General

Why You Should be Very Scared of Snoopers’ Charter

By Tim Hardy

Channel 4 news have revealed tonight more details of government plans to read all of your internet traffic.

The Home Office has held meetings with the UK’s largest ISPs and mobile network operators, and has given them information about the hardware which companies will have to use to monitor traffic flowing through their systems.

When an individual uses a webmail service such as Gmail, for example, the entire webpage is encrypted before it is sent. This makes it impossible for ISPs to distinguish the content of the message. Under the Home Office proposals, once the Gmail is sent, the ISPs would have to route the data via a government-approved “black box” which will decrypt the message, separate the content from the “header data”, and pass the latter back to the ISP for storage.

The report contains no information about how this “black box” works so the following is an assumption.

This is quite technical but it’s important to understand so I’ll try to keep it as simple as possible.

Here is what gets sent across the internet when I type “I have an embarrassing medical condition” into google.

wireshark capture of google search I have an embarrassing medical condition

If I was doing this at work or in a web cafe, anyone with the right skills could read what I’d typed.

Most modern web browsers change the colour of part of the title bar to green to let you know when you’re visiting a secure site. I’m writing this post using a “https:” connection which you can see at the start of the address bar.

browser showing https

Notice the colour. Notice too the padlock icon.

When I was researching my medical condition above, I visited http://www.google.co.uk. If I had visited https://www.google.co.uk instead, no one would have been able to snoop on my web traffic. The text “I have an embarrassing medical condition” would have been turned into a garbled string of characters, a code that would take them hundreds of years to break. The “s” after “http” stands for secure (it actually stands for “over Secure Socket Layer” but the important word here is “secure”).

Turning my search string into a coded message that cannot be read by eavesdroppers involves some clever mathematics using prime numbers explained in the brief video below.

Anyone can generate a public keys that can be used to encrypt traffic. But how do you know that the person or organisation is who they claim to be when you visit their site?

Let’s have a look at an example. When you try and browse Indymedia using https you receive a warning:

Warning that certificate is unsigned

If you accept the warning and select “Proceed anyway” the browser warns that the https connection is not trusted by using the colour red, a bar through the word and a cross through the padlock.

No one has validated this certificate. You are making an explicit choice to trust them.

If I click on the green beyondclicktivism.com padlock in my browser, however, I can see that the identity of the website has been verified by a Certification Authority. This is why I don’t get the warning I get with Indymedia. The information explains who issued the certificate and who it belongs to (there’s also some extra information about the security of the connection.)

Certificate for beyondclicktivism.com

Certification authorities belong to a web of trust, a group of bodies who validate each other. They issue public key certificates like the one from Go Daddy Secure Certification Authority above. These are electronic files that bind a public key with the name of a person or an organization and can be used to verify that a public key belongs to that individual.

Public key Infrastructure image

Principle of a public key infrastructure. Rough outline: A user applies for a certificate with his public key at a registration authority (RA). The latter confirms the user’s identity to the certification authority (CA) which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. His identity is then checked by the contracting party with a validation authority (VA) which again receives information about issued certificates by the certification authority.

(Image via Wikimedia.)

If you haven’t followed all the details above, it doesn’t matter. All you need to understand for now is that there are certificates issued by authorities that identify gmail, for example, as belonging to google so when you go to a website that claims to be gmail you can be sure that it is what it says it is.

Such certificates could in theory be abused however. In February this year, Certificate Authority Trustwave was forced to revoke a certificate that allowed one of its clients to spy on employee’s private email:

Certificate Authority Trustwave has revoked a digital certificate that allowed one of its clients to issue valid certificates for any server, thereby allowing one of its customers to intercept their employees’ private email communication.

The skeleton-key CA certificate was supplied in a tamper-proof hardware security module (HSM) designed to be used within a data loss prevention (DLP) system. DLP systems are designed to block the accidental or deliberate leaking of company secrets or confidential information.

Using the system, a user’s browser or email client would be fooled into thinking it was talking over a secure encrypted link to Gmail, Skype or Hotmail. In reality it was talking to a server on the firm’s premises that tapped into communications before relaying them to the genuine server. The DLP system needed to be able to issue different digital certificates from different services on the fly to pull off this approach, which amounts to a man-in-the-middle attack.

