N.S.A. Foils Much Internet Encryption

Security expert Bruce Schneier has an excellent article in the Guardian: The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it.
Who'd have thought that Mission Impossible's winged words 'This message will self-destruct in X seconds' might—literally—become important to many if not all of us? Silent Text (from Silent Circle) follows in MI's footsteps in a recent development along the lines The Guardian's Bruce Schneier is advocating. Long available for iOS, a version for Android was launched earlier this week. For obvious reasons, however, recent revelations suggest it would be prudent to be wary of US (and British) products in this field, apart from the fact that intercepted messages remain subject to brute force decryption attempts.
Btw, the IETF 'remake the internet' effort Schneier mentions has been going on for some time: Next version of the web will have resistance to surveillance at its core.

PS, the Guardian article Revealed: how US and UK spy agencies defeat internet privacy and security (link in the sidebar of the article you linked to) is another take on the subject matter of the NYTimes article MMT3 linked to. It doesn't have restricted access like the NYTimes, and may come in handy for those who already reached their monthly free access limit there.
HTTP2.0 offers the ability for the browser to request encryption, which means that all Web sites will need to be able to offer it.

Okay, well, erm, but...

SSL requires that the Web site have an encryption certificate signed by a certificate authority. At the moment, it's difficult to do this, and most Web hosting companies and CAs charge money for these security certificates.

That creates a bit of a pickle for people who for whatever reason can't get access to a security certificate. It places an additional hurdle in the way of folks who can't or choose not to be hosted on free platforms (because their ideas are not acceptable to the hosting platforms, or because they don't want their information such as their posting IP address to be within reach of a subpoena), but who lack either the technical skill or money to pay for an SSL certificate. It places a barrier in the path of people who have unpopular ideas--particularly if they're not in Western countries.

Look at China, for instance. It's already pretty difficult and potentially dicey for Chinese citizens to distribute ideas unpopular with the Chinese regime; this potentially makes it one step more difficult.

I'm not sure what the balance point is between providing for encryption to and from Web sites while still making the Web accessible to people whose ideas aren't popular.
Good point. Unfortunately, there are a number of conceivable security issues with any (new) internet protocol set. Most importantly, given history and the current flap about surveillance, there will almost certainly be a mutually exclusive set of requirements from 'regular' users and governments, and any new proposal—let alone implementation—will have to run the gauntlet of the latter no matter what formal policies and legislation allow. Individual security efforts within existing frameworks, to the extent that they are practical, will remain subject to interception and brute force access attempts. It's not even clear if 'effective' surveillance can ever be made too expensive to be worthwhile to those who are in favor of it.

All that said, you have to start somewhere, and I suppose any attempt is better than none. I'm not holding my breath, though.
© FineTunedMac