On 07/12/16 06:48, Kevin Oberman wrote: > In case people are not aware of it, Russian law now requires ALL encrypted > traffic must either be accessible by the FSB or that the private keys must > be available to the FSB. I have always assumed that GOST has a hidden > vulnerability/backdoor that the FSB is already using, but this makes it > mandatory. Putin gave the FSB 2 weeks to implement the law, which is > clearly impossible, but I suspect that there will be a huge effort to pick > all low-hanging fruit. As a result, I suspect no one outside of Russia will > touch GOST. (Not that they do now, either.) I'd hate to see its support > required for any protocol except in Russia as someone will be silly enough > to use it.
Agreed that it should be possible to use GOST crypto readily on FreeBSD, but I dislike the idea of shipping with 'known vulnerable' ciphers enabled by default. It should take a positive act to enable them, given the circumstances. Whether that should entail installing something from ports, or recompiling the system with specific settings in src.conf or it could just be down to tweaking a config file somewhere I wouldn't care to venture an opinion though. I'm also curious as to how far these regulations are supposed to extend. Presumably traffic which is merely transiting Russian territory isn't covered, at least in a practical sense. How about people from Russia accessing foreign websites? I can't see any of the big Internet players implementing GOST in any locations outside Russia any time soon. Neither would I as a non-Russian have GOST capabilities client-side, so what happens if I go and look at say a YandX website over HTTPS? Putin and his advisors aren't stupid, and they'd already have considered all this; plus, as you say, the timetable is clearly impossible; so there must be something else going on here. Of course, now there's fairly good evidence that there's some sort of backdoor in the GOST ciphers, all bets are off on how long it will be until they get broken in a very public manner. Cheers, Matthew
Description: OpenPGP digital signature