SSL security issues have once again made the news. One might go as far as to say that SSL is the black sheep of the computer industry, the one everyone likes to pick on. That isn’t far from the truth, but if we consider attacks like DROWN, Logjam and FREAK, they all have one thing in common: they are all the result of government interference with security.
Encryption has long been an issue for governments. They have had to balance the right to privacy with the ability to gather any information they needed, when they needed it. For many years, the US had quite harsh restrictions on the export of cryptography. SSL was developed to use keys of 1024 bits or larger and 128-bit encryption, but this was reduced to 512 bits or less and only 40-bit encryption when exported. At the time this was probably deemed a sensible balance, since such encryption would have taken months to crack. But time doesn’t stand still, and what might have taken months back then takes no time at all with today’s technology.
Many of those advocating the weakening of security in the name of state security don’t consider that once something like a backdoor is out there, it will be very hard to conceal it from the bad guys. All the weak algorithms that resulted from export regulations have long been deprecated. However, deprecating standards is never easy, because you cannot just decide to stop using an old, insecure standard. Turning off the switch will guarantee you break the internet.
In technology, it is important for systems to be backward compatible. Even though steps have been taken to ensure these weak standards are not in use today, the recent DROWN attack has shown us how attackers can exploit the backward compatibility that remains underneath. It is through these compatibility structures that attackers defeat modern implementations that on their own would be more secure, and unbreakable against brute force attacks.
Why dwell on the past?
That would depend on what past you’re talking about, as major governments have recently renewed their efforts to weaken security in various ways in the name of national security. The US government, specifically the FBI, has asked Apple to weaken security on the iPhone by building a version of iOS which doesn’t limit the number of attempts at guessing a password. In response to this, the French government went a step further: its parliament voted in favor of imposing up to a 5-year jail sentence on company executives who don’t turn over decrypted information requested by law enforcement.
Unfortunately, it doesn’t end there. In recent years we have seen various politicians in the US and the UK calling for a total ban on encryption, or at least for backdoors to be installed so that data can be decrypted when needed. This comes even though we recently saw a large-scale breach of Juniper firewalls because of a backdoor the NSA had requested.
Would it help?
Security has always been about striking a balance between convenience and safety. It may be justified to lose some security if it turns out you gain more personal safety. The problem is that I personally don’t think any of the proposed amendments would result in any security gain. Let’s think like the bad guys would. Say we want to communicate in secret with our co-conspirators and the government has banned encryption on mobile phones. Would that stop us? If committing mass murder is the end game, would someone really worry about breaking the encryption ban? Even if the government had such tight control that it could somehow stop someone from installing any encrypted communication software on their phone (it cannot, really), would that be a problem? Wouldn’t the bad guys be able to use the good old internet or, to be safer, the dark net? Couldn’t they send a coded message through regular post, or maybe have a plain conversation in code? They could use steganography or any of the million other ways to communicate in secret without using encryption on mobile phones.
The truth is that there is simply no way for governments to control every form of encryption because no government has full jurisdiction over the internet, and even if they did, as explained before, no one would care about breaking any ban when they plan to do much worse.
What all this is doing is making it harder to build robust security systems meant to keep people safe. It is not just governments who benefit if security, especially encryption, is weakened. Bad guys want to access confidential information too. In this day and age, we should be thinking about how to strengthen security for the benefit of all, not finding ways to get around it. As Tim Cook, CEO of Apple, correctly pointed out, one cannot simply weaken security just for the good guys.