Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA2013-09-06 09:31:35+1. I'd +10 if I could :-) One thing that would be helpful is to encourage the use of Diffie-Hellman everywhere. Even without certificates that can be trusted, we can eliminate the ability of casual, dragnet-style surveillance. Sure, an attacker can still do a MITM attack. But (a) people who are more clueful can do certificate pinning/verification, and (b) if the NSA is really putting data taps into tier 1 providers' high speed interconnects, they can only carry out MITM attacks on a bulk scale by placing racks and racks of servers, which will require significant amounts of cooling and power, in places that are much more likely where they would be noticed. It's no longer a data tap hidden away somewhere in a closet near a tier 1's NAP. For too long, I think, we've let the perfect be the enemy of the good. Using TLS with DH to secure SMTP connections is valuable even if it is subject to MITM attacks, and even if the NSA/FBI can hand a National Security Letter to the cloud provider. At least this way they will be forced to go the NSL route (and it will show up in whatever transparency reports that Google or Microsoft or Facebook are allowed to show to the public), or spend $$$ on huge racks of servers in public data centers, which maybe means less money to subvert standards setting activities. Although perfect security is ideal, increasing the cost of casual style dragnet surveillance is still a Good Thing. - Ted -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
0x8A39DC66.asc
signature.asc
|
|