End-To-End Encryption Isn't Just About Privacy, But Security
from the legacy-of-ed-snowden? dept
Nicholas Weaver has a fantastic article over at Wired detailing how GCHQ and NSA’s “quantum injection” effort works to install malware on the computers of targets via packet injection. As he notes, this effort “turned the internet backbone into a weapon.” That’s dangerous on multiple levels. He explains that, while experts have been suggesting this for years, cleartext traffic isn’t just a privacy issue, it’s now a security issue:
If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgicom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own.
Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.
The only way to protect against this is to encrypt everything:
The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.
Encryption doesn’t just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.
Thankfully, he’s not the only one thinking about this. As we pointed out a few weeks ago, IETF is moving forward, full-steam ahead, on looking at ways to make the internet secure by default.
That seems like a very useful consequence of all of this. While we’ve mostly been focused on what’s happening at the political and policy levels around here, the technology can make a lot of that meaningless. The simple fact is that an awful lot of security online has involved kludges pasted on later, after problems or concerns appeared. Rethinking and rebuilding a more secure (it’ll never be perfectly secure but it can be a lot more secure) internet from the ground up isn’t just good for protecting privacy and keeping away from snooping spies, but it’s just a good plan, in general, for security.