The same principle approach might be used in government monitoring activities, such as spying on its own citizens using web services such as Gmail and Skype. Evidence suggests that digital certificates issued by Netherlands-based firm DigiNotar last year were used in this way to eavesdrop on the webmail communications of Iran users last year, although no firm state-sponsored connection has been established.

The only way that these black boxes could work would be if the UK government were creating fake certificates like this with the collusion of a Certification Authority. This wouldn’t be a company spying on its staff, it would be a government spying on every email, every post, every tweet, every message, every query, every electricity bill paid or balance transfer arranged by its citizens. And the padlock in your browser would stay green.

If the government are planning on forging certificates then using tor or a VPN is not going to protect either you so those who’ve read a little bit about this and think they’ll be safe – think again. When I wrote Online Idiocy Kills warning of potential dangers when using tor, I assumed https was secure. News of the Home Office black boxes show that this is no longer the case.

Before the election, the Conservatives and Liberal Democrats both agreed they wanted to roll back Labour’s authoritarian state. They lied. This surveillance system has  no place in a democratic society. This legislation must be thrown out along with the totalitarian minded ministers who are trying to push it through. This is one step too far towards a police state that we must urgently reject.

Standard

12 thoughts on “Why You Should be Very Scared of Snoopers’ Charter

  1. Sam Barnett-Cormack says:

    So, either they’re doing what you describe (spoofing everything), or the Government have magic boxes that can factor products of large primes without breaking a sweat…

  2. John says:

    The whole cert hierarchy of trust mechanism was never designed to be used on a global mass scale and was a quickly thought out mechanism tacked on last minute. There have been so many holes appear as it grew over the years, leaks, abuses that pretty much most internet security based on certs is now forgeable/readable by anyone with a few quid for black market or power to intervene with force and hand out gag orders. With money or power you can get around it.

    If browser manufacturers removed all the actually ‘untrusted’ certs from the tree then almost all ‘secure’ sites would break and consumers would wonder what the hell is going on. They don’t want to admit the ‘trust’ tree thing is basically untrustworthy and unworkable when done on a worldwide scale.

    Its not a problem with encryption itself (some have been shown to be much weaker than others though and should be avoided from now on though and many companies haven’t switched to ensure forward secrecy etc). Its a problem with the concept of a trusted authority. There is no such thing in the long run. All ‘authority’ can be subverted if you throw enough resources at it because it is a human problem.

  3. John says:

    You can actually say that easier like this..

    ‘Trusted authority’ in the certificate sense is basically a broken mechanism so should not be trusted. The technical reality is that the only authority that could be really be trusted to sign something is yourself, so it makes the whole authority thing pointless.

    Certificate authorities are basically marketing hogwash, not a technical reality. That has been the case for a while. Companies like to pretend otherwise because it makes people feel good. Its just security theatre, not actual security.

  4. Extremely well written. Most people will hear the gov’t spin about protecting them from terrorists and kiddy fiddlers and think because they’ve nothing to hide, this must be a good thing. That’s the clever clogs propaganda machine of Cameron’s goons in action.

    Cameras on the high street, is a different issue. The street is a public place where good and pad things happen in public and the use of cameras is therefore not an invasion of privacy or the rights of individuals.

    The “ability” to read any message sent by e mail or web URL accessed from within people’s homes or from offices IS an invasion of privacy.

    How would it go down with the public if this proposal included the routine opening of the Royal Mail to protect us from suspicious packages, dirty magazines and terrorist plans ? The Queen’s mail is for now at least inviolate.

    The passing of this act will be just the beginning, the collar on the dog, with the leash to follow. Give it a thought before you accept the government is looking to protect you.

    Do the police etc really need that much help in the fight against the forces of evil being peddled by the Home Secretary ?

    • John says:

      If they ask google, they will hand it over if justified but google also has a good transparency policy to show stats of requests received, accepted denied etc to the public. The requests have been skyrocketing over recent times.

      They can also do it ‘on the sly’ without already asking by exploiting known security loopholes but this is a lot of work, so only worth it for serious cases and by high level staff.

      Basically, they can do all this stuff already but it is a bit of hassle and involves being a bit transparent which they don’t like.

