Hacker News new | comments | ask | show | jobs | submit login
Govt of India proposes to ban SSH (Or wants you to use 40 bit keys) (dot.gov.in)
163 points by shabda on May 26, 2012 | hide | past | web | favorite | 64 comments




The linked post doesn't provide any source.

According to the internet archive, it's from 2006 http://wayback.archive.org/web/*/http://www.dot.gov.in/isp/g...


Here's an article from 1999 http://www.rediff.com/computer/1999/jul/26gatewa.htm

Last week it announced the 'Guidelines and general information for setting up of international gateways for Internet'.

Another quote:

There is a view in the industry that 40-bit key length is too weak for most commercial applications and can be easily broken.

Surprisingly, Singhal [secretary, Internet Service Providers' Association of India] is not very worked up over this. He clarifies that it is just an initial step. "It is not a hard and fast rule that higher bit encryption is not allowed. If encryption over 40 bits is used then the key will have to be given to the government. The DoT seems to have taken the worldwide standard. As and when they receive complaints that it can be easily broken, they will consider going for stronger encryption.


It is from 2001, It can be verified by using google search with a date range.

https://www.google.com/search?hl=en&q=%22Individuals/Gro...

My apologies for jumping the gun. Its easy to get confused as there was no date on that page.


I think google doesn't have info about page dates prior to 2001. I think the actual date must be 1999 as linked by the parent post.

http://www.google.co.in/search?q=www.google.com&hl=en...

PS: I'm the one who should apologize.


Yeah. Here is the archive history for linked guidelines in the rediff article - http://wayback.archive.org/web/20060815000000*/http://www.do... Dates back to 2000 at least. So must be from 1999


Is the policy still applicable if it doesn't seem to be updated?


I love the broken images at the bottom of the page.

This proposal is just one way of destroying their call centres and any Internet based transaction system they may want to develop with the outside world.

You might also want to note the following:

  14.  The ISP should block Internet sites and individual subscribers, 
  as identified by Telecom Authority.
  
  15. The Government(Licensor) reserves the right to make changes in 
  the security considerations.
Don't forget the following kicker:

  Every international gateway location and/or the ISP node with a 
  router/switch having a capacity of 2Mbps or more shall be equipped with 
  a monitoring Centre at the cost of the ISP."
These are all excellent ways of destroying their IT industry, which is currently about 7% of total GDP. No organization with critical data who have any sense will transmit data over these sort of links.


Actually... is this current policy? I just checked the wayback machine, and this has been there since at least 2006. See http://web.archive.org/web/20060222081026/http://www.dot.gov...

Is this really still in effect?


OK, this is getting weird. Check out the front page:

http://www.dot.gov.in/

This is their "Department of Telecommunication"! But the site could have been slapped together by a 12 year old. It looks like an abandoned server - full of flashing "New!" images...

And down the bottom it says:

  This site can be best viewed at 800x600 resolution in IE 4.0/ Netscape 3.1 or above
  Copyright � 2002, Department of Telecommunications, India
Google has also blocked their custom search... looks like they are using Google without paying them so Google have cut off their access!

However, while this looks to be abandoned, the front page says that the last time it was updated was on 22nd May, 2012. Something seems very wrong with the Indian Government's IT department!

Edit: it's getting worse. Check out the contacts list:

http://www.dot.gov.in/rti/teldir.htm

They have government officials using hotmail acounts! But this isn't that old - they have Gmail accounts for officials. If that's not bad enough, the Legal Advisor for the Deputy Director General is using a Yahoo account and the actual Deputy Director General is doing the same!!!

Something is very, very wrong with the Indian Government's IT security.


National Informatics Center(http://www.nic.in/) is what's wrong with the IT in government here.

NIC acts as a complete "mean guard at the door" for anyone trying to get work in government. NIC insists on doing things "their way" or you just take "the highway".

Here is an example of a few thing we have to deal with every day. There is a small Java Swings app built by a government department which generates a few reports everyday. A few beauties:

- Hard coded mysql host(localhost), db name, username(root) and no password.

- Run it from command line(java -jar) and you can see a hellish amount of debugging statements scroll by(e.g. "I am here", "Inside Xyz.abc", "asdasdasd" etc). A lot of sensitive info is also printed out on the console that even, we vendors, might not be supposed to know.

- This app requires a 0777 permission on '/home' directory. Yes '/home', not '/home/<someuser>'

- If it's 1 minute past midnight there is absolutely no way to generate day's report. According to Cheif Programmer of that department this is a security feature. Oh wait, we just change the system date.

- When our project in-charge (politely) confronted this "Chief Programmer" about this he just said that I was lying and there is absolutely no problem in 'sudo chmod 777 /home'. "we do it all the time"

I know this because we have been working with the government on some quite big projects.


