back to article Internet Society tells G20 nations: The web must be fully encrypted

The Internet Society has called for the full encryption of the internet, decrying the fact that securing the digital world has increasingly become associated with restricting access to law enforcement. In a blog post aimed at the leaders of the G20 economies, ISOC CEO Kathryn Brown argues that the digital economy "will only …

  1. The_Idiot

    Cure...

    ... response from Ministers:

    "Yes, of course! We agree _entirely_! Well, and we know _you_ agree you'll only use that special encryption only _we_ can backdoor into. So we have a deal, yes? Oh, I suppose the other Ministers too. And our police. Well, and _their_ police. And our security services. Yes, and theirs. Unless it's an even numbered week - we don't like them on even numbered weeks. So you have to be able to turn _their_ backdoors off on even numbered weeks. So - we have a deal? What do you mean it's impossible? I thought we were having an adult conversation here!"

  2. a_yank_lurker Silver badge

    Remember your audience

    Mark Twain once observed that a flea is smarter than your local Congresscritter. I suspect the local equivalent of a Congresscritter is equally as stupid. They can not grasp either you have secure, encrypted communication for everyone or no one has it. The math is rather binary on that point. Given that basic arithmetic is beyond a Congresscritter's comprehension (you can forget about algebra and geometry) they will try to have both and wonder why it failed.

    1. Adam 52 Silver badge

      Re: Remember your audience

      "They can not grasp either you have secure, encrypted communication for everyone or no one has it. The math is rather binary on that point."

      Way back in the late 80s I worked in banks. Back then DES was export restricted and PGP didn't exist.

      We wanted encrypted comms, for obvious reasons. So I applied for a DES export licence. It was a long and complicated process but in the end I got one.

      So you *can* have legal secure and encrypted communication for *some* people and not everyone. The maths says nothing about legality.

      Nowadays things are different, source code to many algorithms is widely published, but that wouldn't stop a government introducing a licencing system for encryption if it wanted to. Licences issued to Google, Snapchat et al. on the condition that they open comms on production of a warrant. You can't uninvent the white van either, but you can regulate courier services (as Uber are discovering). Before you all start ranting, I don't think they should, but they could.

      All this talk about "you can't change the maths" could equally be applied to firearms - you can't change the basic physics either but that doesn't stop governments restricting their availability. Any idiot with a lathe can make a bad gun, just as any programmer with a compiler can make a bad encryption app.

  3. allthecoolshortnamesweretaken
    Coat

    "... Politicians and law enforcement called for a backdoor (or even a frontdoor) to the latest encryption efforts ..."

    Me, I'm waiting for someone to suggest a locked side door as a compromise.

    But seriously, getting the message across that bad (= no or "backdoored") encryption is bad for business is our only chance... which is a little bit sad in itself.

    (Mine's the one with the cereal-box decoder ring in the pocket.)

  4. John Smith 19 Gold badge
    Unhappy

    Politicians. Stuff can be misused. The good outweighs the harm. Stop trying to ban stuff.

    Because cars, lorries, mail, guns, sugar, fertilizer and of course the internet and encryption all count as "stuff."

    Only stupid, populist politicians who want to "look" (rather than be) tough on crime can be anywhere close to actually believing this BS.

  5. Infernoz Bronze badge
    Happy

    About f'ing time encryption was pushed as compulsory on the internet!

    TLS, or other hard encrypted data tunnel, for ALL traffic on the internet.

    Ban all unencrypted traffic, like HTTP or FTP, which are both vulnerable to monitoring and MitM modification, both ways; this is astonishingly stupid for all login (credentials sniffing) and logged-in user sessions (hijack-able)!

    Also add anti-MitM techology into TLS to detect all attempts to add a imposter cert HTTPS to HTTP to genuine cert HTTPS device between the client and server, kill the connection and error.

    1. Doctor Syntax Silver badge

      Re: About f'ing time encryption was pushed as compulsory on the internet!

      Between them it's up to the Internet Society and IETF to push it; introduce encrypted protocols and then deprecate the old ones. After all, they set they standards. Clearly they do need to make public presentation of the case but they need to do more than talk; fait accompli can be difficult to argue with.

    2. Alister Silver badge

      Re: About f'ing time encryption was pushed as compulsory on the internet!

      Ban all unencrypted traffic, like HTTP or FTP, which are both vulnerable to monitoring and MitM modification

      This is nearly as bad as the government's "Ban Encryption" stance. There's no need to ban HTTP or FTP, they are both perfectly good protocols for certain requirements. The problem comes with inappropriate use - for instance HTTP for passing credentials.

      And frankly, the use of MITM by criminal elements is wildly exaggerated, it is most unlikely that some "hacker" has managed to get in the middle of anybody's browsing session or FTP connection. Most leaked credentials come from malware on the host, or by compromising a database on a server.

      For MITM it is far more likely that your local friendly government, your ISP, or even the company you work for are the culprit (using a web proxy is increasingly common in the workplace).

      1. streaky
        Black Helicopters

        Re: About f'ing time encryption was pushed as compulsory on the internet!

        they are both perfectly good protocols for certain requirements

        No technical reason for any protocol to exist that transmits data in the clear. It's not really a question of should it be crypted it's why shouldn't it be. There's no technical reason to not do that.

        Also FWIW it's a standards track issue not a policy one. Just because a protocol or usage of a protocol looks unimportant or like it doesn't matter if it's transmitted in the clear doesn't mean it won't some day no longer be the case or in the right hands provide useful information to attackers. Hell, look at the sordid history of DNS for proof.

