The UK Government snooping bill will apparently “handle” HTTPS and encrypted communication protocols like Skype.

More clarification is clearly needed, but to me this is concerning and means one of the following:

  1. Nothing new, and this was just hand-waving: the bill already plans to record connection data, and HTTPS only encrypts the content of a request. The destination is still visible in the clear (the DNS lookup, the server's IP address, the server name sent in the TLS handshake and the certificate the server presents), so an observer can see that you visited https://foo.com, but not which pages you fetched there or what you sent.
  2. They have site/tool level back doors: more worrying is that the snoopers have muscled back doors into sites like Gmail and Facebook, and protocols such as Skype.

    Rumours about Skype back doors have circulated before, but have been denied. Skype’s own website states that all communication is encrypted and that no transport node on the network has access to the unencrypted data, but since the tool is proprietary it is impossible to independently verify this. In my view this damages the tool’s credibility as a way to conduct business communication securely.

  3. Compromised root certificates: most concerning would be if the snoops had strong-armed certificate authorities into issuing them certificates for other people’s domains, or into handing over the signing keys behind the root certificates every browser trusts. Either would let them perform a man-in-the-middle attack without the usual browser warnings. This is particularly alarming and puts our entire eCommerce and banking ecosystem at risk when those keys are inevitably left on a train.

Urgent clarification is needed, but to me this casts doubt on centrally issued certificate-based encryption and on proprietary protocols, for the time being at least.

Image “GCHQ” by James Stringer.

Thanks for visiting! If you found this helpful, you might be interested in knowing that I offer development and consultancy services, and am available to hire!

It is the second time in as many days that I’m having to log into things and change passwords because of some less-than-smart design decisions various web companies made when implementing their password databases (looking at you, LinkedIn and Last.fm).

While these companies have clearly made a dangerous snafu, let’s not be overly harsh on them. There but for the grace of god go all software developers. The real problem is passwords, and until we find something better, this kind of thing will keep happening.

Let’s look at it from a UX viewpoint as well as a security one for a moment, because the two are linked. People, myself included, are phenomenally bad at creating secure passwords and remembering them. Predictably enough, this results in the vast majority of users using one memorable (and therefore easily guessable) password for everything, and/or writing all their passwords down somewhere. Both are a bad idea from a security point of view, and both often elicit derisive snorts from security professionals clearly blessed with an eidetic memory.

Moving past Username and Password

Computers should adapt to humans, not the other way round. Isn’t it time we stopped trying to patch a clearly broken system and built something else?

This is of course much easier said than done, and the two current alternatives to username/password authentication, OpenID and OAuth, are not without their issues (OAuth is strictly an authorisation protocol that has been pressed into service for login, which is part of the problem).

OpenID is nice and decentralised, but the UX is just awful. Sign in with a URL? Try explaining that one over the phone to your mum.

OAuth has the benefit of being very easy for the user (one or two mouse clicks to log in), so long as you’ve got an account with a given site’s blessed identity broker (for all practical purposes Google, Facebook or Twitter). This model nudges towards a centralised identity model, which I find very uncomfortable.

This centralisation raises new issues of catastrophic single points of failure. Not only is the service a prime target for crackers, there is also a far more insidious and arguably more likely problem: what happens when the identity broker you use for your thousands of accounts goes out of business?

Not to mention, all three of the main identity brokers still fundamentally identify you with a username and password. Google and Facebook have added second-factor authentication to their accounts, but at the time of writing Twitter is yet to implement anything (so if you have a Twitter account and use it for authentication anywhere, make sure your password is really, really good).

So, what can we do to make this better?

Myself, I’d like to move to some sort of two-factor authentication (combining something you have with something you know), at least for really important accounts. More and more people have mobile phones, so something like the Google Authenticator model (a code generated on the phone from a shared secret and the current time) or an SMS code on sign-in from a new machine would be a start, with the phone-generated code being the stronger of the two, since SMS can be intercepted or redirected.
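The Google Authenticator model is simple enough to show end to end. The following is an added example, not code from the original post: it implements HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms that app and similar ones use, the server-side verification step with a small clock-skew window and constant-time comparison, and the otpauth:// enrolment URI the app's QR code encodes. The account name and issuer are made up for the example; the secret is the RFC 6238 reference secret so the results can be checked against the published test vectors, and a real deployment would generate it with os.urandom.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Added example, not code from the original post. HOTP/TOTP as used by
# Google Authenticator, plus the server-side check and enrolment URI.


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack("!I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter being the number of 30-second steps since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, candidate, at=None, step=30, digits=6, window=1):
    """Server-side check of a submitted code.

    Accepts the current time step and its neighbours (window) to tolerate
    phone clock drift, and compares in constant time so a timing side
    channel cannot leak how many leading digits were right.
    """
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + skew, digits), candidate):
            return True
    return False


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI for enrolment; this is what the QR code the app scans contains."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s" % (
        quote(issuer), quote(account), b32, quote(issuer))


# RFC 6238 reference secret (ASCII "12345678901234567890"), for checking against
# the published vectors. Real secrets come from os.urandom(20).
REFERENCE_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    # Hypothetical account and issuer, constructed for the example.
    print(provisioning_uri(REFERENCE_SECRET, "alice@example.com", "Example"))
    print(totp(REFERENCE_SECRET, at=59))            # RFC 6238 vector at T=59
    print(verify_totp(REFERENCE_SECRET, totp(REFERENCE_SECRET)))
```

Two things the code deliberately leaves to the deployment: a server should remember the last counter it accepted for each user and refuse to accept it again, otherwise a code seen over someone's shoulder is good for the rest of its window, and the shared secret has to be stored as carefully as a password hash would be, since anyone who reads it can generate the codes.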

Whatever we use, it needs to be decentralised, secure, and fundamentally easy for people to use, because if whatever fancy solution we come up with puts a barrier between the user and what they want to do, it will be useless. People will simply work out ways of circumventing the security in order to get things done, or not use the service at all.

Today, the most secure password-protected system you can ever build can be defeated by one forgetful user and a post-it note.

As you are probably aware, Nosy-parker in chief Theresa May wants to record all the internet activity and emails of everyone in the UK, just in case you do something the government thinks is wrong (or decides is wrong sometime later down the line should you become “Politically inconvenient”).

One wily UK citizen recently performed a very British act of defiance and, using the Freedom of Information Act, requested CCDP-like information for just one UK individual, namely Theresa May.

Since she is so keen on snooping on the rest of us, I’m sure she wouldn’t mind.

After a certain amount of back and forth the request was, unsurprisingly, denied. What I find interesting is that it was denied on cost grounds due to the breadth of the request. This raises the obvious question: if obtaining this information for one person is too costly to comply with a simple FOI request, and the request is by their own admission too broad, how on earth can they justify doing the same for ~65 million people?

As a government minister, much of the requested information would almost certainly be recorded anyway as a matter of course.

My suspicion, of course, is that this request was never going to be complied with; as always there is one rule for us and another for them, and cost was just a convenient excuse. In the words of Lance-Corporal Jones, “They don’t like it up ’em”.