Linked by Thom Holwerda on Thu 21st Nov 2013 23:46 UTC
Internet & Networking

"We can end government censorship in a decade," Schmidt said during a speech in Washington. "The solution to government surveillance is to encrypt everything."

Setting aside the entertaining aspect of the source of said statement, I don't think encryption in and of itself is enough. Encryption performed by companies is useless, since we know by now that companies - US or otherwise - are more than eager to bend over backwards to please their governments.

What we need is encryption that we perform ourselves, so that neither governments nor companies are involved. I imagine some sort of box between your home network and the internet, that encrypts and decrypts everything, regardless of source or destination. This box obviously needs to run open source software, otherwise we'd be right back where we started.

Is something like that even possible?

RE[2]: Comment by pcunite
by Lennie on Sat 23rd Nov 2013 09:28 UTC in reply to "RE: Comment by pcunite"
Lennie Member since:
2007-09-22

Actually, there are multiple reasons:

There is the one you mentioned:
- certs signing takes time, knowledge and effort to get done. Certs are actually already free (!) or cheap (10 euros). You don't pay for the cert. You pay for that time and effort to talk to a CA.

But don't dismiss:
- SNI for HTTPS, no support in all browsers for virtual hostnames like for HTTP, so you need an IP-address per website (think about how we are running out of IPv4-addresses and the administrative overhead of configuring the server). Here you pay for configuration overhead and an IPv4-address.

Support for DNSSEC/DANE and SNI in browsers would help here.

Edited 2013-11-23 09:28 UTC

Score: 4

RE[3]: Comment by pcunite
by Alfman on Sun 24th Nov 2013 17:05 in reply to "RE[2]: Comment by pcunite"
Alfman Member since:
2011-01-28

Lennie,

Sounds like you've had a lot of experience navigating these muddied waters ;)

"- certs signing takes time, knowledge and effort to get done. Certs are actually already free (!) or cheap (10 euros). You don't pay for the cert. You pay for that time and effort to talk to a CA."

The thing is, they aren't all created equal. Many have bad support in browsers. And all the cheap CAs are of the automated variety, doing little more than contacting us via *insecure* email and http connections, pretty ironic right?

Another major problem with the CA model is that *everyone's* security gets reduced to the weakest CA in the browser, since that CA technically has the ability to forge signatures for any website whether they are even customers of the CA or not.


"Support for DNSSEC/DANE and SNI in browsers would help here."

Issues with complexity aside, I agree this is the way forward. It eliminates the security problems in relying on 3rd party CAs and also entitles everyone to certificates without having to buy them (everyone wins except for the CAs who lose big time).

It's great for academic theory, but in the real world ISPs, network equipment, and existing software are major hurdles with no easy answers. Look at initiatives like IPv6, jumbo packets, etc. In each case, we are all in firm agreement that the old standards are holding back technology, yet they're so deeply entrenched that we are barely any closer to deploying these things than we were 10 years ago.

I'm pretty convinced that the current internet will have to become completely unreliable before we will take migrations seriously.

Score: 2

RE[4]: Comment by pcunite
by Lennie on Sun 24th Nov 2013 18:16 in reply to "RE[3]: Comment by pcunite"
Lennie Member since:
2007-09-22

On the issue of browser support.

Bad support in (desktop) browsers is a thing of the past, I've not seen issues in a long time.

There are probably still problems on mobile though, but even those are going away.

If you are a provider, you really do pay only 10 euros per cert per year, maybe even 10 dollars. This isn't just some cheap provider that doesn't work. That is from the widely known CAs.

https://www.startssl.com/ is the one that is free and supported by all browsers.

On the issue of insecure email...

Yep, that is what domain validation is. It's just a check if you control the domain. I've never seen a CA use insecure HTTP though.

It really doesn't matter if you pay some CA more money or not. Because the user doesn't look at the CA, it just needs to be trusted by the browser.

If someone can prove they control your domain to another browser-supported CA then they'll get a cert for your domain. There is really nothing special about the different CAs. Any CA will do.

There are some other issues that do matter, like OCSP performance. Or the root included by default in Windows. But especially the last one doesn't matter all that much if it's a widely used CA.

If you want something more, you might want EV but you'll need to educate your users to look for the 'green bar' and not use the site if it's not there.

In many, many cases, for example something like Facebook that obviously doesn't work, when they visit the site they'll probably already have sent the auto-login cookie, which an attacker can use to log in to your site.

Score: 3