
If David Cameron bans secure encryption he can't intercept - rabbidrabbit
http://blog.mythic-beasts.com/2015/01/15/a-day-in-the-life-of-a-mythic-beasts-employee-after-david-cameron-bans-the-secure-encryption/
======
SCdF
Honestly, it sounds kind of relaxing. Good excuse to get some sunshine.

On a more serious note, I can't help but think David Cameron is employing the
technique of attempting something extreme so that he can do something less
extreme (but still really bad) later with less oversight. Of _course_ you
can't ban strong encryption. His advisers know that, he knows that, _everyone_
knows that.

It will be very interesting to see what actually gets put (or attempted to be
put) into law. Right now it's just a whole lot of unrealistic noise.

~~~
lowmagnet
Given current trends, I'm guessing national root certificate as a license to
MITM all traffic.

~~~
SCdF
Yeah I was going to have that as an example in my comment, but even then that
seems unrealistic to me. Why wouldn't the big tech companies simply _not_ do
that? The UK needs them more than they need the UK, and if you took away the
country's access to Facebook for more than an hour you'd have a riot on your
hands.

~~~
pjc50
I'd assume they'd go along with government policy, like they have done in e.g.
China. And the government proposed taking down twitter and BBM during the
London riots a few years ago.

~~~
greghinch
I'm afraid you might be a tad ambitious regarding the weight the UK market
carries with global corporate interests, as compared to the Chinese

~~~
stingraycharles
I'm not so sure. It only takes one browser vendor with a significant interest
in the UK (Google would be a good candidate, given that advertisers are very
sensitive to legislation) to make the whole exercise useless.

------
mike-cardwell
It's pretty clear that the UK government doesn't have the power to ban
encryption. This is just a distraction so that we are happy to accept whatever
"less bad" proposals they come up with to increase their surveillance powers.
I can't help but feel that peoples dislike of Cameron is a pointless
distraction too. This is not Cameron. This is government. We will still be
having this same discussion in 50 years, unless some miracle technical
advancement makes it moot.

~~~
tonyedgecombe
It's not really the elected government, it's the security services asking for
an expanded remit and being granted one by uncritical politicians and an
apathetic media.

~~~
chao-
Who are the security services employed by? I certainly wouldn't call them
private industry!

Did you mean to say it's not _elected_ government officials? Just curious,
because I definitely consider a country's intelligence apparatus to be
completely and wholly part of its "government", and would be surprised to find
someone who didn't.

~~~
Zigurd
Read about the Dulles brothers. They forged very strong connections between
overt and covert foreign policy and industry.

~~~
Zigurd
I don't see why gorgak's comment got flagged unto death. The Dulles brothers
caused the term "banana republic" to be coined by O. Henry because the US
government was toppling governments and killing large numbers of people on
behalf of United Fruit. It is also generally accepted that the Communism scare
they put up was bunk.

~~~
JupiterMoon
He's been hell banned I believe. Anything he posts is automatically killed.

------
steaminghacker
There won't be a ban, it will be licensed. Big companies like banks etc will
get their licence right away, so your secure banking will be fine. Routers
will still have wifi encryption because they'll have a licence.

The licence will be implemented as a fee for a digital certificate that
properly authenticates.

So, you're a small startup with an idea for a secure messaging app. want a
licence. no problem, its £10M. have you got the money handy?

~~~
Udo
A license won't be enough. You'll have to provide a backdoor as well.

------
Zigurd
Suggestions like banning strong encryption is a form of ritual abuse. It is
meant to get the public used to the idea of pervasive surveillance. That
pervasive surveillance will be carried out through a continuation of what
existed before the Snowden revelations, which was a successful Straussian
confection of fake freedom, carefully managed.

~~~
psimondo
spot on

------
cfstras
Happily looking forward to being rick-rolled, I click the YouTube link. It
fails, telling me the German content mafia doesn't allow YouTube to display
the video due to licensing issues.

Woo!

------
danpalmer
As far as I remember (and I may be wrong), the specific quote from David
Cameron was about banning encryption that can't be backdoored, so that the
government can look at things if they need to.

Obviously I'm completely against that, because once there's a backdoor, it's
all too easy to collect by default, instead of only when "needed".

With this clarification though, lots of this tech would still work. Most
things based on TLS will continue to work, if every computer has to have a
government CA certificate installed to allow MITMs. Hopefully HTTP Public Key
Pinning will become more prevalent if this looks likely to happen.

~~~
beagle3
> Most things based on TLS will continue to work, if every computer has to
> have a government CA certificate installed to allow MITMs.

And the following day, there will ba a Chrome+Firefox extension that
highlights when the government CA certificate has been used - so that you know
EXACTLY when you are MITMd. Isn't it good?

