Brexit Deal Copied And Pasted Recommendations For Netscape, Outdated Encryption
from the I'm-sure-this-will-all-go-great dept
You’d think a massive and controversial deal to sever the UK from the European Union, impacting the lives of millions of people over the better part of the next generation, would contain a certain amount of… precision.
Not so much.
After a long, contentious debate and some last-minute <a href="https://www.bloomberg.com/news/articles/2020-12-23/outline-of-brexit-trade-deal-has-been-reached-officials-say">haggling over fish</a>, the final agreement governing the United Kingdom and European Union’s trade relations for decades was finalized last week. But when security researchers dug through the wording of the final agreement (which you can peruse here (pdf)), they found a bunch of indications of laziness.
Including, apparently, recommendations to protect yourself from cyberattacks by using a web browser (Netscape) that stopped being updated somewhere around 1997 or so:
Netscape Communicator is mentioned in Brexit document … Almost feels like it is 40 years old …1K RSA and SHA-1 … one day we will build a digital world fit for the 21st Century … pic.twitter.com/1cg6uX3clw
— Prof B Buchanan OBE (@billatnapier) December 26, 2020
As the BBC notes, the language appears to have been copied and pasted from a 2008 law, and the recommendations were already outdated then. While it’s reflective of the rushed and sloppy nature of the effort, the Netscape recommendation isn’t that big of a deal, given it’s simply cited as an example of a “modern e-mail software package” and will likely be ignored. More troubling however is the document’s recommendation of using 1024-bit RSA encryption and the SHA-1 hashing algorithm, both outdated and vulnerable to cyber-attacks:
“the SHA-1 hashing algorithm has been demonstrated to be vulnerable to collision attacks, and computing power has advanced such that 1024-bit RSA encryption can be broken in a sensible time frame by anyone with sufficient GPU power to give it a try. It’s clear that something is amiss in the drafting of this treaty, and we’d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document.”
While you’d hope the recommendations won’t be taken seriously, it still suggests a certain amount of… half-assedness that doesn’t bode particularly well for the broader agreement, the finer details of which will impact the lives of real human beings for decades.