      The snooping agenda seems to be driven mostly towards making it easier for more staff (and not so high level which is worrying) to have more access and much less transparent to the public. That is the scary part, the idea of giving a greater number of low level staff access without decent oversight and less outward transparency is a recipe for some bad abuses eventually. Its a slippery slope down.

      • The Google requests you talk of seeing I believe were requests from governments and LEAs to take down YouTube videos. I haven’t seen any statistics from Google relating to the amount of personal e-mail handed over to LEAs. Google hands that stuff over without any argument if there’s a request within whatever principles agreed on. Sometimes it requires a court order, sometimes just a letter from an LEA. You can read the Google “lawful spying guide” on Cryptome’s website. http://cryptome.org/isp-spy/online-spying.htm The article above talks of a future where LEAs are back-doored into all electronic communications. My guess this is already the existing situation in most countries already, no matter what ISPs and governments claim.

    • If it was one email – yes. But it’s not. It’s every email every single person sends and not just via gmail but via every single email provider – and not just email, but every single item of web traffic sent over https. There is no way this can be done without breaking the encryption (whether the mechanism I suggest above is how they’ll do it or not is a moot point: this is my best guess as to how it would be possible).

      • John says:

        The encryption for most ‘trusted’ sites in the current world is easy to decrypt and do a man in the middle attack. The SSL ‘trusted autorities’ mechanism was invented a long time ago when the web was small and never designed to scale. The original idea was that the ‘trusted’ authority was some organisation you knew and could actually investigate yourself. It fits the intranet idea better with say a small group of coworking companies. It has a big design flaw for something like a global internet.

        The weakness of ‘trusted’ certs is that it is based of trusting humans. The bigger the chain of trust the greater the chance of compromise as only one actor within needs to be ‘got’. Organisations with enough power to coerce or enforce laws (govs) or money to bribe or carry out blackmail etc can all inflitrate the trust hierarchy at some point.

        So the idea that SSL is secure now in the modern world of scale and gov pressure and criminal organised crime is nonsense.

        I don’t want to get too technical but the reality now is that https does NOTt mean you cannot intercept it anymore. The only trusted authority in a global internet is you or someone you know, which means self signing. This will appear to a browser though to be ‘untrusted’ because it is not signed by an official ‘authority’.

        Also, only 10% of SSL using companies on the internet use algorithms that don’t have know weaknesses. Also most don’t really care or have the competence. Its just a marketing image really these days.

        Anyone who thinks governments can’t throw enough money, technology and legal threats at the cert authorities and complacent site weaknesses must be very naive.

        Some SSL stats on how poor the situation is (and that’s without dodgy cert auths).
        https://www.trustworthyinternet.org/ssl-pulse/

        People need to stop pretending that a ‘secure’ site really is because it says so.

      • John says:

        In other words..

        Security is and always has been an arms race. Guess who can throw the most money at winning that race? If you could pay a team of 100 great cryptographers and exploit researchers, you could intercept anything made by average day job worker who just wanna go home at the end of the day and have probably left a spanner in the works by accident or lack of time. If you can pay off or coerce an ‘insider’ even easier.

  5. John says:

    There is nothing in current technology stopping them turning up at a data centre, putting a network tap on and intercepting stuff (even altering it) using known weaknesses right now. They can use the might of law and expertise. They already do it and succeed in 99% of cases. However, it takes a lot of effort and so they only do this for very serious cases that most people would agree is justifiable for an intercept.

    The snoopers charter is mostly about making this process standardised, easy and accessible for very minor misdemeanors by not so skilled staff, which is why it is frightening in reality. It allows use and abuses for many things that most people would not agree with. Possibilities of abuse includes tracking whistleblowers to journalists, cracking down political opposition and right to assembly (you could fish and map group dynamics), automating justice for minor infractions such as copyright infringment and taking it out of the usual legal system (they think proper justice is too expensive and should be automated).

    People are right to oppose this but its not about something they can’t do already for serious crime. Its about scale and lesser and even non crimes.

    It is frightening, but not because it involves cracking encryption.

  6. Pingback: Encouraging Online Privacy | Entrepreneurial Geekiness

Comments are closed.