SSL and internet security news

childpornography

Auto Added by WPeMatico

Firefox Enables DNS over HTTPS

This is good news:

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can’t be intercepted or hijacked in order to send a user to a malicious site.

[…]

But the move is not without controversy. Last year, an internet industry group branded Mozilla an “internet villain” for pressing ahead the security feature. The trade group claimed it would make it harder to spot terrorist materials and child abuse imagery. But even some in the security community are split, amid warnings that it could make incident response and malware detection more difficult.

The move to enable DoH by default will no doubt face resistance, but browser makers have argued it’s not a technology that browser makers have shied away from. Firefox became the first browser to implement DoH — with others, like Chrome, Edge, and Opera — quickly following suit.

I think DoH is a great idea, and long overdue.

Slashdot thread. Tech details here. And here’s a good summary of the criticisms.

Powered by WPeMatico

Scaring People into Supporting Backdoors

Back in 1998, Tim May warned us of the “Four Horsemen of the Infocalypse”: “terrorists, pedophiles, drug dealers, and money launderers.” I tended to cast it slightly differently. This is me from 2005:

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.

Which particular horseman is in vogue depends on time and circumstance. Since the terrorist attacks of 9/11, the US government has been pushing the terrorist scare story. Recently, it seems to have switched to pedophiles and child exploitation. It began in September, with a long New York Times story on child sex abuse, which included this dig at encryption:

And when tech companies cooperate fully, encryption and anonymization can create digital hiding places for perpetrators. Facebook announced in March plans to encrypt Messenger, which last year was responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, according to people familiar with the reports. Reports to the authorities typically contain more than one image, and last year encompassed the record 45 million photos and videos, according to the National Center for Missing and Exploited Children.

(That’s wrong, by the way. Facebook Messenger already has an encrypted option. It’s just not turned on by default, like it is in WhatsApp.)

That was followed up by a conference by the US Department of Justice: “Lawless Spaces: Warrant Proof Encryption and its Impact on Child Exploitation Cases.” US Attorney General William Barr gave a speech on the subject. Then came an open letter to Facebook from Barr and others from the UK and Australia, using “protecting children” as the basis for their demand that the company not implement strong end-to-end encryption. (I signed on to another another open letter in response.) Then, the FBI tried to get Interpol to publish a statement denouncing end-to-end encryption.

This week, the Senate Judiciary Committee held a hearing on backdoors: “Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy.” Video, and written testimonies, are available at the link. Eric Neuenschwander from Apple was there to support strong encryption, but the other witnesses were all against it. New York District Attorney Cyrus Vance was true to form:

In fact, we were never able to view the contents of his phone because of this gift to sex traffickers that came, not from God, but from Apple.

Let me be clear. None of us who favor strong encryption is saying that child exploitation isn’t a serious crime, or a worldwide problem. We’re not saying that about kidnapping, international drug cartels, money laundering, or terrorism. We are saying three things. One, that strong encryption is necessary for personal and national security. Two, that weakening encryption does more harm than good. And three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices (this is just one example).

So let’s have reasoned policy debates about encryption — debates that are informed by technology. And let’s stop it with the scare stories.

Powered by WPeMatico

Dark Web Site Taken Down without Breaking Encryption

The US Department of Justice unraveled a dark web child-porn website, leading to the arrest of 337 people in at least 18 countries. This was all accomplished not through any backdoors in communications systems, but by analyzing the bitcoin transactions and following the money:

Welcome to Video made money by charging fees in bitcoin, and gave each user a unique bitcoin wallet address when they created an account. Son operated the site as a Tor hidden service, a dark web site with a special address that helps mask the identity of the site’s host and its location. But Son and others made mistakes that allowed law enforcement to track them. For example, according to the indictment, very basic assessments of the Welcome to Video website revealed two unconcealed IP addresses managed by a South Korean internet service provider and assigned to an account that provided service to Son’s home address. When agents searched Son’s residence, they found the server running Welcome to Video.

To “follow the money,” as officials put it in Wednesday’s press conference, law enforcement agents sent fairly small amounts of bitcoin­ — roughly equivalent at the time to $125 to $290­ — to the bitcoin wallets Welcome to Video listed for payments. Since the bitcoin blockchain leaves all transactions visible and verifiable, they could observe the currency in these wallets being transferred to another wallet. Law enforcement learned from a bitcoin exchange that the second wallet was registered to Son with his personal phone number and one of his personal email addresses.

Remember this the next time some law enforcement official tells us that they’re powerless to investigate crime without breaking cryptography for everyone.

More news articles. The indictment is here. Some of it is pretty horrifying to read.

Powered by WPeMatico

Australia Considering New Law Weakening Encryption

News from Australia:

Under the law, internet companies would have the same obligations telephone companies do to help law enforcement agencies, Prime Minister Malcolm Turnbull said. Law enforcement agencies would need warrants to access the communications.

“We’ve got a real problem in that the law enforcement agencies are increasingly unable to find out what terrorists and drug traffickers and pedophile rings are up to because of the very high levels of encryption,” Turnbull told reporters.

“Where we can compel it, we will, but we will need the cooperation from the tech companies,” he added.

Never mind that the law 1) would not achieve the desired results because all the smart “terrorists and drug traffickers and pedophile rings” will simply use a third-party encryption app, and 2) would make everyone else in Australia less secure. But that’s all ground I’ve covered before.

I found this bit amusing:

Asked whether the laws of mathematics behind encryption would trump any new legislation, Mr Turnbull said: “The laws of Australia prevail in Australia, I can assure you of that.

“The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.”

Next Turnbull is going to try to legislate that pi = 3.2.

Another article. BoingBoing post.

EDITED TO ADD: More commentary.

Powered by WPeMatico