Tuesday, November 19, 2013

So everyone is moving to encryption to make the NSA's life harder

Yahoo! is the latest:
Yahoo! is going to start encrypting its intra-data-center traffic and will offer a similar service as an option to webmail users next year, CEO Marissa Meyer has pledged.

"I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever," she said on her Tumblr page – which is now the preferred method of corporate communications following Yahoo!'s $1bn acquisition of the site.

"There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL - Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014."
Sure, there is suspicion that NSA has weakened the standards and so can break the crypto if they want.  The problem is that this isn't trivial, or free.  If a big chunk of the Internet traffic becomes encrypted then NSA's job just got much, much more difficult.

Since Silicon Valley companies see their business model at risk, they're lining up to do exactly this.  So what about everyone else?  As it turns out, it may be pretty easy for everyone else to do this, too.

All modern Operating Systems (read: "Post Windows XP which is getting its lethal injection next year") support IP version 6 (IPv6 for short), the next generation Internet Protocol.  It was designed to replace the current IP (version 4, for those keeping score at home) back 10 or 15 years ago.  Rollout has been slow, but there's a very good chance that the computer you are reading this on already supports v6.

What does this have to with NSA?  Well, IPv6 includes encryption of all packets as an option (called IPSec).  All people have to do is enable IPv6 and IPSec.  Even better, you can be backwards compatible with IPv4 by running "dual stack".  Yes, this has it's downsides, but China is moving into v6 is a big way:
The ever-present desire for censorship may be the carrot, but for whatever reason China has a head start on adopting IPv6.  Even as the U.S. moves sluggishly towards the next generation internet address protocol, 3TNet -- China's state-provided broadband internet and public video service -- has made the switch.

The upside of IPv6 is one that's likely highly desirable in China -- more space.  IPv4, the previous standard, only allows 4.3 billion unique web addresses.  With over a billion people, China may surpass that total in domestic pages alone.

IPv6 is also expected to beef up security.  Using a technology called Source Address Validation Architecture (SAVA), IPv6 networks establish a relationship based on multiple trusted interactions across a network.  This can help beat so-called "IP spoofing" attacks, and advances the current version of IPv6 over less secure earlier versions.
So here's the thought: what if Google and a couple of the other big tech firms (the ones that are hopping mad at the NSA right now) put a little popup on their site that showed how easy it was for Joe Home User to turn on v6?  What percent of Gmail or Facebook users would do this, especially if the popup mentioned it would make government monitoring much more difficult?  The number isn't zero.

The more I look at things the more stunned I am at just how stupid the NSA has been.


cryptical said...

Back in the day on the cypherpunks list we talked about ubiquitous encryption being an enabling technology for all sorts of social and political change.

Nice to see it coming back, and I do agree that moving the crypto down the network stack is a good idea.

R.K. Brumbelow said...

I fail to see how the encryption offered by yahoo/google/amazon is anything but marketeering by these companies. They have the keys to the data, do they expect that I believe the NSA does not as well?

So long as the data is recoverable by anyone between origin and termination, it is not encryption as I see it.

KurtP said...

You seen to be giving these companies a little too much privacy creds, Borepatch.

All the NSA has to do is a lawyerly version of "AHEM!" and they'll roll over with whatever the NSA wants to see.