There is no such thing as "#lawful#access". Encryption is #math. There is no math that the "good guys" can do but which cannot be done by the "bad guys".
Anyone who suggests different is #lying, to #spy on you.
@cazabon The part about the envelopes reminds me that while encryption is associated with obscuring the data, but that's not the only thing it does.
That is, like the opaque envelope, it lets us know if someone's tried to open it, change it, or can decrypt the message (The latter mainly relevant to TLS proxies.).
It also gives us an automated way of rejecting a message if it's been tampered with, like how we can refuse a message in an envelope previously opened.
> That is, like the opaque envelope, it lets us know if someone's tried to open it, change it, or can decrypt the message
That's message authentication. It's actually separate from encryption - for example, some people sign their email with a private key so that others can verify it came from them, but without encrypting the contents. Or data like Debian / etc packages, which are signed but not encrypted.
The two are frequently done together, but are otherwise not closely related.
@cazabon That's fair - it's my understanding that with public-private key encryption, it's essentially baked in to every message because if the decryption is still garbled, someone tried to modify the encrypted message...or someone used a different encryption key.
Which comes up with backdoors - because the current state is for a proxy to effectively act as a backdoor, both parties need to know its public key...and subsequently know that the proxy exists in-between them and their target.
Yes, the "trust problem". Securely distributing keys, centralized or web-of-trust, is and always has been an unsolved problem. We have "it mostly works okay" solutions and handwave the problem away, but we're still vulnerable to a determined attacker.
Modifying an encrypted message in traffic does result in a decryption error if implemented properly, but it's not because every packet is authenticated. Someone can snoop, if they derive the symmetric key, without notice.
Indeed. As long as the #spy agencies / law enforcement (that line is blurring...) have the ears of the politicians, the push to outlaw encryption will continue.
The USA may get lucky, in that the 1st amendment may be sufficient to declare any such law unconstitutional. Living in Canada, I won't benefit from that, and I'm not confident our supreme court would stand in the way of such a legal travesty.
I meant that #literally - correspondence on #paper in paper envelopes.
As for #email encryption, it's still too difficult for the average person to set up and use (correctly). Even if you're capable of it, you cannot assume the people you communicate with will be equally proficient.
So anything truly #confidential I do not send by email, ever. Then to minimize the remaining risk, I run my own mail service. #Gmail still has half my email, because they have half of everyone's email.
We need people who understand encryption in charge of writing the laws about it.
Because this alone doesn't fix the problem. The problem isn't that we can't, it's that laws spawned from America make it a big crime to fix yourself.
"Encryption is just math, can't make math illegal" is as good as argument as "guns don't kill people, bullets do". It's missing the whole point. Because yes they can make math illegal. Books too. Even people. Therein lies the real problem, it's the laws.
Add comment