The UK Government snooping bill will apparently “handle” HTTPS and encrypted communication protocols like Skype.

More clarification is clearly needed, but to me this is concerning and means one of the following:

  1. Nothing new, and this was just hand-waving: The bill already plans to monitor connection data, so even with HTTPS, which encrypts content, an observer can monitor requests at the domain level. The page request and any payload are encrypted, but the fact that you’re visiting a given site is not, meaning that an observer will be able to see that you visited https://foo.com, but not which pages therein.
  2. They have site/tool level back doors: More worrying is that the snoopers have muscled back doors into sites like Gmail and Facebook, and protocols such as Skype.

    Rumours about Skype back doors have previously been circulated, but have been denied. Skype’s own websites state that all communication is encrypted and that no transport node on the network has access to the unencrypted data, but since the tool is proprietary it is impossible to independently verify this. In my view this damages Skype’s credibility as a tool for conducting business communication securely.

  3. Compromised root certificates: Most concerning would be if the snoops had managed to strong-arm certificate providers into compromising the SSL root certificates, allowing them to perform a man-in-the-middle attack without the usual browser warnings. This is particularly alarming and puts our entire eCommerce and banking ecosystem at risk when these are inevitably left on a train.

Urgent clarification is needed, but to me this casts doubt on centrally issued, certificate-based encryption and on proprietary protocols, for the time being at least.

Image “GCHQ” by James Stringer.

One thought on “Snooping bill “Will handle” HTTPS”

  1. Hi Marcus and thanks for taking the trouble to make this website. It’s sad that the majority of the UK online public is apathetic about this. (This is Jack’s total lack of surprise – Chuck Palahniuk)

    When I started computing in 1997, the vast majority of computer users would have had awareness of how this is an insult to our dignity.

    I had to search for your website, since I am very concerned about the government’s increasing intrusion and violation of privacy. It’s a sad state of affairs that people in general lack this awareness. (like Hindu cows – Chuck Palahniuk) Should we issue the public with oxygen masks, particularly as this sort of intrusion totally stinks!

    Best regards,

    Martin
