This blog post is licensed Creative Common Attribution Required v4.0.

Don't let the government break TLS

Official Construct Team Post
Ashley's avatar
  • 13 Jan, 2015
  • 529 words
  • ~2-4 mins
  • 1,444 visits
  • 0 favourites

I was very worried to read that the UK Prime Minister David Cameron is pushing for more Internet surveillance powers. In particular, some of his quotes are very concerning: "...are we going to allow a means of communications which it simply isn't possible to read... no, we must not."

The reason this is so dubious is modern Internet encryption - TLS (Transport Layer Security, formerly known as SSL) - provides a pretty good guarantee that nobody can read your communications other than your computer and the computer you are connected to. Disallowing communications which the government can't read implies severe measures against TLS: they would have to ban it, render it ineffective, or require software developers to deliberately add backdoors to circumvent the protection TLS provides. Either the government has no sensible technical advisors, or they are ignoring them, because the consequences of this would be appalling.

The most serious consequences would be for civil liberties. This would give the state all the capabilities it needs to track the political activities of its population. Discussion of political views, criticism of government, arrangements of protests and any other private communication will be available to the government. The Snowden leaks show us how the state is willing to harvest all the information it can get while misleading the public about their activities. They would have the power to identify individuals who could challenge the status quo, and probably have the ability to manipulate or cut off their activities. This can creep in under the guise of anti-terrorism powers. Creep has already happened: the UK government got powers to block websites hosting "indecent images", and the same capability has been rolled out to cover torrent websites, or even in some cases simply blocking entire websites by mistake (see List of websites blocked in the UK on Wikipedia). The direction this is going in and the technical competency of the policies seems highly questionable.

Further consequences would be destroying any trust on the Internet. If you buy something online, it's essential for your own security that your personal information and payment details are kept secret and only available to the service you are communicating with. TLS provides a pretty good guarantee of this. It's hard to see how breaking this trust won't weaken the security of the overall system. If online companies are required to reduce the security and trustworthiness of their services, how can the e-commerce industry work effectively?

With the IETF's view that pervasive monitoring is an attack, future technical developments on the web are likely to be aimed at preventing exactly what the government is trying to do. If the technology becomes even more effective, the government may try to make even more heavy-handed moves and cause even more damage to the web and the wider software and technology industries.

Terrorism must be stopped. There is no question about that. However we must not allow Internet security to be a casualty of terrorism. If we give up our civil liberties, trust in the Internet, and damage our own industries, are we still winning?

For another view on this, have read of Cory Doctorow's view on the dangers of this.


Get emailed when there are new posts!