
Stop Calling It “Military-Grade Encryption” - timothy-quinn
https://blog.signata.net/military-grade-encryption/
======
OskarS
Yeah, this part rings totally true:

> _I actually do a double-take when a company says "Military-Grade", as I
> start to question how well they know cryptography, and if they may have
> picked an inferior algorithm thinking it's safe._

"Military grade" might sound good to marketing people, but to everyone that's
actually involved in digital security, it sounds like it's made by people who
have no idea what they're doing.

Another phrase like that is "patented technology" or "patent-pending". Maybe
it sounds good to some people, but to engineers it's a big red flag.

~~~
solarkraft
My worst red flag is "proprietary". It gives me an instant headache because
it makes me think of bad quality, terrible documentation and just overall
pain.

~~~
opan
I've noticed this even with fast food commercials which say things like "our
proprietary blend of spices" in a tone implying you should be excited about
it.

~~~
mcv
I'm fine with proprietary spice blends. At worst, it doesn't taste the way I
want. But with encryption, "proprietary" means "untested", and that's a really
bad idea.

------
jddj
The salesmen at the company I work with at the moment (industrial/commercial
IoT) have adopted "banking-grade" for laymen, and have learned to recite the
algorithms and/or protocols for anyone who expresses further interest.

Stereotype incoming: This might be a cultural thing too. Military grade sounds
like something that would play well to the American ear, whereas these guys
are British.

~~~
mcv
When I hear some Americans talk about their banks, I'm not sure "banking grade"
will leave a positive impression there.

------
EliRivers
"Military-Grade" encryption. In my experience, this involves writing passwords
on daily orders and on the big white board in the ops room, giving them out
over the phone to anyone with a suitably clipped voice, and laminated guides
to zipping files with a password - from which everyone then copies the example
password they can see in the laminated picture - physically tied to "the
encrypting PC" so that nobody can wander off with the guide.

~~~
nessunodoro
It's this comment that should be laminated...

~~~
kinleyd
Seconded.

------
anilakar
To me, military-grade means that you run it over a physically separated
network and post armed guards who will shoot all intruders.

~~~
mcv
I will remember that for the next time someone calls something "military
grade".

"So you've got armed guards ready to shoot anyone who messed with it?"

------
IcePic
As seen in the Crypto Snake Oil FAQ from the 90s:
[http://www.interhack.net/people/cmcurtin/snake-oil-faq.html#...](http://www.interhack.net/people/cmcurtin/snake-oil-faq.html#SECTION000511000000000000000)
If the first 20-30 years of "please don't" didn't work, I am reluctant to
think this post will help...

~~~
dogma1138
Military Grade iirc referred to the encryption schemes defined in the Rainbow
Series in the 80's and 90's. Today it is a buzzword, but I'm not sure it was
always that undefined.

------
dewey
I never really took it as a factual statement on how amazing the used
encryption is. I always understood it as just another marketing term for the
sales process. It probably sounds very good for a non technical decision maker
and everyone who’s technical enough to understand encryption will look at the
more detailed information anyway.

------
buboard
Military = Safety. There is a reason they didn't choose "Terrorist-Grade
encryption"

~~~
jmiserez
Although that would probably need to be higher grade to work. Technically it
would be the better name.

~~~
vbezhenar
The best advertisement for me was that terrorists use Telegram and Russia
wants to ban it.

------
dtech
Yeah... This is a purely marketing reason. You're not going to convince people
to change that with technical arguments and everyone who cares also knows that
the term means zilch.

------
dominicr
While we're at it, can products stop using the phrase "aircraft grade
aluminium" to sell trivial items such as forks, wallets and, I kid you not,
Post-It note holders.

Yes, there are differences in quality possible with aluminium, as there are
with most materials, but to make "aircraft grade" a main selling point for
your sunglasses case is snake oil marketing nonsense.

~~~
TheSpiceIsLife
Never know when you'll need to whittle yourself a new aircraft component with
your genuine hand forged pocket whittler after you've crashed your handmade
single seater in the Tasmanian highlands.

------
dragonsh
This is just selling snake oil. I am not sure, but this term is coined by
people who are in marketing, who do not really understand the real strengths
and weaknesses of encryption. Like a snake oil salesman they want to use
jargon to create an image in people's minds that they are extremely secure.

But in reality as the article points out AES, RSA and others are all used in
military and all are military grade, but all have one or the other drawback if
not used carefully. This kind of advertising is generally misleading.

Hopefully it will be nice if someone challenges such claims in court. But I
believe it will be hard to prove that the statement itself is untrue; it's just
that it is created with a spirit to deceive or conflate the meaning.

------
LawnDart1
By calling it Military Grade, it's easier to Ban it...

~~~
DonHopkins
Actually, that's what already happened. And now they're trying to do it again.

[https://www.schneier.com/blog/archives/2019/07/attorney_gene...](https://www.schneier.com/blog/archives/2019/07/attorney_genera_1.html)

Posted on July 24, 2019 by Bruce Schneier on Security:

> Yesterday, Attorney General William Barr gave a major speech on encryption
> policy -- what is commonly known as "going dark." Speaking at Fordham
> University in New York, he admitted that adding backdoors decreases security
> but that it is worth it.

[https://news.ycombinator.com/item?id=19916938](https://news.ycombinator.com/item?id=19916938)

In 1998, the EFF and John Gilmore published the book about "Deep Crack" called
"Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip
Design". But at the time, it would have been illegal to publish the code on a
web site, or include a CDROM with the book publishing the "Deep Crack" DES
cracker source code and VHDL in digital form.

[https://en.wikipedia.org/wiki/EFF_DES_cracker](https://en.wikipedia.org/wiki/EFF_DES_cracker)

[https://www.foo.be/docs/eff-des-cracker/book/crackingdessecr...](https://www.foo.be/docs/eff-des-cracker/book/crackingdessecre00elec.pdf)

> "We would like to publish this book in the same form, but we can't yet, until
> our court case succeeds in having this research censorship law overturned.
> Publishing a paper book's exact same information electronically is seriously
> illegal in the United States, if it contains cryptographic software. Even
> communicating it privately to a friend or colleague, who happens to not live
> in the United States, is considered by the government to be illegal in
> electronic form."

So to get around the export control laws that prohibited international
distribution of DES source code on digital media like CDROMS, but not in
written books (thanks to the First Amendment and the Paper Publishing
Exception), they developed a system for printing the code and data on paper
with checksums, with scripts for scanning, calibrating, validating and
correcting the text.

[...]

The exposition about US export control policies and the solution for working
around them that they developed for the book was quite interesting -- I love
John Gilmore's attitude, which still rings true today: "All too often,
convincing Congress to violate the Constitution is like convincing a cat to
follow a squeaking can opener, but that doesn't excuse the agencies for doing
it."

[https://dl.packetstormsecurity.net/cracked/des/cracking-des....](https://dl.packetstormsecurity.net/cracked/des/cracking-des.htm)

[...]

The US Department of Commerce has officially stated that publishing a World
Wide Web page containing links to foreign locations which contain
cryptographic software "is not an export that is subject to the Export
Administration Regulations (EAR)."* This makes sense to us--a quick reductio
ad absurdum shows that to make a ban on links effective, they would also have
to ban the mere mention of foreign Universal Resource Locators. URLs are
simple strings of characters, like [http://www.eff.org](http://www.eff.org);
it's unlikely that any American court would uphold a ban on the mere naming of
a location where some piece of information can be found.

Therefore, the Electronic Frontier Foundation is free to publish links to
where electronic copies of this book might exist in free countries. If we ever
find out about such an overseas electronic version, we will publish such a
link to it from the page at
[http://www.eff.org/pub/Privacy/Crypto_misc/DESCracker/](http://www.eff.org/pub/Privacy/Crypto_misc/DESCracker/).

* In the letter at [http://samsara.law.cwru.edu/comp_law/jvd/pdj-bxa-gjs070397.h...](http://samsara.law.cwru.edu/comp_law/jvd/pdj-bxa-gjs070397.htm) , which is part of Professor Peter Junger's First Amendment lawsuit over the crypto export control regulations.
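
The paper-plus-checksums scheme described in the comment above, as an added illustration that is not part of the original thread and not the book's actual layout or the EFF's scripts: the line format (text, TAB, hex CRC-32), the whole-file SHA-256 and the sample source are all assumptions for this example.

```python
import hashlib
import zlib

# Added illustration of per-line checksums for source printed on paper.
# The line format (payload, TAB, CRC-32 in hex) is an assumption for this
# example; it is not the layout or the scripts used for the Cracking DES book.

def line_tag(payload: str) -> str:
    """Hex CRC-32 of one line's text, printed beside the line."""
    return f"{zlib.crc32(payload.encode('utf-8')):08x}"

def prepare_for_print(source: str) -> list[str]:
    """Append '<TAB><tag>' to every line before it goes to the printer."""
    return [f"{line}\t{line_tag(line)}" for line in source.splitlines()]

def file_digest(source: str) -> str:
    """Whole-file SHA-256, printed once so the reassembled file can be confirmed."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def validate_scan(scanned: list[str]) -> tuple[list[str], list[int]]:
    """Strip the tags, recompute them, and report 1-based numbers of lines
    whose text (or tag) did not survive scanning/OCR intact."""
    payloads, bad = [], []
    for n, line in enumerate(scanned, start=1):
        if "\t" not in line:            # tag lost entirely: treat as damaged
            payloads.append(line)
            bad.append(n)
            continue
        payload, tag = line.rsplit("\t", 1)
        payloads.append(payload)
        if tag != line_tag(payload):
            bad.append(n)
    return payloads, bad

# Constructed sample source (not the DES cracker code).
SAMPLE = "int main(void) {\n    unsigned long key = 0;\n    return key & 1;\n}"

def recover_with_one_ocr_error() -> tuple[list[int], list[int], bool]:
    """Simulate OCR misreading 'l' as '1' on line 2, locate it with the tags,
    retype that line from the paper copy, and confirm the whole file against
    the printed digest."""
    printed = prepare_for_print(SAMPLE)               # what is on the paper
    scanned = list(printed)
    scanned[1] = scanned[1].replace("long", "1ong")   # the OCR mistake
    _, bad_before = validate_scan(scanned)            # flags line 2 only
    for n in bad_before:                              # operator retypes flagged lines
        scanned[n - 1] = printed[n - 1]
    payloads, bad_after = validate_scan(scanned)      # nothing left flagged
    recovered_ok = file_digest("\n".join(payloads)) == file_digest(SAMPLE)
    return bad_before, bad_after, recovered_ok

if __name__ == "__main__":
    print(recover_with_one_ocr_error())
```

A single-byte misread on a line always changes its CRC-32, so the per-line tags localise the damage to the exact line, and the one whole-file digest confirms the reassembled text.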

------
DonHopkins
"Military-Grade Deception" is a legitimate term.

------
paxys
> I actually do a double-take when a company says "Military-Grade", as I start
> to question how well they know cryptography, and if they may have picked an
> inferior algorithm thinking it's safe.

While I despise the term as well, this seems like an exaggeration. It's simply
marketing, nothing else. Developers implementing security aren't also making
sales decks.

~~~
OskarS
The thing is, real cryptographers and computer security experts never use
language like this. You'll never hear Daniel Bernstein (or whoever) call
ciphers "military grade". Moxie Marlinspike never calls Signal "military
grade", even though it's probably superior to most actual military systems.
They know better.

~~~
paxys
Like I said, these real cryptographers aren't the ones going out and selling
the software. Marketers use whatever terms their audience likes to hear.

~~~
OskarS
If it's a three person SaaS start-up or whatever, there's no guarantee there's
a dedicated marketing team. And even if there is, the engineers/managers don't
know better than to tell their marketers "hey don't use that kind of
language". And the marketers selling a security product don't know better?

Sure, it's entirely possible that the product itself is absolutely solid. It
would be a bit silly to rule a product out on this basis alone. But when
evaluating a product, it's fair to "do a double-take" when seeing language
like this.

------
tzury
Obviously it all depends on the classification level of the platform in
question.

Military projects I've worked on, none of the known algorithms were in use.
However, those are not available for commercial use whatsoever.

The author is right about one thing though: if it is available in the
commercial world, it is better off being called "Industry Standard
Encryption".

~~~
viraptor
> Military projects I've worked on, none of the known algorithms were in use.

What do they use? I expected that the US military would be 99% FIPS. (Other
militaries could be GOST, I guess.)

------
vinay_ys
In a conversation I would interpret a mention of military grade encryption as
meant to defend against nation state actor adversaries who have theoretically
unlimited resources to mount an attack.

In that sense, I would expect it to be much stronger than a financial grade
or consumer grade encryption system, where adversaries are less strong.

There are certain attacks, like supply chain attacks (factory, transport etc.
of hardware components) or special access attacks (Certificate authorities,
BGP, DNS, ISPs etc.) or social attacks (patsy or spy with MICE/RASCLS), that
nation state actors can pull off which others cannot (without prohibitively
significant effort or negative consequences).

So, usually if someone says military grade, I would look at it as being
resistant to even these threats.

Of course, it is always about the system holistically and not just the AES,
RSA, SHA-2 etc algorithms.

------
shakna
I've seen a lot of people refer to their practices as "Industry Standard" when
they know what they're doing, and a lot of marketing teams use
"Military-Grade".

I don't think this particular hill is one to die on - the public have a
perception that the military are amazing at using the latest and greatest
technology, so the marketing teams will always continue to use it. Fighting it
will be about as effective as fighting clickbait.

Instead, let it guide your own choices. Any sign like this that shows the
marketing team wrote the Security Policy page is one where you should
absolutely start questioning if they know what they're doing.

------
headmelted
To be fair to the marketing zombies, I kind of see why it would be easier to
sell "Military-grade" rather than "Standard".

To our definition of "Standard" this means up to scratch and implemented
correctly to specification - to the normal folk this is probably interpreted
as "regular" or "basic-tier".

I'm a very important and aspirational small shipping/accountancy/dog-walking
firm. I don't want that potato-tier regular encryption - I deserve super-duper
fabtastic encryption like the banks have.

Maybe we _should_ call it Fabtastic Encryption 12.0 (people like numbers after
their software).

~~~
jabl
Double ROT-13 is for the plebs who can't afford better encryption. We do
QUADRUPLE ROT-13! Take that, crackers!

~~~
RandomBacon
Those are puny numbers. Don't talk to me until you're using ROT-26, or better
yet, ROT-52.

------
seedie
Probably it is because I'm not a native speaker but I'm not seeing any
difference between Military-Grade or Industry Standard Encryption. Can anyone
please clarify what the benefit is? Are these well defined terms and does
Industry Standard Encryption imply that it's continually updated?

> _MD5 is thoroughly useless as a hashing algorithm[...] but it was used by
> the military and banks in the past, so it 's technically "Military-Grade"_

If it was used by the Industry in the past wouldn't the same hold true for
Industry Standard Encryption?

Edit: quote formatting

~~~
74ls00
They’re all just marketing terms and have no technical meaning. The author
just wants the marketing terminology to better reflect the technical reality
of all applications using the same technologies at any given time.

------
asdz
Most software either claims military grade encryption or bank level
encryption, which is literally AES256.

Off topic: my phone case (Spigen) provides military grade protection too. :)

------
llarsson
Am I the only one that gets a NET::ERR_CERT_AUTHORITY_INVALID when I visit the
page in Chromium? Quite ironic, considering the title of this item.

~~~
tialaramex
You can use add-ons like Certainly Something (I don't know the name of an
equivalent for Chromium but I bet there is one) to show you exactly what's in
these certificates.

By far the most likely cause of an error like this (in which the browser
clearly connected but didn't like the offered certificates) is that an
intercepting proxy aka a MITM or middlebox is between your browser and the
remote site and it fucked up.

Things that are intercepting proxies (some of which you might have classified
wrongly as something else)

* Most 3rd party AV "solutions" or "endpoint protection" on your machine itself

* WAFs

* Any kind of "Next generation firewall"

* Government or ISP "filters"

All these products are pretty bad, and most are worse than useless.
Recommendations to get one or more of them for "security" are probably this
era's "Rotate passwords every 30 days" in terms of the actual security
behaviour that results as distinct from what the policy proponent imagines
will happen.

------
oliwarner
The EU has strict food labelling laws[1]. They stop companies making stupid
claims like "100% asbestos free!", or claiming to be a health food when a
major indicator is way out of line with guidelines.

I think marketing in general could learn something from that. Screen out
ridiculous claims that have no basis on the viability on the product, and
force people to focus on product and deviances from industry "standard".

For example, your transport layer might be using the same ciphers and key
length as a military installation, but if Maureen in accounts can log in from
home with the username and password she's used on every site since 2002 and
access 400,000 customer details, and download them to an unencrypted file on a
personal computer... You're not meeting GDPR obligations, let alone military
or banking standards.

... And by tangential extension, I think non-developers might be surprised
just how many companies still have absolutely zero _effective_ access control
to data. No storage encryption. No plans to warehouse or delete old data. Just
records in a database (or shared spreadsheet) where a username and password,
and sometimes just network access, will give you PII for every customer in the
last 20 years.

[1]: [https://ec.europa.eu/food/safety/labelling_nutrition/claims/...](https://ec.europa.eu/food/safety/labelling_nutrition/claims/nutrition_claims_en)

------
gaspoweredcat
"Military Grade" fails to clarify which military or from when. The Enigma code
was military grade, but it wouldn't stand up to much now.

~~~
bradknowles
The Caesar cipher was the best encryption available, once upon a time.

------
alexgmcm
Isn't it just an expression by now though? Like how "weapons-grade" is used
for many things that aren't nuclear material.

------
kgdinesh
Anyone else getting a "Untrusted SSL Server Certificate" on the page?

~~~
timothy-quinn
OP here. What browser/OS do you use? Our blog is run on Ghost so we don't
actually control the TLS cert used, but we can try to find the cause of why
it's not trusted and fix it.

~~~
johnonolan
Hi! John from Ghost here, had a quick look and can't see any issues on this
side with the cert. It's a relatively new certificate, though, so there could
be an old cache on an edge node somewhere which just hasn't fully updated yet.

I suspect this is a one-off, but please do reach out to us if you still have
issues, I've already passed this along to the team to fast-track support if
you do send us an email.

------
captainredbeard
First guns then nmap.

------
benj111
Ok, I don't often comment on web design, but why is there the effect of
shining an extremely dim torch at a dark page? I'm finding it very hard to
read.