Most of the govt sites of india are in similar state. They are hardly ever updated. The main reason for this is the paperwork/legalese needed before a site can be revamped. Permissions have to be taken from various post holders. I have an email account that is given by govt college and the allotted space is 5Mb.


In that case, the Indian Government needs wholesale reform. And soon. If India wants to be a forerunner in the world of IT (which it's rapidly becoming) this is only going to cause massive problems.


The govt. was not responsible for the IT revolution, it was mostly just entrepreneurs taking advantage of the opportunity. Don't expect much help/facilitation from them. However, once it was clear that IT was a job creator, many state govt. did start promoting it; but the extent is still unclear to me.


I think you are misunderstanding where I'm coming from. While the government isn't driving IT growth in India, it is still able to hinder it fairly effectively. After all, it is the government that must legislate the IT industry and the bureaucracy that must administer these laws.

If this is the parlous state of both the government and the bureaucracy, then I suspect that growth will be hampered.


One of the reasons that IT took off in India was because it was not a sector recognized by the Indian govt. to be of any importance and was thus free from ridiculous laws that exist in other areas. Now that has changed, expect more boneheaded interference from them.


Came to say this.

The govts only contribution to IT was nothing. It's the best they could ever do. When it first started, back with modems which went to 14.4k, the fact that no one understood it or it's implications was the only reason it succeeded.

Otherwise the rent seekers or the security focused would have probably killed it at inception.


See point 2: LEVEL OF ENCRYPTION

Individuals/Groups/Organisations are permitted to use encryption upto 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organisations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority.


Welp my 2048-bit key may not float there. This is ridiculous, I never though it'd be THIS bad. And why are they asking for the "decryption key", in two parts?!


You're all thinking about this as if it were a law the First World, where this would be enforced impartially. Its just a revenue generation method for whatever bureaucracy gets to pretend to enforce it, aka another excuse to demand bribes. Same principle as countries with official tax rates over 100%.


>You're all thinking about this as if it were a law the First World, where this would be enforced impartially.

And I think you're overestimating the "impartiality" of the law in the First World.


Yeah, I guess I was. In the US you see things like relatives of police officers not getting ticketed when they crash while driving drunk, for instance, and other sorts of selective non-enforcement of laws and sometimes selective enforcement based on the prejudices the enforcers. But I've never had to pay a bribe, and I don't know anyone else who's had to pay one either.


Well, it's for higher echelons, and in that level it's not even called a "bribe". You know, like having your company get huge commissions from the very business your war policies created, or having your friends in DC bail you out because you're "too big to fail", etc. E.g (Wikipedia):

Halliburton has become the object of several controversies involving the 2003 Iraq War and the company's ties to former U.S. Vice President Dick Cheney. Cheney retired from the company during the 2000 U.S. presidential election campaign with a severance package worth $36 million.[40] As of 2004, he had received $398,548 in deferred compensation from Halliburton while Vice President. Cheney was chairman and CEO of Halliburton Company from 1995 to 2000 and has received stock options from Halliburton. In the run-up to the Iraq war, Halliburton was awarded a $7 billion contract for which 'unusually' only Halliburton was allowed to bid.


Yes, but equating these two things together is disingenuous. If you've ever been to a 3rd world country you'd know why.

I'm Lebanese(small country sandwiched between Israel and Syria that specializes in fighting proxy wars) and I've been around(not to the US, but to quite a few places in Europe as well as other Arab countries). Things are just not comparable from one place to another.

Yes, human nature is corrupt. Yes, with enough money you can buy people's consciences(at least a lot of them). But it's extremely different when it's systemic rather just one-off individuals being corrupt. Government employees here expect to be bribed, you literally cannot get anything done without bribery.

A few examples. I know quite a few engineers who work in construction, ask any of them and they'll tell you that they have a well-defined budget for bribes. Whenever there's a construction project anywhere, police officers will drop in for surprise inspections and expect to be bribed or else will stop work from getting done. Most of the time there are no violations, but they'll disrupt you enough that it's just cheaper to pay them off.

Another example, a friend of mine drives a motorcycle. They are actually quite rare here[1](and nobody bikes). This is due to the fact that road conditions and driving skills of people are really bad so it's extremely dangerous for anything that's smaller than a car to be on the road. We have a vehicle tax here and along with paying that tax you have to take your vehicle for a yearly inspection(it's one process). This is extremely streamlined for cars(as there are many of them and it has to be a fast process) so not much bribery to do there. But my friend tells me he pays about triple the actual tax where the rest if bribing people to accept his tax payments and confirm that he's had the bike inspected.

I've been to Syria a lot and it's even worse there. It starts right at the border. If you don't bribe the officer conducting the inspection they will just keep opening bags, laptops and asking you about every single detail of every single item and being general dicks until you pay them ~20$(a lot of money in Syria). I was at some point traveling there with a friend who didn't want to pay on principle, they held us up for ~3hrs at least and then he payed anyway.

