By Tim Hardy
Channel 4 news have revealed tonight more details of government plans to read all of your internet traffic.
The Home Office has held meetings with the UK’s largest ISPs and mobile network operators, and has given them information about the hardware which companies will have to use to monitor traffic flowing through their systems.
When an individual uses a webmail service such as Gmail, for example, the entire webpage is encrypted before it is sent. This makes it impossible for ISPs to distinguish the content of the message. Under the Home Office proposals, once the Gmail is sent, the ISPs would have to route the data via a government-approved “black box” which will decrypt the message, separate the content from the “header data”, and pass the latter back to the ISP for storage.
The report contains no information about how this “black box” works so the following is an assumption.
This is quite technical but it’s important to understand so I’ll try to keep it as simple as possible.
Here is what gets sent across the internet when I type “I have an embarrassing medical condition” into google.
If I was doing this at work or in a web cafe, anyone with the right skills could read what I’d typed.
Most modern web browsers change the colour of part of the title bar to green to let you know when you’re visiting a secure site. I’m writing this post using a “https:” connection which you can see at the start of the address bar.
Notice the colour. Notice too the padlock icon.
When I was researching my medical condition above, I visited http://www.google.co.uk. If I had visited https://www.google.co.uk instead, no one would have been able to snoop on my web traffic. The text “I have an embarrassing medical condition” would have been turned into a garbled string of characters, a code that would take them hundreds of years to break. The “s” after “http” stands for secure (it actually stands for “over Secure Socket Layer” but the important word here is “secure”).
Turning my search string into a coded message that cannot be read by eavesdroppers involves some clever mathematics using prime numbers explained in the brief video below.
Anyone can generate a public keys that can be used to encrypt traffic. But how do you know that the person or organisation is who they claim to be when you visit their site?
Let’s have a look at an example. When you try and browse Indymedia using https you receive a warning:
If you accept the warning and select “Proceed anyway” the browser warns that the https connection is not trusted by using the colour red, a bar through the word and a cross through the padlock.
No one has validated this certificate. You are making an explicit choice to trust them.
If I click on the green beyondclicktivism.com padlock in my browser, however, I can see that the identity of the website has been verified by a Certification Authority. This is why I don’t get the warning I get with Indymedia. The information explains who issued the certificate and who it belongs to (there’s also some extra information about the security of the connection.)
Certification authorities belong to a web of trust, a group of bodies who validate each other. They issue public key certificates like the one from Go Daddy Secure Certification Authority above. These are electronic files that bind a public key with the name of a person or an organization and can be used to verify that a public key belongs to that individual.
Principle of a public key infrastructure. Rough outline: A user applies for a certificate with his public key at a registration authority (RA). The latter confirms the user’s identity to the certification authority (CA) which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. His identity is then checked by the contracting party with a validation authority (VA) which again receives information about issued certificates by the certification authority.
(Image via Wikimedia.)
If you haven’t followed all the details above, it doesn’t matter. All you need to understand for now is that there are certificates issued by authorities that identify gmail, for example, as belonging to google so when you go to a website that claims to be gmail you can be sure that it is what it says it is.
Such certificates could in theory be abused however. In February this year, Certificate Authority Trustwave was forced to revoke a certificate that allowed one of its clients to spy on employee’s private email:
Certificate Authority Trustwave has revoked a digital certificate that allowed one of its clients to issue valid certificates for any server, thereby allowing one of its customers to intercept their employees’ private email communication.
The skeleton-key CA certificate was supplied in a tamper-proof hardware security module (HSM) designed to be used within a data loss prevention (DLP) system. DLP systems are designed to block the accidental or deliberate leaking of company secrets or confidential information.
Using the system, a user’s browser or email client would be fooled into thinking it was talking over a secure encrypted link to Gmail, Skype or Hotmail. In reality it was talking to a server on the firm’s premises that tapped into communications before relaying them to the genuine server. The DLP system needed to be able to issue different digital certificates from different services on the fly to pull off this approach, which amounts to a man-in-the-middle attack.
The same principle approach might be used in government monitoring activities, such as spying on its own citizens using web services such as Gmail and Skype. Evidence suggests that digital certificates issued by Netherlands-based firm DigiNotar last year were used in this way to eavesdrop on the webmail communications of Iran users last year, although no firm state-sponsored connection has been established.
The only way that these black boxes could work would be if the UK government were creating fake certificates like this with the collusion of a Certification Authority. This wouldn’t be a company spying on its staff, it would be a government spying on every email, every post, every tweet, every message, every query, every electricity bill paid or balance transfer arranged by its citizens. And the padlock in your browser would stay green.
If the government are planning on forging certificates then using tor or a VPN is not going to protect either you so those who’ve read a little bit about this and think they’ll be safe – think again. When I wrote Online Idiocy Kills warning of potential dangers when using tor, I assumed https was secure. News of the Home Office black boxes show that this is no longer the case.
Before the election, the Conservatives and Liberal Democrats both agreed they wanted to roll back Labour’s authoritarian state. They lied. This surveillance system has no place in a democratic society. This legislation must be thrown out along with the totalitarian minded ministers who are trying to push it through. This is one step too far towards a police state that we must urgently reject.