~~~
_asummers
Would probably look more like auto deny with user override if they choose,
with a setting to white list the domain. User should have to opt into their
connection being MITMd.

------
c0g
Except Cameron wants to backdoor end-to-end encryption like iMessage/Whatsapp,
rather than mess with something like SSL. With SSL they can just get a warrant
(or you know, don't get a warrant) and look at the server, where everything is
in plain text.

One possible way to backdoor it might be mandate that companies keep copies of
the encrypted messages, tagged with a device ID. Then to decrypt you need to
get the person's phone, which is a clearer analogy to getting a warrant to
search someone's house to look for things they have stashed.

~~~
swombat
I would be very surprised if Apple and Facebook (and Google, with GMail,
GTalk, Hangouts, etc) didn't use this golden opportunity to swing their weight
about and assert who's really in charge of technology around here, by simply
wholesale blocking use of all their communication tools in the UK to comply
with the law.

I have a feeling that if they did this, the uproar would be sufficient to have
the law reversed by emergency measures.

If they were followed, as they may well be, by a whole host of other essential
internet services (Google Search, Wikipedia, Github, etc etc etc) just
switching off simultaneously in the UK on the day the law comes into force,
that might be sufficient to ensure this sort of dumb shit is never done again.
The cost of billions of pounds of lost productivity would probably ensure
that.

~~~
thret
Doesn't this seem insane? You are advocating punishing some 64 million people
because of one idiot.

~~~
Drakim
The one idiot they technically elected (or at least allow to control the
wheel).

Ultimately, it's the people's right and responsibility, not one man.

~~~
andy_ppp
Hahaha! Only 37% of people voted for that guy... So how we are culpable I
don't know!!

~~~
fyolnish
Because democracy.

------
DanBC
The UK Crypto mailing list has some discussion.

[http://www.chiark.greenend.org.uk/mailman/listinfo/ukcrypto](http://www.chiark.greenend.org.uk/mailman/listinfo/ukcrypto)

EG:
[http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2015-Ma...](http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2015-May/002532.html)

But there's quite a lot of useful discussion there.

------
aembleton
9:15 : Think this is all a bit bizarre so phone colleague on mobile, she
answers to say that she’s having lots of problems too.

Mobiles are encrypted too:
[https://en.wikipedia.org/wiki/A5/1](https://en.wikipedia.org/wiki/A5/1)

~~~
Asseon
Yes but A5/1 is utterly brocken. Besides thanks to numerous attacks possible
through SS7 you probably do not even need to break the encryption.

~~~
swinglock
No attack is necessary, operators has taps for listening in. See "lawful
interception".

------
giancarlostoro
Why do we still have politicians trying to pass laws in technology if they
don't understand it at all? Really we need to change how laws affecting
technology are approved or something. It's always the same thing, some
politician is passing some law affecting technology in what seems like the
most absurd approach.

~~~
joesmo
I agree, but if it hasn't happened for women's issues, it won't happen for
technology either. From the point of view of those in charge, it makes sense
to have politicians be as dumb as possible. That reduces the chances of any
moral conflicts or other unpleasant issues that might arise to stop the idiocy
they're about to commit.

------
KaiserPro
So what are we going to do about it?

We've spent the last year running twitter campaigns, but the people that
matter (voters, well tory voters) don't do social media.

This means that you need to write a letter. Yes a real letter, not a fucking
email. Write a letter to your MP, then a local Lord.

Then you need to write to your boss, tell them that the cost of business will
go through the roof (if you're able to do business. )

Then start looking at jobs abroad. Because no doubt there will be a twitter
campaign, meaning that nobody actually bothers to engage in how the democratic
process actually works.

------
keithpeter
I'm a very happy customer of mythic-beasts. They do _insist_ on sftp/ssh/tls
&c for all connections which is probably wise.

I hope this gets the idea across to influential civilians (i.e. non-techs).
Humour can work quite well in the UK. The HGTTG references may be lost on the
younger ones though.

------
kuschku
The most unrealistic part is

> Youtube fails to load with a secure connection error.

YouTube still refuses to use anything more recent than RC4 encryption, so, if
Cameron would ban all secure encryption, YouTube would probably still work.

~~~
yrro
"Your connection to www.youtube.com is encrypted with modern cryptography.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses
ECDHE_ECDSA as the key exchange mechanism."