The list goes on and on, and this is just for personal stuff. For doing business(getting stuff shipped, getting any kind of license, etc...) it's even worse. My friend's father is an executive in the local branch of a big multinational fast moving consumer goods company and he's told me that they have a lot of problems operating in these parts because they have a lot of internal policies that forbid them from doing a lot of things that are just facts of life here.

TL;DR corruption in the 3rd world is something that permeates almost everything that you do. Equating it with some individuals being corrupt and self-serving is just not right. You won't know what I mean until you've tried it I guess.

[1] Note: this does not include a lot and a lot of un-registered, illegally-aquired, scooters that are some of the most annoying as well as dangerous things on the road. These are mostly driven by poor people and immigrants who can't afford anything else. Unfortunately none of them have ever actually learned to drive and it shows. But most of them don't really have a choice so how to deal with them is not clear.

EDIT: fixed typos and grammar.


This is an absolutely terrible idea.

20 years ago people where hailing the Internet as a bastion of freedom and espousing how it would liberate people around the world, it was supposed to be the death knell of censorship.

Sadly it seems more likely that it will be used to reduce the freedoms and liberties of all men across all nations, unless we stand firm in our convictions and remain unafraid to raise our voices in protest.


"20 years ago people where hailing the Internet as a bastion of freedom and espousing how it would liberate people around the world, it was supposed to be the death knell of censorship."

But it still is. Now more than ever. It's toppled regimes, unmasked government secrets. If authorities try to take away what has once been given to the people, there will be protests.


People did those things, as we have done throughout history. To add meaning to your claim you would have to prove that the rate of regime toppling has dramatically increased since the advent of the internet. I am not saying it did not play a part or wasn't a key tool, but such things always start and succeed based upon the commitment and sacrifices of those willing to stand up to their oppressors.

The internet is a tool for communication. If you co-op that communication then it is a tool for propaganda and oppression. I am not seeing a trend lately for more openness, instead I am seeing more and more laws for restricting what can be done, and governments demanding back doors into all aspects of our communication. of course I maybe blind and misinformed, but I see governments and corporations making a land grab for our individual freedoms.


This is natural. So far the Internet has gone from : "geek toy" to useful tool to "ok we need to handle this"

It's taken governments time to wake up to it and to figure out how to handle it.

All governments around the world today no longer see the Internet as what technologists did. They see it as a threat. Theyve finally figured out what to do about it.

This was the end game visible from the start, the net makes it too easy for people to get together and as a result removes and creates its own power centers.

The state has to then assert its control over those centers and naturally they will do it by laws, and later by force.


40 bit key length for RSA is just trolls. 768 bit keys have already been cracked, so you could probably crack these with a calculator.


Just tried it and Ti-89 breaks 40 bit RSA keys in about 6 seconds.


I think this is only for international gateways using foreign satellites physically located within the country. No? Does this effect users of, say, Airtel? Didn't Airtel use Singtel's gateway (located outside India)?

And this does not look like a proposal, more like a TOC for establishing a gateway.

Nevertheless, a terrible thing.

EDIT: Nope, it is for everyone - It is same clause in Cable Landing Stations for ISPs using offshore Gateways. See here - http://www.dot.gov.in/isp/landing_station.doc

Now I wonder why aren't ISPs already blocking. The documents don't look old, they are still linked on their site.

EDIT 2: Document is too old. Doesn't hold.


India will get a Darwin Award for killing it's relevance in global IT services business.


Surprisingly many of the indian IT workers (outsourced) I am in touch with support the increasing limitations of freedom in India.

I am not sure why, maybe they are just brainwashed or simply not used to having as many rights as people in the western world are accustomed to. In any case, terrorism is a real threat in India and I suspect they are all a bit touchy.


I am from India and I am pretty concerned about terrorism, but I am assuming that the people/businesses who will end up following such rules would most probably be the people who aren't planning any thing nefarious.

Meanwhile, the real bad guys are going to find a way around it - and will the govt of India pay me damages if my private key ended up on piratebay because someone stole it from their servers? Nope, don't think so.

Most Indian's have been brainwashed into accepting flaws/weaknesses in (big)governance, kind of like - "its a feature, not a bug"


You're on HN. This puts you far above the "average person". You probably have critical thinking, and problem solving abilities that not many people have.

My guess is that once tech. penetration reaches a critical mass where the rewards for breaking into a low security server outweighs the hassle for the poor or smart people, only then will the government policies be upgraded.


This reminds me of ~10 years ago, when downloading Linux distros, they came in “US” and “non-US” flavours. I vaguely remember this having to do with “exporting” crypto from the US. I guess something has changed since I no longer see this, but I would love if someone could shed some light on that piece of Internet history.


