On Fri, Mar 21, 2014 at 10:21:59PM +0000, Fred Baker (fred) wrote:
>
> Encrypting data in flight is a good thing. Encrypting data in flight
> end to end is a better thing. If you’re trying to encrypt it where
> “they” look at it, you need to think about encryption at
> rest. Reason? Per reports, that’s where they look at it. China broke
> into various companies’ computers, as did the NSA.

China has broken into systems to steal trade secrets, including
allegedly, fairly detailed copies of the F-35 Joint Strike Fighter.
But I'm not aware of any reports where China has broken into webmail
servers. They have hacked the login username/passwords of various
activists and used them to steal their e-mail, but that's a somewhat
different thing.

Similarly, I'm not aware of any published reports, including coming
from the Snowden revelations, which detailed NSA breaking into
servers. They are spying on unencrypted communication data servers,
and they have been impersonating servers at Facebook and Google,
thanks to the deplorable nature of our CA architecture and the
security of CA issuers, but that's a somewhat different thing.

Yes, some of these problems can be solved if the users do end-to-end
encryption using tools like GPG or S/MIME. However, the usability of
such systems is pretty horrible. Fixing this is fundamentally much
more of an implementation issue than a protocol issue, so it's not
clear to me how much the IETF can do to improve things in terms of
user controlled end-point encryption.

> I find this whole discussion minorly inane. Yes, encryption is a
> good thing, and yes, after however-many-years of talking about it,
> I’d like to see it done. The problem that brought this up, the
> Snowden reports, was that the NSA (and the EU) were accessing
> *metadata*.

When the NSA was impersonating Yahoo servers, to capture video from
web chats and impersonating Facebook and Google servers, the NSA was
capturing *data*, not just *metadata*.

It's important to remember that when the NSA says, "we're only
capturing metadata under the authorities <FOO>", remember that that
says absolutely nothing about what they might be doing under some
other authority that they might have. They are as slippery as a
crooked lawyer....

- Ted
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass