On Dec 4, 2013, at 3:29 PM, Bruce Perens <[email protected]> wrote:
> Every society chooses its balance between freedom and enforcement. Ours isn't
> the right balance today, agreed. But the proposals I see here are the hacker
> approach - we're not patient to deal with this as a political problem, so
> we'll change everyone's web browser.

I think you're missing the point. The point is not that the NSA can surveil you. The point is that _anyone_ can. The NSA is just who most publicly did it recently. We know of a number of really successful attacks that have actually been done, in the real world, by law enforcement organizations, but that could be done as easily by a criminal organization. The lesson here is not "okay, so let's stop law enforcement from eavesdropping." It is "holy shit, we are really vulnerable."

As to the question of encryption generally, nobody questions (I hope) that we want our transactions with banks to be secure. I think it's generally accepted that what videos we watch is private (there's a federal law in the U.S. making it illegal for video stores to give out that information). The Supreme Court recently decided that the FBI couldn't put a GPS tracker on your car without a warrant. So at least in the U.S., we are not navigating uncharted waters. Yes, we have a problem with LEO spying. But as a country, we do recognize the need for at least some communication to be confidential. And this is not a legal understanding that is unique to the U.S. Canadian appellate courts have held similarly, for example.

So whether you think LEO spying is a good idea or not, there is clearly a problem here with the protocols that we have deployed on the internet. They make it too easy for _anybody_ to eavesdrop, and to use the information they acquire whilst eavesdropping in really nefarious ways (e.g. the watering hole attack someone referred to recently). And it is entirely appropriate for the IETF to think very seriously about how to make these protocols more secure.
