The Coming War on Encryption, Tor, and VPNs

Last week, a group of organisations and companies including Mozilla and the EFF announced Let's Encrypt.


Last week, a group of organisations and companies including Mozilla and the EFF announced Let's Encrypt:

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

And when they say free, they mean free, plus much else:

Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.

Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.

Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.

Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.

Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.

Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

As well as being completely free, one of the other huge boons of using Let's Encrypt is how easy the process will be once it goes live next summer:

enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server:

$ sudo apt-get install lets-encrypt

$ lets-encrypt

That’s all there is to it! is immediately live.

The Let’s Encrypt management software will:

Automatically prove to the Let’s Encrypt CA that you control the website

Obtain a browser-trusted certificate and set it up on your web server

Keep track of when your certificate is going to expire, and automatically renew it

Help you revoke the certificate if that ever becomes necessary.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.

This is a hugely important project, because it has the potential to move the Web from default open to default encrypted communications. That's sadly necessary in the light of Edward Snowden's revelations about how the very openness of the Internet and its services has been abused by the NSA, GCHQ and others. Encrypting Web connections will at least make things harder.

And that, of course, will not go down well with the world's spy agencies. As I wrote a couple of weeks ago, there is a clear move to demonise strong encryption using a crude "if you have nothing to hide, you have nothing to fear"-type argument: only bad people could possibly want to hide their communications. I predict that things will only get worse - not just because of Let's Encrypt, but also following the Home Secretary's announcement this week of yet more counter-terrorism measures.

One of them claims to address the fictional "capabilities gap the authorities face when it comes to communications data." There is no such gap, because the volume of communications data has grown so hugely that any *percentage* loss of capabilities is more than made up for by the greater total quantity of information now available. For example, even if the authorities were only able to access a half of all communications data, say, that would still represent hundreds of times more raw information than previously because overall traffic has probably increased many thousands of times thanks to the rise of the Internet (those figures are plucked from the air, but the point remains valid.)

Here's the new measure:

the Bill will go some way to bridging that [capabilities] gap. It will therefore require internet providers to retain Internet Protocol - or IP - address data to identify individual users of internet services.

The Open Rights Group has a good post explaining why this is being proposed:

this is a rather backward proposal, dealing with a problem that exists because the mobile companies continue to rely on out of date technology. To take a moment to explain: the Internet is famously running out of addresses (numbers that identify a point on the Internet – Internet Protocol version 4 (IPv4) addresses).

To deal with the lack of address space, mobile companies use a technology called "Network Address Translation" or NAT, which allows several devices to share the same IP address. Most people use this at home to allow two or three computers to use the ADSL or cable connection, However the mobile companies do this at a far greater scale called "Carrier Grade NAT" — and there will be hundreds of different people using the same IP address.

That is, it's about tracking mobile access to the Internet, where the IP address may be shared by large numbers of people. Since this is about matching IP addresses and port numbers to people - something in itself that is not very clever, since these identify systems, not who is using them - the new power seems to be designed to find out who has visited certain sites, presumably those that allegedly support terrorism etc.

But it is, of course, trivial to avoid this surveillance using Tor or a VPN. And so inevitably the next stage of this assault on online digital liberties will be to attack those too, even though both have perfectly legitimate uses, especially the latter. Indeed, now would be a good time for businesses to make it known to the UK government that they require VPNs to function properly in the online world, just as they require strong encryption; and that trying to outlaw any of these, or to restrict or weaken them in the name of "counter-terrorism" would be yet another deeply disproportionate response with serious adverse consequences for the economy and society.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+