Linked by Thom Holwerda on Thu 21st Nov 2013 23:46 UTC
Internet & Networking

"We can end government censorship in a decade," Schmidt said during a speech in Washington. "The solution to government surveillance is to encrypt everything."

Setting aside the entertaining aspect of the source of said statement, I don't think encryption in and of itself is enough. Encryption performed by companies is useless, since we know by now that companies - US or otherwise - are more than eager to bend over backwards to please their governments.

What we need is encryption that we perform ourselves, so that neither governments nor companies are involved. I imagine some sort of box between your home network and the internet, that encrypts and decrypts everything, regardless of source or destination. This box obviously needs to run open source software, otherwise we'd be right back where we started.

Is something like that even possible?

Thread beginning with comment 577255
To read all comments associated with this story, please click here.
Comment by pcunite
by pcunite on Fri 22nd Nov 2013 02:04 UTC
pcunite
Member since:
2008-08-26

The real problem is that web browsers freak out when they see a certificate they don't recognized. Allow me to create and use my own.

Reply Score: 2

RE: Comment by pcunite
by WereCatf on Fri 22nd Nov 2013 02:14 in reply to "Comment by pcunite"
WereCatf Member since:
2006-02-15

Allow me to create and use my own.


What's stopping you? I've been using my own ones for ages, you just accept the certificate in your browser and go on your merry way.

Reply Parent Score: 4

RE[2]: Comment by pcunite
by Soulbender on Fri 22nd Nov 2013 05:55 in reply to "RE: Comment by pcunite"
Soulbender Member since:
2005-08-18

I think he mean that if you use a self-signed certificate on your site all your visitors get the rather scary browser warning.

Reply Parent Score: 3

RE: Comment by pcunite
by Kroc on Fri 22nd Nov 2013 09:09 in reply to "Comment by pcunite"
Kroc Member since:
2005-11-10

This right here is one of the biggest bug bears I have.

Encryption != Identity.

Tying the trust of encryption to SSL CAs is the reason that even today most websites don't use HTTPS -- just broadcasting everything unencrypted over the web.

The browser vendors too should be blamed. Had Firefox allowed 'untrusted' certificates in the beginning then HTTPS would be standard and on by default for all servers, everywhere. This is not a security problem -- trustworthiness of the host (identity) is the responsibility of ECV certificates and the like, but that shouldn't force everybody else to have to run on HTTP!

Reply Parent Score: 3

RE[2]: Comment by pcunite
by moondevil on Fri 22nd Nov 2013 12:15 in reply to "RE: Comment by pcunite"
moondevil Member since:
2005-07-08

If you accept untrusted certificates, it makes SSL useless to prevent man-in-the-middle attacks.

You can still do them with trusted certificates, but with untrusted ones it is a piece of cake.

Reply Parent Score: 3

RE[2]: Comment by pcunite
by Lennie on Sat 23rd Nov 2013 09:28 in reply to "RE: Comment by pcunite"
Lennie Member since:
2007-09-22

Actually, there are multiple reasons:

There is the one you mentioned:
- certs signing takes time, knowledge and effort to get done. Certs are actually already free (!) or cheap (10 euros). You don't pay for the cert. You pay for that time and effort to talk to a CA.

But don't dismiss:
- SNI for HTTPS, no support in all browsers for virtual hostnames like for HTTP, so you need an IP-address per website (think about how we are running out of IPv4-addresses and the administrative overhead of configuring the server). Here you pay for configuration overhead and an IPv4-address.

Support for DNSSEC/DANE and SNI in browsers would help here.

Edited 2013-11-23 09:28 UTC

Reply Parent Score: 4

RE[2]: Comment by pcunite
by Alfman on Sun 24th Nov 2013 16:16 in reply to "RE: Comment by pcunite"
Alfman Member since:
2011-01-28

Kroc,

"The browser vendors too should be blamed. Had Firefox allowed 'untrusted' certificates in the beginning then HTTPS would be standard and on by default for all servers, everywhere."

You are right. Mozilla has a long history of handling HTTPs certificates very poorly (starting with FFv3 they made unpopular changes I recall when they shifted policy from warning the user about unrecognized certificates to blocking the user completely). Their terrible support for self signed certificates makes it a continuous pain to use HTTPS on embedded devices (where the CA model is completely broken anyways) and even for websites where we cannot justify buying certs.

From a policy point of view, HTTPS connections to unverified peers is not less secure than plain HTTP, and would have the additional benefit of defeating passive surveillance techniques. Unfortunately, HTTPS implementations such as mozilla's have precluded the possibility of enabling HTTPS _everywhere_, consequently many websites that would have enabled HTTPS are left using plain text HTTP, and we're all much worse off given the widespread instances wiretapping.

Reply Parent Score: 2