[Cryptography] FW: IAB Statement on Internet Confidentiality

John Denker jsd at av8n.com
Mon Nov 17 15:27:14 EST 2014

Thanks to RS for forwarding the IAB statement.

Then on 17/11/2014 04:54 am, alex at alten.org wrote in part:

>> 2. You can't just encrypt/authenticate without dealing with key
>> management


On 11/17/2014 02:00 AM, ianG disagreed, saying:

> The goal is unauthenticated encryption, first and foremost.

I vote with Alex on this one.

a) Obviously, unencrypted communication is like walking
 around in a bad neighborhood pushing a wheelbarrow full
 of cash.  You are going to get mugged.

b) Encryption without authentication is like putting a
 tarp over the wheelbarrow, with a big sign that says 
 "please do not passively eavesdrop on all this cash".

To repeat:

a) Obviously, the era is over when we can leave the IP
 networks and (!) the phone networks unprotected.

b) Evidently less obvious, and in need of emphasis:
 The era is *also* over when we can pretend that high-
 power active attacks are infeasible or even rare.

 Defending the Home Despot PoS terminals against the
 script-kiddie-with-a-laptop-in-the-parking-lot is
 nice, but nowhere near sufficient.

c) Furthermore, we must add traffic analysis to the
 list of things to worry about.  The IAB statement
 did not even hint at this.

 For example, traffic to https://firstlook.org/theintercept/
 is encrypted, but even a passive observer can tell
 what articles I've read, just by looking at the file

When the bad guys read "unauthenticated encryption, 
first and foremost" they start joyfully singing to 

  M-T-M all night,
  M-T-M all day,
  Traff'c analysis five miles long,
  Oh, de doo dah day.


Did you see the recent exposé in the WSJ about the
dirtbox aka DRT Box?  Here's a rehash:

I'm not surprised to hear that most of the population
is subject to more-or-less continual tracking.  Rather,
I was surprised that they bothered with aircraft and
dirtboxes rather than just vampiring the data out of
the phone companies.  Note the contrast:
 -- I can understand that a Stingray confers an
  advantage, namely pinpoint accuracy;
 -- but dirtboxes on aircraft?  Huh?

As a first guess, maybe they didn't want to risk 
the ever-so-slight chance that somebody at the 
phone company would notice that it's illegal and 
unconstitutional, and perhaps pull a Snowden on 
them.  I dunno, what am I missing here?

More information about the cryptography mailing list