On 07/12/16 06:48, Kevin Oberman wrote:
> In case people are not aware of it, Russian law now requires ALL encrypted
> traffic must either be accessible by the FSB or that the private keys must
> be available to the FSB. I have always assumed that GOST has a hidden
> vulnerability/backdoor that the FSB is already using, but this makes it
> mandatory. Putin gave the FSB 2 weeks to implement the law, which is
> clearly impossible, but I suspect that there will be a huge effort to pick
> all low-hanging fruit. As a result, I suspect no one outside of Russia will
> touch GOST. (Not that they do now, either.) I'd hate to see its support
> required for any protocol except in Russia as someone will be silly enough
> to use it.

Agreed that it should be possible to use GOST crypto readily on FreeBSD,
but I dislike the idea of shipping with 'known vulnerable' ciphers
enabled by default.  It should take a positive act to enable them, given
the circumstances.  Whether that should entail installing something from
ports, or recompiling the system with specific settings in src.conf or
it could just be down to tweaking a config file somewhere I wouldn't
care to venture an opinion though.

I'm also curious as to how far these regulations are supposed to extend.
 Presumably traffic which is merely transiting Russian territory isn't
covered, at least in a practical sense.  How about people from Russia
accessing foreign websites?  I can't see any of the big Internet players
implementing GOST in any locations outside Russia any time soon.
Neither would I as a non-Russian have GOST capabilities client-side, so
what happens if I go and look at say a YandX website over HTTPS?  Putin
and his advisors aren't stupid, and they'd already have considered all
this; plus, as you say, the timetable is clearly impossible; so there
must be something else going on here.

Of course, now there's fairly good evidence that there's some sort of
backdoor in the GOST ciphers, all bets are off on how long it will be
until they get broken in a very public manner.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to