24 May 2013

Backdoors Are Not Acceptable

Start of thread on this topic:

http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html


Date: Fri, 24 May 2013 20:26:46 +0200
From: Adam Back <adam[at]cypherspace.org>
To: Crypto List <cryptography[at]randombit.net>
Subject: Re: [cryptography] skype backdoor confirmation

It seems like there is this new narrative in some people's minds about "all companies backdoor everything and cooperate with law enforcement with no questions asked, what do you expect". I have to disagree strongly with this narrative to combat this narrative displacing reality! I've seen several people saying similar things in this thread. No, I say.

I think the point is not that a company could backdoor something. We know that companies that have information for whatever pre-existing reason that may help investigations will typically be expected to hand it over with appropriate legal checks and balances, a court order, subpoena etc. Sometimes their lawyers will fight it if the subpoena is ridiculously broad, and that's not that unusual. Sometimes there are gag orders to prevent the fact that a subpoena was received from being disclosed to the target, or disclosed ever. The latter is considered fairly obnoxious.

Now and then there are rumours or claims of forced changes that e.g. Hushmail maybe changed some code in response to law enforcement request of some kind.

However it is not the case that anything that could be backdoored is backdoored. Do you think all SMIME email clients, all SSL clients (embedded and browser), all SSL web servers, all VPNs are backdoored? I seriously doubt any of them are backdoored in fact. Would those taking the "what do you expect" narrative like to try your narrative against web servers and VPNs?

Now web2.0 types of things that involve social media and messages being stored online obviously are targets for subpoenas and don't typically involve more than transport encryption.

IM most of the clients are not end2end by design - ie like web20 there is transport encryption from client to server, but a central server that sees all traffic. As someone mentioned many companies run their own server for this reason (to avoid traffic being readable to the internet scale IM server operator). Skype was claimed to be end2end secure. The Skype security review white paper saying so is still on their web page. The privacy policy just says they will hand over information they have, in response to valid legal requests, which is a non-statement, companies operate in jurisdictions which issue legal requests. For all we know Skype may still be end2end secure when used with a strong password, except for uploading URLs for some ill thought out malware checking. Or not, maybe that's happening server side, no one took the trouble to determine (it's easy enough I think as I said just upload lots of URLs and same character count with no URLs and count the byte count of the traffic flow). The password reset doesn't sound so good, possibly not being technically end2end, but presumably you don't have to use that.

So anyway, no, products riddled with backdoors is not acceptable, it's not business as usual, and we do expect better. And if companies are advertising end2end security, and yet routinely decrypting all traffic, in many countries that could open them up to fines and possible prosecution for false advertising.

Adam