They’re not really getting this, are they?

Macron backed efforts to allow the security services better access to encrypted communication, echoing the Conservatives’ manifesto pledge to examine how to tackle encrypted communications between extremists. The plans have already raised concerns among privacy campaigners about state access to private citizens’ communications and how it might act as a potential gateway for hackers.

Macron said both countries “were committed to improve the means of access to encrypted content in conditions that preserve the confidentiality of messages”.

Encryption is encryption. End to end encryption is just that. The companies, Google, Facebook, don’t have keys or backdoors.

It’s like trying to stop people using one pad techniques by telling the paper makers to do something.

21 comments on “They’re not really getting this, are they?

  1. The companies, Google or Facebook, have some degree of control. They can be pressured into weakening the strength of the encryption in subtle ways (e.g. by not properly randomising one of the input variables).

  2. Macron is welcome to lobby the IETF to weaken the draft spec for TLS 1.3 (https://tlswg.github.io/tls13-spec/), and the IEFT is correspondingly welcome (and likely) to recommend that Macron and his chums become more intimately familiar with farm animals.

    They could also lobby the French certificate authorities to mint improper intermediate certs to enable eavesdropping on major sites – it wouldn’t be the first time (https://arstechnica.com/security/2013/12/french-agency-caught-minting-ssl-certificates-impersonating-google/) but since it’s the fast track for the CA to be banished from every major browser, I’d expect a certain amount of pushback.

  3. The companies, Google or Facebook, have some degree of control. They can be pressured into weakening the strength of the encryption in subtle ways

    Not if it’s end-to-end.

    The UK and frog governments can try to weaken encryption by having their spooks try and get compromised random number generators accepted into the TLS standard. It’s believed the NSA tried this with Dual_EC_DRBG but they were rumbled (partly with the help of Snowden).

    The frogs have form in this too – the GSM data encryption standard was deliberately compromised: http://www.aftenposten.no/verden/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-98459b.html

  4. Encryption. Why do they bother?
    I’ve a phablet format smartfone I Ieave available for visitors to use. Currently it’ll give me access to at least a dozen people’s e-mail accounts, various Facebook accounts, what is apparently a Google cloud storage for someone’s entire image & video library, instant access to a number of bank accounts, endless free shopping opportunities through retail sites have credit card details stored on them, any number of messenger type app accounts …

  5. Yes, yes, yes. Before we get into tackling encryption, what evidence is there that “extremists” are using it? As opposed to just passing slips of paper during Friday prayers?

  6. The stupid cow got the Tories into a street fight that left them with a collective broken nose tho’ –Thank God in view of the alternative–they weren’t knocked down.

    I get that they don’t want rid of her just yet.

    But why are they allowing her the freedom to continue her program of sabotage? Her first post election appearance should have been with two black eyes and she should be asking permission to stand up and sit down let alone speak.

    Tory bunglers have lost power before by letting a bungling vapid shite run his mouth and follow stupidity as a lifestyle.

    Theo–your shower need to be purged as well.

  7. Nit pick: One time pad. It requires two actual pads, one for the sender, one for the receiver.

  8. Yes, yes, yes. Before we get into tackling encryption, what evidence is there that “extremists” are using it? As opposed to just passing slips of paper during Friday prayers?

    Or discussing their plans on Channel 4 documentaries or informing immigration officers that the intend to travel for terrorism purposes.

  9. BiS
    Was in Portugal recently and used hotel computer to print boarding card for flight home. Hit the history button and up popped pages of previous users including Facebook, enail,flight details etc. Was kind and cleared history, mainly to get my hisyory removed.

  10. The companies, Google or Facebook, have some degree of control. They can be pressured into weakening the strength of the encryption in subtle ways

    Not if it’s end-to-end.

    Err, yes they can. The servers can provide a list of weak cipher suites for the browser to select from or, with modern browsers that are wise to this sort of thing, you can just have the server have a very limited entropy pool for the random number generator.

    The last, albeit by accident, was the issue with very early versions of PGP.

  11. @Roué le Jour’s comment.
    Quite. There’s any number of guides to covert operations tradecraft. Why would anyone rely on a communications pipeline that is available for interception & compromise? Makes as much sense as passing information over the phone network. If you want secure communications you do it in a way that no outsider can intercept it & get an opportunity to decrypt it.

  12. “were committed to improve the means of access to encrypted content in conditions that preserve the confidentiality of messages”

    Is it just me or is that complete nonsense, a masterpiece of dissembling worthy of Blair?

  13. Err, yes they can. The servers can provide a list of weak cipher suites for the browser to select from

    Ok, if they are one of the ends then yes they can.

  14. @Roué le Jour

    Yes, yes, yes. Before we get into tackling encryption, what evidence is there that “extremists” are using it? As opposed to just passing slips of paper during Friday prayers?

    I’m not sure where you get this idea from – it’s not for use against islamic extremists, it’s against those who criticise islam.

  15. Indeed. The U.S. has used terrorism as an excuse to spy on everyone. Clear violation of the Constitution, but by saying the magic word, ‘terrorism,’ they get away with it.

  16. There’s some confusion about where the encryption is taking place. If you’re searching on Google or reading Facebook, your conversation is secured from third parties (such as your ISP), but not (obviously) from Google or Facebook themselves. They both keep records of what you’re looking at (‘cos that’s how they monetise you) and they will release those records to appropriate authorities with appropriate warrants (it wouldn’t surprise me if they have trigger phrases that set off warning lights in GCHQ/NSA).

    But if you’re using a third party application, such as WhatsApp or simply PGP encrypted email, no-one except you and the person you’re talking to should be able to read your correspondence.

    Apologies to most of you who know this stuff already, but clearly some don’t

  17. “Nit pick: One time pad.” It’s an odd mistake by Worstall; didn’t he have a boyhood?

  18. ” End to end encryption is just that. The companies, Google, Facebook, don’t have keys or backdoors.”

    When I’m browsing Facebook, my browser is one end and Facebook.com is the other end. Facebook most certainly have the session keys. If they choose to save those in a file and hand them over to Monsieur Macron, they are free to do so.

    I just don’t think they will.

  19. @synp

    Facebook don’t need to retain any keys, they have the plaintext (without which their systems couldn’t operate).

Leave a Reply

Name and email are required. Your email address will not be published.