. Once it's not held to be an inalienable right for all people everywhere, the barrier's gone, and it's only a matter of time.

There's nothing recent events have demonstrated better than the truth of the above.

Duncan
----

[1] As political pundits have pointed out, with very few exceptions at the POTUS level, it's the candidate with the most firmly optimistic message that wins, and from well before the Democratic primaries narrowed to Clinton/Obama, it was apparent Obama had the most optimistic message of any major candidate on either side, so I was predicting he'd take it. Bill Clinton used that too, but Hillary couldn't use it so easily given her gender and that she had to demonstrate sufficient decisiveness, etc. Still, that was far closer than I expected it to be.

[2] FWIW I was so disillusioned with the choices available in 2007 that I didn't bother voting, but then I had to live with the personal guilt and shame of that for four years and vowed never again, so in 2011 I was watching Ron Paul, and when that didn't pan out, I ended up voting Gary Johnson, Libertarian candidate and former governor of New Mexico. Not that I fully agree with the Libertarians either, but they'd hardly be worse than the choices the major parties seem to offer, and given 6-year Senate terms, I figure it'd take more than a 4-year presidential term to reverse the now over a decade old situation even if by some weird fluke it was a Libertarian clean slate win everywhere they ran.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 0:02 UTC (Fri) by khim (subscriber, #9252) [Link]

It's funny really. Americans react as if they are shocked and confused, but if you take a look at the reaction in Russia (which is kinda relevant because that's where Snowden escaped to) then you'll find out that people are not surprised (they expected something like this anyway) and government officials are disappointed not because such an awful thing as PRISM is discussed openly but because these same companies refused (and still refuse) to give a similar level of access to Russian spooks!

Which kind of raises the question: what is Snowden really trying to achieve? Why leave a country where you can get good money for your [perhaps awful] work and go to a country where similar work is perceived as normal?

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 9:34 UTC (Fri) by deepfire (subscriber, #26138) [Link]

The use of "democracy" to scare the rest of the world into resource serfdom -- I guess that stinks.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 29, 2013 11:53 UTC (Mon) by njwhite (subscriber, #51848) [Link]

> Which kind of raises the question: what is Snowden really trying to achieve? Why leave a country where you can get good money for your [perhaps awful] work and go to a country where similar work is perceived as normal?

Well, I don't think Snowden became a whistleblower for the lifestyle implications. He was trying to achieve an improvement in the USA. I doubt being somewhat on the run from the current USA government (and seeking refuge in other countries which have plenty of issues themselves) was something he would have preferred.

Is there an implication to your question? That he is a Russian agent or something?

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 6:08 UTC (Thu) by dakas (guest, #88146) [Link]

Well, there was a vote in congress just now on a law trying to keep the NSA from spiralling further out of control.

It actually failed with a rather small margin. Unfortunately, that's probably the peak of what to expect. Now that the NSA knows the names of their opponents, they can start blackmailing them with what they "legally" know of their private lives and communications.

Expect a few "discoveries" of high-level anti-government "conspiracies" that are thwarted by the virtuous work of the NSA soonish. Putting one or two on the block should be enough to get a few dozen back into line.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 6:56 UTC (Thu) by jezuch (subscriber, #52988) [Link]

I'm afraid you're right with that prediction. The USA is sliding towards a totalitarian police state at an alarming pace. Looks like the Cold War was won by the Soviet Union, after all... From the perspective of a resident of a post-communist country it's actually fun to watch... except that in today's global world and with USA controlling the majority of (and, as this article suggests, quite literally the keys to) the Internet, it's very, very unpleasant - and dangerous.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 22:56 UTC (Thu) by wahern (subscriber, #37304) [Link]

bzzz, you lose: slippery slope arguments are invariably histrionic.. and wrong.

The USA has been in far worse straits. We used to mow down protestors handing out leaflets. Once upon a time (e.g. before 1950) our free speech rights were regularly, and legally, suppressed, often with sanctioned violence and murder at all levels of government. Once upon a time government could suppress speech based only on a rational government interest--the very least restrictive judicial scrutiny. But it got better.

There's no reason to think that privacy protections cannot get better. But if history is any guide, if it does get better it'll be a long hard slog, and hyperbole isn't going to help. It will take a committed and sustained effort, and we need to tirelessly propose and test various philosophical arguments for why privacy matters. It wasn't until Justices Holmes and Brandeis proposed the "marketplace of ideas" concept that the country really saw a role and function of free speech which could rightfully withstand government intrusions.

* FWIW, "marketplace of ideas" had a social darwinism aspect. It intimated that without being subject to vigorous public debate, the "good" ideas like capitalism and patriotism would become weak and wither away, and so the way to protect the good ideas was to prevent the government from coddling them. This is what united conservative and liberal thought behind the idea of strong free speech protections. We need a similar meme which persuasively explains why privacy should be respected.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 29, 2013 14:04 UTC (Mon) by njwhite (subscriber, #51848) [Link]

> Expect a few "discoveries" of high-level anti-government "conspiracies" that are thwarted by the virtuous work of the NSA soonish. Putting one or two on the block should be enough to get a few dozen back into line.

There has been an interestingly sharp rise in news stories about paedophiles / terrorists / other unsavouries using tor and similar in the UK press since the Snowden leaks. They are largely news-free scare stories, and I doubt their timing is mere coincidence. The government here have also started pushing for lots more censorship of the Internet. Scary times ahead.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 3:34 UTC (Fri) by shmget (subscriber, #58347) [Link]

"remember that Americans are learning about this for the first time along with the rest of the world."

and yet this T-shirt is for sale by the EFF since 2008 or so...

https://www.eff.org/deeplinks/2008/10/effs-new-nsa-spying...

https://www.eff.org/cases/jewel

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 0:36 UTC (Thu) by ncm (subscriber, #165) [Link]

Americans are now a managed population, fulfilling the dream of Edward Bernays, Father of Public Relations, to keep democratic apparatus from interfering in the business of government. Government agency employees use a tamed press to promote public approval of all their activities.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 7:04 UTC (Thu) by jezuch (subscriber, #52988) [Link]

> Americans are now a managed population, fulfilling the dream of Edward Bernays

Or was it Alexis de Tocqueville[1][2], more than 170 years ago?

[1] https://en.wikipedia.org/wiki/Democracy_in_America
[2] https://en.wikipedia.org/wiki/Soft_despotism

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 5:12 UTC (Thu) by k8to (subscriber, #15413) [Link]

I think the real issues are:

* Legislative capture
* Disproportional 'military' spending

Should we approve of half our budget being 'defense' but be offended that a small fraction of that is on spooks? That seems .. a very small part of the issue to me.

The issue of legislative capture means effectively the will of the populace is neutered.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 22:04 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

If you think that half our budget is spent on defense, you haven't looked at the actual numbers. It's a staggering 20% of the budget.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 4:15 UTC (Fri) by shmget (subscriber, #58347) [Link]

"It's a staggering 20% of the budget"

that is because retirement and healthcare are counted in the operational budget of the federal government and not in a separate accounting structure, like they are treated in some other countries...
that dilutes the discretionary spending and makes the 50% become 20%

in the mean time we are up to $4,000 per capita/year for military-related spending... (I find it hard, at that level, to call them 'defense' spending)
http://en.wikipedia.org/wiki/File:PerCapitaInflationAdjus...

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 4:38 UTC (Fri) by k8to (subscriber, #15413) [Link]

As shmget states, it's half the decidable funding.

Debt servicing is the largest chunk, in absolute terms.

Even then, 20% would be pretty staggering.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 5:11 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

"decidable" is such a flexible term, it allows you to define things any way you want so you get the result you want

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 7:37 UTC (Fri) by k8to (subscriber, #15413) [Link]

Don't lower yourself to making such implied accusations.

That way of slicing the federal budget is the norm.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 19:13 UTC (Thu) by smoogen (subscriber, #97) [Link]

It is not just Americans who seem to be powerless on this.

http://arstechnica.com/tech-policy/2013/07/eu-reevaluatin...

Basically the data in the rest of the world isn't too protected either.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 26, 2013 5:39 UTC (Fri) by zooko (subscriber, #2589) [Link]

I think it is naive to believe that things are any different in Germany, or France, or the U.K., or China, or …

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 29, 2013 11:18 UTC (Mon) by tialaramex (subscriber, #21167) [Link]

Indeed. The choice isn't whether to permit "domestic" spying, but only whether to authorise and pay for spies at all. If you have spooks (and all the countries you listed do) then they will spy on your citizens because that's what they do. Indeed if they did NOT spy on your citizens you're wasting your money, the bad guys you were presumably hoping they'd find can conduct their business in plain sight of the spooks, protected by an arbitrary legal convention.

In reality, with so many powerful nations paying for spooks the choice is starker. You must pay for your own spooks, or accept a disadvantage for taking the moral high ground as others continue to spy on you. They'll be Merchants of Light stealing industrial secrets and manipulating your people, not James Bond types jumping off exploding boats but they will make you pay dearly for your smug openness. This (abolishing spooks) has been tried before without much success, but I welcome anyone who wants to attempt it again.

So, you will have spooks, and the spooks will do everything in their power to spy on everyone in the world. But this is /not/ the knock at the door of a totalitarian state. It wasn't ubiquitous surveillance that made the Stasi what they were, it was Zersetzung - psychological harassment. A ban on "domestic" spying by the NSA was perhaps well meaning but ultimately unenforceable, but ensuring our governments don't practice Zersetzung is entirely practical. If in a year's time Americans believe the spooks have magically stopped spying on them and they go back to sleep, we have achieved nothing. But if they instead accept that they've hired people to spy on them and now must behave accordingly, we might have some progress.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 29, 2013 13:18 UTC (Mon) by k8to (subscriber, #15413) [Link]

While I agree with most of your point, the legal structure we set up in the US was that we had internal "policing" and externally-facing spooks.

The "policing" and by that I mean the FBI were obviously partly spooks too but with a slightly different charter.

That both wings quickly dispensed with their charters and did what they felt like I think speaks volumes. The right thing to do is to have such groups, but limited in scope, on a short leash, and not periodically given any greater leeway.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 24, 2013 23:31 UTC (Wed) by fest3er (guest, #60379) [Link]

The Constitution is clear.

Without a valid, authentic warrant, the correct answer to such requests is, "No. Get a warrant."

Many kinds of data can be legally obtained without warrant

Posted Jul 24, 2013 23:48 UTC (Wed) by lotzmana (subscriber, #3052) [Link]

Do you need a warrant or not?

"How the Government Can Get Your Digital Data" http://www.propublica.org/special/no-warrant-no-problem-h...

In some situations the legislation hasn't caught up with reality. For example, all the data you store in a cloud can be obtained without a warrant.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 7:05 UTC (Thu) by jezuch (subscriber, #52988) [Link]

> Without a valid, authentic warrant, the correct answer to such requests is, "No. Get a warrant."

But they do get it... secret warrants from a secret court (FISC).

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 13:19 UTC (Thu) by dakas (guest, #88146) [Link]

> > Without a valid, authentic warrant, the correct answer to such requests is, "No. Get a warrant."

> But they do get it... secret warrants from a secret court (FISC).

The point of a warrant is to have accountability. A "secret warrant" is an oxymoron. Since "secret courts" are outside of public perception, they are not under democratic control.

They are a tool of fascist governments, fascism being the doctrine that the interest of the state takes primacy over that of its citizens. This is opposed to democracy, where all power is supposed to be under the ultimate control and supervision of the voters.

The U.S.A. now has secret forces that can make secret investigations based on secret warrants gained from secret courts, and have people dragged into such secret courts without providing the defense with the material necessary for its task.

What other traits of the Gestapo and the SS is the U.S. eager to copy in the name of "freedom", a word that is increasingly getting out of fashion in relation to "security"?

What kind of "security" does a citizen enjoy when he can be dragged into prison or killed without a chance of defending himself?

Perfect Forward Secrecy

Posted Jul 25, 2013 0:00 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Note that HTTPS clients (and other TLS clients) can ask for PFS, although the server is under no obligation to offer that mode, in the same way that you can ask for (but many servers will refuse) the anonymous mode which removes MitM resistance.

If it's revealed that TLS keys were used to unravel past transactions we might see more interest in enabling that feature, both as a client preference (e.g. a Firefox checkbox) and on servers.

Perfect Forward Secrecy

Posted Jul 25, 2013 14:02 UTC (Thu) by brunowolff (guest, #71160) [Link]

There was another article about this recently which claimed that the server gets to pick which mode to use from the common set. And that since there is a performance hit to PFS, some servers will choose non-PFS modes if they are available. So on the client side you'd need to only offer up modes that support PFS and then have a backup plan for servers that don't support any PFS modes.

Feds put heat on Web firms for master encryption keys (CNET)

Posted Jul 25, 2013 8:19 UTC (Thu) by jpfrancois (subscriber, #65948) [Link]

So now all keys will be centralised somewhere, and you need only one bad apple among the feds to have the whole key set leaked to whatever mafia is interested.

suggestion for webserver administrators.

Posted Jul 25, 2013 12:48 UTC (Thu) by Richard_J_Neill (subscriber, #23093) [Link]

If you administrate a Webserver, this may be helpful:

1. Make sure you are running Apache 2.4.
Apache 2.2 does NOT have support for any form of forward-secrecy at the moment (it used to, but then we had the BEAST attack, and to mitigate that, everyone switched to RC4 ciphers). Only the elliptic-curve ciphers (ECDHE) are immune to BEAST AND have forward secrecy, and these are only supported in Apache 2.3 and above.

2. If you're running Ubuntu, that means you have to upgrade your production server to the latest alpha, Saucy/13.10.

3. Enable the ECDHE keys. In ssl.conf, set:

SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

(This set is still not perfect, but it seems to be the best compromise we can have; it is proof against BEAST, supports RC4 for old browsers, and has perfect forward secrecy for all modern clients other than IE 10.)

4. Test it: https://www.ssllabs.com/ssltest/analyze.html

I hope that's helpful.

suggestion for webserver administrators.

Posted Jul 25, 2013 15:17 UTC (Thu) by ssmith32 (subscriber, #72404) [Link]

That is helpful :)
Thank you!

-stu

suggestion for webserver administrators.

Posted Jul 25, 2013 16:31 UTC (Thu) by jeff_marshall (subscriber, #49255) [Link]

Regarding your point 1, why are you comparing RC4 to ECDHE? They serve two entirely different purposes: RC4 is a stream cipher used for protecting data once a secret key has been established, and ECDHE is a key agreement algorithm used during key establishment.

Does TLS not support a regular DHE (non-EC) paired with a safe block cipher + mode?

suggestion for webserver administrators.

Posted Jul 25, 2013 16:43 UTC (Thu) by Richard_J_Neill (subscriber, #23093) [Link]

I may have caused some confusion here. My understanding is that:

On Apache 2.2, we had a choice between two evils, either ciphers which have forward secrecy (but which are vulnerable to BEAST), or which are immune to BEAST but sacrifice forward-secrecy. The latter is the Apache-2.2 configuration (at least on Ubuntu).

This one is secure, but requires Apache 2.4
ECDHE-RSA-AES128-SHA256

To answer your question, I think the answer is "no" - at least, experimentally, and using the ssllabs test-suite.

suggestion for webserver administrators.

Posted Jul 25, 2013 18:38 UTC (Thu) by jeff_marshall (subscriber, #49255) [Link]

Thanks for the clarification. I think my confusion stemmed from your use of "cipher" vs. "cipher suite" (i.e., ECDHE is a cipher, ECDHE-RSA-AES128-SHA256 is a cipher suite).

Ultimately, the problem appears to stem from the choices of which ciphers are grouped into suites in the SSL/TLS standards: many of the suites either pick a key agreement scheme without forward secrecy or a block cipher + mode vulnerable to BEAST.
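As an added example (not code from this thread, nor from Apache or OpenSSL), the following Python script classifies OpenSSL-style cipher-suite strings such as the SSLCipherSuite value in the post above. It separates the key exchange (the part that decides forward secrecy) from the bulk cipher and its mode, which is the cipher-versus-cipher-suite distinction drawn in this sub-thread, and it also implements the client-side plan described earlier under "Perfect Forward Secrecy": keep only the authenticated forward-secret suites as the preferred list and everything else as a fallback for servers that offer no such suite. The token tables are my own and cover the common RSA/ECDSA suite names only; aliases such as HIGH or RC4 are deliberately left unexpanded because they expand differently on each OpenSSL build.

```python
"""Classify OpenSSL-style cipher-suite strings (added example, not thread code).

parse_suite() splits one explicit suite name such as ECDHE-RSA-AES128-SHA256
into key exchange, authentication, bulk cipher, mode and MAC, and reports
whether the key exchange is ephemeral (forward secrecy).  The token tables
are hand-written for common RSA/ECDSA suites; export, SRP, PSK and Kerberos
suites are not modelled.
"""

# Key-exchange prefixes as they appear in OpenSSL suite names.  Only the
# ephemeral Diffie-Hellman variants give forward secrecy; ADH/AECDH are
# ephemeral but anonymous (no peer authentication, so no MitM resistance).
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "AECDH", "ADH"}
STATIC_KX = {"ECDH", "DH"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS"}
MAC_TOKENS = {"MD5", "SHA", "SHA256", "SHA384"}


def parse_suite(name):
    """Break one explicit OpenSSL suite name into its components."""
    tokens = name.split("-")
    if tokens[-1] in MAC_TOKENS:
        mac = tokens.pop()                  # HMAC suite, e.g. ...-SHA256
    elif tokens[-1] == "POLY1305":
        mac = "AEAD"                        # CHACHA20-POLY1305 carries no MAC
    else:
        raise ValueError("not an explicit cipher-suite name: %r" % name)
    if tokens[0] in EPHEMERAL_KX or tokens[0] in STATIC_KX:
        kx = tokens.pop(0)
    else:
        kx = "RSA"                          # no prefix: RSA key transport
    if kx in ("AECDH", "ADH"):
        auth = "NONE"
    elif tokens and tokens[0] in AUTH_TOKENS:
        auth = tokens.pop(0)
    else:
        auth = "RSA"
    bulk = "-".join(tokens)                 # AES128, AES128-GCM, RC4, DES-CBC3
    if any(t in tokens for t in ("GCM", "CCM", "POLY1305")):
        mode = "AEAD"
    elif bulk.startswith("RC4"):
        mode = "STREAM"
    else:
        mode = "CBC"
    return {
        "name": name, "kx": kx, "auth": auth, "bulk": bulk, "mac": mac,
        "mode": mode,
        "forward_secrecy": kx in EPHEMERAL_KX,
        "authenticated": auth != "NONE",
        # SHA256/SHA384 HMAC and AEAD suites exist only from TLS 1.2 on, so they
        # are never negotiated under TLS 1.0, the version the BEAST attack targets.
        "tls12_only": mode == "AEAD" or mac in ("SHA256", "SHA384"),
    }


def _is_explicit(token):
    """True for an individual suite name, False for aliases like HIGH or RC4."""
    last = token.split("-")[-1]
    return "-" in token and (last in MAC_TOKENS or last == "POLY1305")


def classify_cipher_string(spec):
    """Classify every explicit suite in an SSLCipherSuite value.

    Returns (suites, aliases): parsed suites in preference order, plus the
    alias/modifier tokens (HIGH, RC4, !MD5, ...) that are left unexpanded
    because their expansion depends on the OpenSSL build.
    """
    suites, aliases = [], []
    for token in (t.strip() for t in spec.split(":")):
        if not token:
            continue
        if token[0] not in "!+-" and _is_explicit(token):
            suites.append(parse_suite(token))
        else:
            aliases.append(token)
    return suites, aliases


def split_by_forward_secrecy(spec):
    """Client-side plan from the thread: offer only authenticated forward-secret
    suites first; keep the rest as a fallback for servers that support none."""
    suites, _ = classify_cipher_string(spec)
    good = [s for s in suites if s["forward_secrecy"] and s["authenticated"]]
    rest = [s for s in suites if s not in good]
    return ":".join(s["name"] for s in good), ":".join(s["name"] for s in rest)


def report(spec):
    """Human-readable summary for one cipher string."""
    suites, aliases = classify_cipher_string(spec)
    lines = ["%-28s kx=%-5s auth=%-5s bulk=%-17s mode=%-6s FS=%-5s TLS1.2-only=%s"
             % (s["name"], s["kx"], s["auth"], s["bulk"], s["mode"],
                s["forward_secrecy"], s["tls12_only"]) for s in suites]
    if aliases:
        lines.append("unexpanded aliases/modifiers: " + " ".join(aliases))
    return "\n".join(lines)


if __name__ == "__main__":
    # The SSLCipherSuite value from the post above, used here as sample input.
    print(report("ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"))
```

Running it on the configuration string from the post shows the split the thread is talking about: ECDHE-RSA-AES128-SHA256 is a forward-secret, TLS 1.2-only CBC suite, while AES128-GCM-SHA256 is an AEAD suite with plain RSA key transport and therefore no forward secrecy. To see what the HIGH and RC4 aliases actually expand to on a given server, run `openssl ciphers -v '<spec>'` there with the OpenSSL build Apache links against. One caveat for anyone reading this later: RC4 cipher suites were prohibited in TLS by RFC 7465 in 2015, so the RC4 fallback for old browsers is no longer an acceptable compromise.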

suggestion for webserver administrators.

Posted Jul 25, 2013 18:06 UTC (Thu) by jimparis (subscriber, #38647) [Link]

Word of warning: in Debian, Apache 2.4 is still pretty new, some modules like libapache2-svn haven't been ported, and the configuration layout has changed in some key ways. I messed up my server pretty badly by diving in. Fortunately, /var/log/apt/history.log told me how to get my old packages back, and etckeeper let me easily revert /etc. I'll try again in a few months when 2.4 support is a little better, and be more careful next time!

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds