
Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 09:31:35
+1. I'd +10 if I could :-)

One thing that would be helpful is to encourage the use of
Diffie-Hellman everywhere.  Even without certificates that can be
trusted, we can eliminate the ability of casual, dragnet-style
surveillance.  Sure, an attacker can still do a MITM attack.  But (a)
people who are more clueful can do certificate pinning/verification,
and (b) if the NSA is really putting data taps into tier 1 providers'
high speed interconnects, they can only carry out MITM attacks on a
bulk scale by placing racks and racks of servers, which will require
significant amounts of cooling and power, in places where they are much
more likely to be noticed.  It's no longer a data tap hidden
away somewhere in a closet near a tier 1's NAP.

For too long, I think, we've let the perfect be the enemy of the good.
Using TLS with DH to secure SMTP connections is valuable even if it is
subject to MITM attacks, and even if the NSA/FBI can hand a National
Security Letter to the cloud provider.  At least this way they will be
forced to go the NSL route (and it will show up in whatever
transparency reports that Google or Microsoft or Facebook are allowed
to show to the public), or spend $$$ on huge racks of servers in
public data centers, which maybe means less money to subvert standards
setting activities.

Although perfect security is ideal, increasing the cost of casual-style
dragnet surveillance is still a Good Thing.

                                              - Ted



-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

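The argument in the message above (a Diffie-Hellman exchange gives a passive tap nothing usable, so an attacker has to go active and substitute public values, which a client that pins the peer's key can notice) can be shown in a few dozen lines. The following is an added illustration written for this archive page, not code from the thread or from any IETF document. It assumes a toy 127-bit group (the Mersenne prime 2^127 - 1 with generator 3, constructed here for readability and not a real TLS group), a static DH key for Bob standing in for the long-term key a client would pin, and a simplified model in which Alice has learned Bob's key fingerprint out of band. `run_exchange` is a hypothetical helper that simulates one handshake as seen by both endpoints and by an on-path tap.

```python
import hashlib
import secrets

# Toy group, constructed for this illustration only: p is the Mersenne
# prime 2^127 - 1 and g = 3.  A real deployment would use an RFC 3526/7919
# finite-field group or elliptic-curve DH; the arithmetic is the same.
P = (1 << 127) - 1
G = 3


def dh_keypair(p=P, g=G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 2          # 2 <= x <= p - 1
    return x, pow(g, x, p)


def dh_shared(peer_pub, priv, p=P):
    """Shared secret: peer_pub^priv mod p (equal on both sides if unmodified)."""
    return pow(peer_pub, priv, p)


def fingerprint(pub):
    """Short hash of a public value, the kind of thing a pinning client stores."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


# Bob's long-term (static) DH key, standing in for the key a client would
# pin.  Alice is assumed to have learned its fingerprint out of band.
BOB_STATIC_PRIV, BOB_STATIC_PUB = dh_keypair()
BOB_PIN = fingerprint(BOB_STATIC_PUB)


def run_exchange(mitm=False):
    """Simulate one DH handshake between Alice and Bob with an on-path tap.

    mitm=False: the tap only records what crosses the wire.
    mitm=True:  the tap actively substitutes its own public values.
    Returns what each party ends up with.
    """
    a_priv, a_pub = dh_keypair()              # Alice: fresh key per connection
    wire = []                                 # everything the tap records
    attacker_secrets = None

    if not mitm:
        wire += [a_pub, BOB_STATIC_PUB]
        pub_seen_by_alice = BOB_STATIC_PUB
        pub_seen_by_bob = a_pub
    else:
        # Active attacker: one key pair facing Alice, one facing Bob.
        m_to_alice_priv, m_to_alice_pub = dh_keypair()
        m_to_bob_priv, m_to_bob_pub = dh_keypair()
        wire += [a_pub, BOB_STATIC_PUB, m_to_alice_pub, m_to_bob_pub]
        pub_seen_by_alice = m_to_alice_pub    # Alice believes this is Bob's
        pub_seen_by_bob = m_to_bob_pub        # Bob believes this is Alice's
        # The attacker can complete both half-exchanges and relay traffic.
        attacker_secrets = (dh_shared(a_pub, m_to_alice_priv),
                            dh_shared(BOB_STATIC_PUB, m_to_bob_priv))

    alice_secret = dh_shared(pub_seen_by_alice, a_priv)
    bob_secret = dh_shared(pub_seen_by_bob, BOB_STATIC_PRIV)

    return {
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        # A pinning client rejects the connection when this is False.
        "pin_ok": fingerprint(pub_seen_by_alice) == BOB_PIN,
        # A purely passive tap holds only public values and no private
        # exponent, so it has nothing it can turn into either secret.
        "wire": wire,
        "attacker_secrets": attacker_secrets,
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = run_exchange(mitm=mode)
        print("mitm" if mode else "passive tap",
              "| endpoints agree:", r["alice_secret"] == r["bob_secret"],
              "| pin check passed:", r["pin_ok"],
              "| attacker derived both secrets:", r["attacker_secrets"] is not None)
```

Run it twice and the two lines summarise the message's point: with only a passive tap the endpoints agree on a secret that never appeared on the wire; with an active substitution the attacker does hold both secrets, but the endpoints no longer agree and Alice's pin check fails, which is the detection opportunity the message attributes to "more clueful" clients. The pin here is on Bob's static DH value purely to keep the model small; in TLS the pinned object is the certificate or its public key, and the DH values are ephemeral.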