I don't think this is a direct result of Bernstein v. US (as that covers source code rather than executables), but it's related:

http://en.wikipedia.org/wiki/Bernstein_v._United_States


something changed, indeed. djb vs. usa: https://en.wikipedia.org/wiki/Bernstein_v._United_States


I'm not that surprised by this. More developed countries use their scientific prowess to build massive organisations like the NSA to decrypt and monitor communications in the name of national security, the Indian government tries to legislate it instead. This is what they insisted on doing with RIM's encrypted Blackberry services as well. Technology's progressing too fast for the government research agencies to keep up with and eavesdrop on.

(ref: http://news.ycombinator.com/item?id=4018084)

I'm not too concerned because of the standard 'I've got nothing to hide' line, but there's always the chance of corrupt officials and poor data security in their wiretapping centers. Anyways, it doesn't seem like this rule is enforced since the document has been there for a while and SSH traffic works just fine.


>I've got nothing to hide

In that case, they've got no reason to look.

But I think like quite a few other comments say, it's old document.


Horrible idea. Can anyone explain what is motivating the Indian government to require such access? We all basically know what the deal is with China and certain oppressive regimes in the middle east, but India is an actual democracy (maybe with a somewhat high level of corruption.)


Not trying to be snarky, but the USA is supposed to be the paragon of freedom and democracy, yet even its government is spying on its own citizen via the NSA. A democracy is no guarantee against a surveillance-expansionist regime, especially when a large portion of the electorate are highly uneducated and below the poverty line, as is the case in India.


The idiots in our government are jealous of China & have identified censorship & suppression of freedom as the one thing they can quickly compete with China on


>Horrible idea. Can anyone explain what is motivating the Indian government to require such access? We all basically know what the deal is with China and certain oppressive regimes in the middle east, but India is an actual democracy (maybe with a somewhat high level of corruption.)

Democracy in that sense is an empty word. You mean it's a democracy because people get to vote? In the US the democratic part amounts to getting to chose between the same two century old parties, which have heavy corporate backing and dead-ringer platforms. With the main issues (economic policy, foreign policy, educational policy, labour laws) are only debated superficially, reduced to slogans and yes/no decisions.

Still, the democratic US snoops on its own citizens, maintains (and demands ISP's maintain) huge backlogs of private data, has the Patriot Act, has private prisons, the list goes on and on...


If encryption higher than the proposed limits are required, they want us to seek permission from authority and deposit decryption key.

Considering how corrupt and inefficient government and the officials are there, its not gonna work well or will be too frustrating and may require bribing.


I wonder how this could impact the Indian IT outsourcing industry. Will customers be happy to have the Indian government being able to peek into everything they do from India?


This may be one of the strongest arguments for stopping this. US companies will certainly not want their business to be compromised by competitors because of this rule.


US companies continue to do business in China even after their businesses have been compromised and knockoffs are being made because it's cheap to do so. They clearly do not have a problem with it as long as the price is low enough.


France had a similar policy in the mid 90s. I recall SSL had a renegotiation to allow banking sites to upgrade from the weak key to a stronger one. Over time, this policy went away.

There are companies that do disallow ssh or require you use a null cipher/key to a gateway before going to the outside world.

I'm not sure how this will be enforced, however from prior comments, it looks like it may be an old policy?


> There are companies that do disallow ssh...

How are these companies still in business? You're just asking to get cracked.


It wouldn't work and they would be even deeper in corruption and legal system inefficiency. I guess they want just that, stupid humans.


This came up at a meeting at EPIC a while back. Someone indicated it was one of various contradictory regulations by different agencies in India that aren't actually enforced. Still troubling, but more in the category of those weird laws that slip on the books and never get removed than an all out war on privacy there.


I think it is a very old document.


I would hope so. Do you have any citation on when was this published?


<meta name="GENERATOR" content="Microsoft FrontPage 3.0">


On that site's front page they recommend you to use IE 4.0. :(.


In that case, does anyone know where I can get a copy?


Browserling.com


And that my friends is one of the reasons why as an Indian I cannot live in my country. People are not mean there , but plain old stupid. Stupidity backed by authority. That DOT site. My god!


If this is a satirical remark about the US, I acknowledge your wit.


Is it even feasible to attempt to block ash? They can block the port, but users can set up sah on any port.

What level of monitoring would be necessary to detect a user's traffic was encrypted?


ssh-keygen (from OpenSSH) doesn't even let you create keys that short-- 768 bits and the default is 2048 bits for RSA keys, according to the man page.


In layman terms it says, lock your houses with government made keys or if not - deposit a copy of your keys with the government.


Anonymous hack has stopped facebook access also.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: