GCHQoogle: so much for "Don't be evil"

Given what we now know about the mass surveillance of, and attacks on the infrastructure of, the internet conducted by Britain’s GCHQ and America’s NSA (as well as their Chinese, Russian, German, etc. counterparts), and given that we now know, for a fact, that almost every byte of non-encrypted traffic is recorded and analysed, shouldn’t we now make a concerted effort to finally deprecate vanilla HTTP in favour of HTTP over TLS (HTTPS)?

When you use HTTP, it is a trivial matter for an attacker to see the content of the pages you visit, when, and how often you visit them. When using HTTP, there is also no guarantee that the content of the page hasn’t been modified without your knowledge, exposing you to all kinds of attacks.

Encryption, by and large, removes these problems, as well as massively increasing the cost of mass surveillance. Is it not time for all of us, as well as standards organisations like the IETF, to push to make HTTPS the default? Even during my time I’ve seen insecure protocols like telnet and FTP go from widespread use to being almost completely replaced by secure alternatives (ssh and scp), so could we not do the same with HTTP?

Certificate authorities

Ok, there is one big difference between HTTPS and ssh (ok, many, many, but one I care about here), and that is that HTTPS relies on certificate authorities. These are necessary in order to distribute trust, so that browsers can know to automatically accept a certificate and verify that the server they are connecting to is who it says it is.

This is much nicer for the average user than, say, manually verifying the server’s fingerprint (as you have to do with SSH), but comes with some pretty serious problems if we were to make it default:

  • Every site owner would have to get a certificate, and these can only be obtained from a certificate authority if you don’t want browsers to pop up a big red warning, meaning we further bake these guys into the Internet’s DNA.
  • Certificate authorities can be directly pressured by governments, so a government attacker could MITM you on a secure connection and present you with a certificate that your browser accepts as valid, and so will give you no warning (of course, this is much more costly than the blanket mass surveillance that is currently going on).
  • Getting a certificate either costs money and/or has restrictions placed on its use (for example, no commercial use, in the case of StartCom). This is really bad, since it essentially requires permission from a third party to launch a site.

It is this last point that causes me most concern, since it essentially provides an easy way of suppressing minority views.

Imagine that we lived in a world where HTTP had been deprecated, and browsers no longer supported unencrypted HTTP, or could, but you had to request it specifically (essentially the reverse of what we currently have). Suppose you wanted to launch a site that expressed a minority view – perhaps you were critical of your government, or you wanted to leak some information about crimes being committed. Is it not conceivable that you could have trouble obtaining a certificate, given that certificate authorities are companies that worry about their bottom line, and are a convenient point for the bad guys to apply pressure?

If you couldn’t get a certificate in this environment, it could dramatically reduce the audience that would see your site.

So, perhaps before we move to deprecate HTTP, we must first find a better way than certificate authorities to distribute trust? How could we accomplish this? Perhaps we could take advantage of the fact that most people’s browsers automatically update, and so we could distribute browsers with the expected certificates for sites hard-coded into them (giving the added advantage that we could pin certificates)?
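As an added illustration of the pinning idea above (example code written for this page, not from the original post): a client that ships with a set of expected key pins checks the hash of the certificate’s SubjectPublicKeyInfo rather than trusting whichever CA signed it, so a certificate for the same name issued by a pressured CA around a different key fails the check even though a CA-based browser would accept it. The DER helpers, the toy certificate builder and the names in it are constructed stand-ins; only the two OIDs and the RFC 7469 pin format are real.

```python
import base64
import hashlib

def der(tag, content):  # encode one DER TLV, short- or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_read(buf, pos):  # -> (tag, content, end) for the TLV that starts at buf[pos]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the length-byte count
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = der_read(cert_der, 0)  # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs, _ = der_read(cert, 0)       # tbsCertificate ::= SEQUENCE {...}
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = der_read(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    # tbs order: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def spki_pin(cert_der):
    """Pin as in RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned):  # only a key the client shipped with; the signing CA is irrelevant
    return spki_pin(cert_der) in pinned

def toy_spki(key):  # constructed SubjectPublicKeyInfo: rsaEncryption OID + NULL, raw key bits
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key))

def toy_cert(spki, issuer):
    """Constructed stand-in for a CA-issued cert: real field order, fake signature."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg  # version, serial, alg
              + der(0x30, der(0x0C, issuer)) + der(0x30, b"")                     # issuer, validity
              + der(0x30, der(0x0C, b"example.test")) + spki)                      # subject, SPKI
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xAA" * 8))

if __name__ == "__main__":  # pin shipped with the browser vs. a cert from a pressured CA
    pins = {spki_pin(toy_cert(toy_spki(b"site-key" * 32), b"Honest CA"))}
    print(pin_matches(toy_cert(toy_spki(b"mitm-key" * 32), b"Pressured CA"), pins))  # False
```

The same site key re-issued by any other CA still matches the pin, which is exactly what makes the approach independent of which authority a government can lean on.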

Anyway, it’s complicated, and I’m thinking aloud here… what are your thoughts?

Today is The day we fight back.

“The day we fight back” is an international day of activism, held on the anniversary of Aaron Swartz’s death. Swartz was an American computer programmer, writer and political activist who was driven to suicide by bullying from the US government, after he attempted to make public a number of scientific journals (the copyright wars now have a body count; read more, it’s horrific).

On this day we commemorate Swartz’s death by holding an international day of protest against the illegal mass surveillance programs, conducted by the NSA and GCHQ (as well as others), that are used to invade the private lives of everyone on the planet, as revealed by whistleblower Edward Snowden.

The NSA and GCHQ, among other things, have attempted to subvert the technologies that we all use – to keep our medical records safe, to communicate in private about sensitive matters, to shop and bank securely online. In short, they have conspired (and succeeded) in making the internet a less safe place for you and your family, so it is fitting that today is also Safer Internet Day.

So, today, do something to make the Internet a safe place for you and your family to work and play. Fight back.

So, we’re on the cusp of 2014, and I was going to write a yearly review of some of the things I’ve done, places I’ve been, etc. I might do that later, but right now I thought I’d draw your attention to this absolutely terrifying talk on the scope of the NSA and GCHQ’s surveillance and information warfare capability, by Jacob Appelbaum.

It’s fairly long, and somewhat technical, but in short, every paranoid fantasy that we in the IT security world have had, appears to be true, and it gets much much worse…

Militarisation of the Internet

The full capabilities of what has been deployed, in the wild, against ordinary citizens is still coming to light, but here are some highlights, in no particular order:

  • Computer hardware and components have been compromised en masse, including wireless cards, hard drive firmware, Ethernet cables (!!)
  • Your ADSL router can be used to spy on you (natch), but also to perform attacks on those geographically near you, and routinely is.
  • Practically every piece of communication infrastructure has been subverted, which can put lives at risk (for example, the box they use to pretend to be a cell tower and record activity while, say, spying on the Ecuadorian embassy or flying over a city in a drone, doesn’t appear to route 999/112/911 calls).
  • Ordering hardware over the internet? There’s a good chance it has been intercepted and bugged without your knowledge.

The list goes on, seriously, watch the video…

Yes, you are owned

So, some of the capability discussed doesn’t fall under “mass surveillance”. Flying a drone over your house, intercepting your mail, or giving you cancer so that they can read what’s on your computer screen (and you were worried about the backscatter X-ray at the airport) doesn’t scale. These techniques would likely only be deployed against people of interest – security researchers, journalists, democracy advocates, Muslims, etc. – and then only if they couldn’t get you another way.

Of course, they almost certainly already have you.

The back doors placed in the computer hardware and software products that every one of us owns need only be switched on, and then they can record your entire life (and keep it for 15 years). Even if you believe that the NSA/GCHQ will never abuse this capability, by accident or design, the documentation presented proves that some of these back doors have been discovered and exploited independently. It is therefore the height of naivety (and I’d go so far as to say it’s criminal negligence) to assume that foreign governments, criminals or terrorist organisations won’t be able to use the same exploits to similar effect.

I’m scared, what can I do?

Not a lot at the moment, but the first step to finding a solution is admitting you have a problem.

The fact that many of these exploits could not have been created without the criminal complicity of various US companies is worth noting (it would be good to have a full list), and if you’re in charge of purchasing decisions, it might be worth boycotting these companies. Few things will effect change faster than the market punishing this kind of collaboration.

It’s clear that proprietary software and hardware are a major problem, especially in networking equipment, so the importance of projects like the open router project cannot be overstressed. You may also like to consider the surveillance capability of any new hardware you buy, and perhaps you might want to leave your cell phone at home or not buy that internet-connected TV?

I also think that detection of these attacks needs to be looked at more closely, and developing new forensic tools for widespread use should be a priority, since raising the risk of detection has a herd immunity/deterrence effect. I think that the fact that the bad guys seem to love RC6-encrypted UDP is interesting, and it is something that we can start actively looking for, reporting anything suspicious.

Remember, a secure internet secures everybody, and we as technologists have a moral obligation to do everything we can. This means developing tools and technologies to protect people, and helping our less technical friends and family to use them to protect themselves, and it means building countermeasures against these sorts of attacks into the architectures and platforms we build.

It also means not collaborating with organisations that seek to attack our freedom, saying no to that NSA/GCHQ recruiter, and it means blowing the whistle when you see abuses taking place.

Be safe out there.