Reply From: William T Wilson <fluffy@dunadan.com>
> The approach made public yesterday by 13 of the largest technology firms
> will lead to an Internet that's easily wiretappable -- it's the on-line
> equivalent of the reviled Digital Telephony (CALEA) law planned for the
> phone system. [...remainder snipped...]
I have to come forward and point out the silliness of the entire thing.
First, the approach places no new wiretapping abilities in the hands of
law enforcement. As it is now, law enforcement has to go to your sysadmin
and ask for him to eavesdrop your network traffic. Eavesdropping Internet
traffic, on the difficulty spectrum, is about like overhearing a
conversation at a singles bar. You have to make an effort to do it, but
once you do, nothing is going to stop you. The new system gives exactly
the same power to system administrators that the existing system does,
i.e., all of it. :)
Second, the new system will by no means guarantee security of data. It's
a sort of a fuzzy feel-good of encryption. Primarily, it's because the
router at each end of the connection must support the special encryption.
Depending on how much magic they managed to stuff into the system (and how
many things besides just standard email and websurfing they're willing to
break) it's likely that every router along the way will have to support it
too. For example, ICQ and Quake et al, to name two popular programs,
probably couldn't be made to work unless EVERY router involved all
supported the new encryption. Most of them will not initially support the
new encryption. Many probably never will.
It would of course be possible to only encrypt the data for connection
types where it could be negotiated transparently. That would probably
include WWW, E-Mail, FTP, and any other TCP-based application; UDP-based
applications would probably simply have to be left out.
Finally, the most common place where data is eavesdropped is not "out
there" in the far reaches of the Internet. A snooper does not, typically,
find your traffic floating by on the backbone. This is difficult to do
(but possible). Instead, they break into your ISP (or more likely, the
server's ISP) and eavesdrop from there, before the encryption has a chance
to be used (or at the server, after it has been removed).
The only real secure way to encrypt your data is to encrypt it at your
computer and have the computer you're talking to decrypt it. Anything
else is a very imperfect solution.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun Jul 19 21:17:46 1998