GreenGoo wrote:
Now if the real problem is Terrorists using the internet/social media to communicate/coordinate, well then good luck with stopping that. The UK is trying to outlaw encryption, which might seem like it makes a lot of sense, until you realize that 99.9% of e-commerce is encrypted. See what happens to e-commerce when people start transmitting their CC numbers in clear text across the internet.
Sorry for quoting myself, but this next bit is important and is related to the above.
The
POODLE attack is a direct result of the US trying to limit encryption use by enemies of the state. The article linked is a good one, but might be too technical for a layperson. More in a minute.
The US put heavy export limitations on encryption technology. The plan was for only the US (and allies, I assume) to own strong encryption. The problem is that the internet is an international place, and places like the US need to be able to talk to places like Syria. So servers and browsers and whatnot had to be able to speak both good (hard to break) and bad (easy to break) encryption. How do servers know which type of encryption to use? Well, they use the highest they can. But if the guy on the other side doesn't speak "Good" encryption then the choice is "bad" encryption.
To clarify the above, the US made it illegal to give "good" encryption to people not on the "list". Servers need to talk to people on and off the list, so they need to speak both good and bad encryption.
And that's how and why downgrade attacks exist. Hacker wants to talk to your bank. Bank says "I speak good encryption". Hacker says "sorry, I only speak bad encryption". Bank says "No problem, I speak bad encryption too". Hacker says "thanks, you've just made my formerly impossible job doable, because bad encryption is easy to break (by design, by US government plan)".
At some point (2010 maybe?) the US made changes to it's export limitations on encryption. Awesome. Years of evidence and experience resulted in a loosening of export restrictions. Great. Now EVERYONE can speak "good" encryption. Except there were thousands and millions of machines on the internet that were still backwards compatible with the "bad" encryption, and without active configuration change, could and would still talk "bad" encryption if asked.
So even after the US corrected it's mistake (imo, but a very reasonable mistake given the decision was based on WWII experiences with cryptography), all sorts of machines could be made more vulnerable because even though the law hand changed, the old technology hadn't been removed. It mostly has, now.
This topic falls under Fishpants' job description and he knows way more than I do on the subject, and can probably correct any mistakes I've made here.
The important take away from all this is that restricting encryption HAS ALREADY BEEN TRIED, and it failed spectacularly. In fact it failed so spectacularly that it made the news and everyone was all atwitter about their data security and omg omg omg what are we gonna do?
The idea that the UK is trying to kill encryption in the same year that everyone went NUTS because machines were vulnerable because of weak encryption is insane.
The idea has been floated in US political circles too. The NSA wants a backdoor into every popular device out there (because backdoors can't be exploited by anyone who's not the NSA, duh. That's just logic). That's not paranoia, that's fact. The lessons that we are still learning the hard way seem to be sailing right over the heads of a lot people.
Trump hasn't asked for the outlawing of encryption, but that's a natural end point of those trying to "fix" the terrorist/internet "problem". If he continues to talk about "fixing" the internet for Syria with our "brilliant people", he will end up on encryption. Keep this in mind the next time he opens his mouth.
