On weakening encryption

It’s history time! While we are discussing Apple vs FBI and the ongoing legal battles over encryption, let’s consider how American politics have already prevented technology from being as good as it could be. Just a few decades ago, the internet came along and started improving the lives of a lot of people – mostly rich people in developed countries at first. Smart people were developing the technologies serving the internet as they went along. Encryption was among them. How could a person ensure that a communication over the internet would be accessible only to the intended recipient? Encryption was the answer. How could a person ensure that his credit card details transferred over the internet for a payment would not be stolen by someone? Encryption!

This is all very nice, but both the internet and encryption have strong links to the military. The precursor to the internet was ARPANET, a project by the US department of defense. Encryption was big during World War 2. Mathematicians worked in the United States and UK to break the code used in the German Enigma machines. This gave the Allies the ability to intercept German communications and it was essential in their establishment of military superiority leading to their victory in the war.

Perhaps due to its background, encryption was treated as a “munition” and the export of strong encryption from the US was severely restricted until the 1990s. This made it difficult for companies to provide secure services over the internet and – let us have no doubts about it – ordinary consumers failed to get the benefits of these protections until these restrictions were slowly eased during the nineties.

Lessons learned? Not yet. Politicians in the United States and UK, among others, continue to ask to make encryption and similar consumer protections weaker in order to carry out “law enforcement” and “anti-terrorism” activities. How far are they willing to harm their constituents in order to achieve the aim of law enforcement?

Here is one answer: A vulnerability called “DROWN” was discovered last week that makes it possible to intercept supposedly secure communications between your computer and 25% of servers (25% of HTTPS servers, to be precise.). That’s your credit card information, your personal details, your income tax information and your children’s birthdays that are being made available to criminals to exploit. As I type this, millions of IT departments will be working on patching and otherwise changing their systems to protect their companies and clients from the risk posed by this vulnerability. That will be millions of man-hours of work lost fixing a problem that should never have existed. Why did this happen? The researchers who discovered this vulnerability explicitly blame US government policies of the nineties for allowing this to happen.

“In the most general variant of DROWN, the attack exploits a fundamental weakness in the SSLv2 protocol that relates to export-grade cryptography that was introduced to comply with 1990s-era U.S. government restrictions.”

XKCD comic on encryption

Better cryptography was available at the time SSLv2 was invented. The US just refused to let people outside their country have it. Major US tech companies made unsecure products and distributed them everywhere (including in the USA). It is bizarre that this is putting people’s information at risk even today, in 2016. Now you know why (among other reasons) people in technology and security are backing Apple in the Apple vs. FBI case.