        The internet is broken and crypto of all protocols - all the time - is how we fix it. If nothing else it'll make pervasive mass surveillance a pointless exercise in futility - it is already but it should stop governments getting ideas above their station.

    3. Snake Silver badge

      Re: About f'ing time encryption was pushed as compulsory on the internet!

      I said the same, on this very forum, a few years ago (I will be happy to link)...and was downvoted. Hard.

      The basic protocol is "broken" by not being encrypted by default, requiring each node to implement encrypting itself if needed. This was, and is, a disaster waiting to happen, dependent upon each instance to get the job done, get it done correctly and trust the chain.

      HTTPS across the entire internet, all communications, all devices, everywhere for everything. Period. From IoT to email to messaging, it will end up the only way to guarantee any form of both privacy and transactional security.

      I wasn't believed then...but as basic trust falls apart, people will be forced to learn: "Only the paranoid survive"

      1. streaky

        Re: About f'ing time encryption was pushed as compulsory on the internet!

        Probably something to do with the education system being f**ked. On a technical level and on a general internet (and non-internet FWIW) engineering policy level there's no reason any of this should be a problem.

        I don't know why anybody would have a problem with that who doesn't work for the NSA or organised crime - if there's an excuse I'd love to hear it.

  6. EnviableOne Silver badge

    The problem we have is the representatives we have are carrer politicians and no longer understand the people they are supposed to be representing.

    Even the most savy of them don't have a clue about how encryption works, and most put party politics before people.

    So those at the top dont have a clue, and set the party line

    Those that have half a clue are not listened to (as they are not true party)

    hence we have the blind leading the blinder, and we end up with the ineffective houses we have now.

    What we need is to get away from the system that has become an Effective Oligarchy and either use the technology and form a proper democracy or go back to true representative democracy we were meant to have.

    If we had a more accountable and in-touch government, they would be far more effective. People would be briefed on both sides of an argument and more reasined decisions would be reached, for the people by the people

  7. Spanners Silver badge
    Flame

    Cure the ignorance?

    We need politicians to pass some sort of test on something before they are allowed to regulate it. The same goes for civil "servants", quangos and council officers.

    Recently, here and across the pond, ignorance has been seen as a positive feature. "We don't need experts" was not quite the words but this sentiment is all around us.. Of "£$%^&* course we need experts! They are the people who have something meaningful to say on the subject. They are the ones providing the advice we should listen to.

    If a politician who last did maths or science at the age of 16 starts to tell us how to "do computers", their input needs the *heeded* advice of people who know about it. In the same way, if a politician is keen on homeopathy, why on earth would they bu put in charge of the NHS? We can not tell them how to deal with their magic water, imaginary hackers or rich banker chums.

    Maybe we need politicians who are not just arts graduates.

    1. Tikimon
      Facepalm

      Re: Cure the ignorance?

      It's a two-edged blade. The so-called "experts" usually end up being Googlebots and Faceborgs, who co-opt the process to favor themselves. In this sense, ignoring the "experts" is a very good idea.

      The trick is finding experts who know the subject and its implications well, but are reasonably objective and don't twist the facts in self-serving ways. Good luck with that!

  8. Tikimon
    Devil

    Thwart law enforcement, PLEASE!

    I say this because our so called "law enforcement" types callously break any law they see as an impediment to their ambitions. THEY are the criminals, and have not the slightest guilt or shame. From the city to the national level, cops have stomped our rights flat for years and done their best to hide it. When caught, they basically say "what you gonna do about it?" and carry on with nothing changed. God bless Ed Snowden, but we haven't beaten back a single illegal spying regime since his revelations. Our so-called "free countries" have surveillance regimes that the Stasi could only have dreamed of.

    I don't worry about terrorists. I worry about our governments.

  9. Anonymous Coward
    Anonymous Coward

    I don't want my internet encrypted...

    What if I forget the passphrase and have to re-format and start again from scratch?

    1. Robert Moore
      Joke

      Re: I don't want my internet encrypted...

      Just use: P@55w0rd for everything, like I do.

  10. cpu_necromancer

    I agree.. No, really I do but..

    Full protocol encryption will slow down attackers that's technically true, but that wont save you from hardware or software level backdoor's which unfortunately have become prevalent in teenage hacking communities, let alone in the hands of the CIA, kid's today, tusk!

    I doubt there are any out there that haven't already downloaded the wiki-leaks vault 7 files and we've all heard about the "ME" engine, an exploit said to be waiting to crack like an egg when someone discovers how to access the hidden ARC CPU inside your intel (iCore).

    Everytime I hear Tim Cook speaking on behalf of apple, I smile and reflect that apple still provides proprietary backdoor access to most of it's devices by leaving the SSH Password as: alpine and leave's most of it's iOS end users with no way to change it, unless they "Jail-Break!" there device.

  11. cpu_necromancer

    Re: I don't want my internet encrypted...

    I do...

    Because encryption is essential and they've tried rather stupidly to put a back-door into there own distributed computing standards and then followed that up with weakening there own security with hardware level back-doors inside the CPU and by trying to make the method's obscure and ending up with them plastered every-where, displaying the true "script-kiddie" america for the world to see, the unsuccessful story of patent wars and endless litigation and arguments whilst deploying "green" doors and NIS Interceptors everywhere and building tailored back-doors into platforms like OpenBSD & Linux!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020