~~~
kuschku
Check the actual connection for the video server, until a few months ago, that
was still RC4. They only changed to 128-bit AES-GCM with ECDSA after Firefox
started blocking RC4 encryption.

~~~
theWheez
So the YouTube web pages still wouldn't load, no?

~~~
kuschku
well, depends. 2 months ago, the pages wouldn’t have loaded, the videos (if
you download them through a third-party tool) would have.

Now, the videos wouldn’t load either.

------
lalm
SSL can be intercepted though so it wouldn't be the target of this theoretical
ban.

------
rysiek
The ban is not about encryption: [http://rys.io/en/149](http://rys.io/en/149)

Of course they can't expect to effectively police the ban if it's put into
law. But they don't have to. Everybody will encrypt anyway and that's fine,
because once they _want_ somebody put away, they will be able to simply by
saying "that person broke the Snooper's Charter by using SSH".

It's not about banning encryption, it's about having a convenient law to put
tech-savvy people away.

------
bit2mask
The rhetoric of "not allowing a safe space for terrorists to communicate" is
complete bullshit.

Terrorists can communicate using a book cipher or pick from any of a huge
number of other options. The kind of terrorists we should actually be
concerned about (competent ones) will already use extra measures such as this
in conjunction with strong encryption.

This is totalitarianism.

"For too long, we have been a passively tolerant society, saying to our
citizens: as long as you obey the law, we will leave you alone." \- David
Cameron.

------
ackalker
One-time pad encryption, implemented correctly, cannot be broken or
backdoored. There is the matter of key exchange of course, but that is as old
as the use of covert communications itself. Anyone who cares enough about
their communication remaining secret will find a way of exchanging keys for
which any attempt at interception by a government entity is entirely
impractical.

~~~
batou
I pull 120Gb a month down. That's going to be a fucking big OTP and side
channel.

------
joesmo
What's to stop people from using strong encryption on their own, illegally,
end to end? It's not like this is the first time the government has inserted
itself in between people's legitimate communications and intercepted them with
no recourse. If you assume that that is the default state of being (and except
for a few small governments, it is), then you realize that the short periods
of time where people could communicate freely and privately using networks
outside of private in-person meetings have been lapses in government
surveillance more than anything else and minor moments of relief for those who
want to communicate privately. Governments will spy. That is a given. They
will try to remove privacy. That is a given. Regardless of any laws and
especially when it's as simple and undetectable as making some database
queries.

I'm not defending any government's actions to remove privacy and spy on its
people. Quite the contrary, once one has accepted that as inevitable, it's
easier to move on. The need for human privacy is also, IMO, a fact. Some may
dispute that, yet there are true, the only other option then becomes to go
around the law. An unjust law __must be broken __. And it will. The worse the
government gets, the more it will be broken.

I don't see why people in the UK and elsewhere couldn't get copies of software
that still had strong encryption despite the idiotic laws. After all, it's
just as easy to click one link as another. Will the UK be monitoring traffic
for actual binaries and source code? Will the arrest people that use
encryption they can't break? Will they arrest people for sending garbage data
that looks like encrypted data but isn't and therefore can't decrypt? As the
government gets more totalitarian, I think we will see even regular people
training themselves in encryption and its proper uses. It's inevitable as
people have more and more to lose. Once life, limb, and property are at stake,
people either become competent or become victims, and people are generally a
lot more competent than they appear when high stakes are on the line.

Of course, UK companies will be hurt. They won't be able to do a lot of
business internationally. UK citizens will have their information stolen in
massive data breaches. Bank accounts and identities will be compromised. Many
accounts that are not with UK companies will be compromised because of
password reuse. Cameron doesn't have to ban ALL strong encryption. Whatever
systems he bans it in, will be compromised. That's inevitable. At the same
time, the people don't have to put up with it. Stop online banking with banks
that don't use strong encryption. Request paper bills. Clog up phone lines.
Pay in cash if possible. These are all things a regular person could do in the
event that strong encryption is banned that if done by even a small percentage
will increase costs quite a bit. It may not get the law reversed, but it might
get companies on the side of people if they have to cut paper bills again at a
10-100x cost over electronic ones, for example.

tl;dr: Governments will spy and people will use strong encryption regardless
of the law as privacy is a human right and oftentimes necessary to survival.
Businesses and convenience will suffer greatly.

~~~
strictfp
It's very easy to make people stop doing this by making it illegal. It might
sound obvious but I find that this aspect is often overlooked when tech people
talk about these issues. You cannot work around the law. At least not in the
long run. This is and must be a political battle.

------
tome
Good old Mythic Beasts. Very happy customer here!

