@cypherpunks@lemmy.ml
@cypherpunks@lemmy.ml avatar

cypherpunks

@cypherpunks@lemmy.ml

cultural reviewer and dabbler in stylistic premonitions

This profile is from a federated server and may be incomplete. Browse more on the original instance.

cypherpunks,
@cypherpunks@lemmy.ml avatar

/c/nottheonion@lemmy.ml

cypherpunks,
@cypherpunks@lemmy.ml avatar

Yeah, it’s used all over the world for not only cop radios but also control systems for things like power plants and railway switches, and ETSI’s backdoored cryptography is sometimes relied upon for authenticity as well as confidentiality. So, it is literally possible to exploit this backdoor and cause physical disasters with a radio transmission.

The conspirators should be held accountable and should never be trusted again, but instead they’re having more of their future standards written into law. You can read an interview with the chair of ETSI’s Technical Committee TETRA and Critical Communications Evolution (TC TCCE) Brian Murgatroyd here.

cypherpunks,
@cypherpunks@lemmy.ml avatar

The researchers found five different vulnerabilities. The one that can most unambiguously not be called anything besides a backdoor (internally reducing what were believed to be 80-bit keys down to 32 bits) was specific to TEA1, the export cipher for use outside of Europe and the US, but the other vulnerabilities applied to other ciphers also.

The homepage for the research is www.midnightblue.nl/tetraburst

cypherpunks,
@cypherpunks@lemmy.ml avatar

All Cops Are Broadcasting was the title of one of the talks the researchers did about it

cypherpunks,
@cypherpunks@lemmy.ml avatar

what those posts have in common is that they’re both about EU attempts to reduce the power of US tech companies. (In the first they’re reducing those companies’ power to violate privacy, and in the second they’re reducing their power to protect it.)

cypherpunks,
@cypherpunks@lemmy.ml avatar

This doesn’t restrict TLS, a protocol, it restricts the implementations of TLS by the handful of companies who develop and distribute widely-used web browsers - which are mostly US-headquartered multinationals.

cypherpunks, (edited )
@cypherpunks@lemmy.ml avatar

I’m not sure what part of my comment you’re saying is categorically false? I agree with your assessment of eIDAS! I even made a meme about it.

I guess you’re disagreeing with me saying this restricts companies’ implementations of TLS rather than TLS itself? I’m saying that because the law is specifically talking about web browsers, and doesn’t appear to apply to other uses of TLS.

cypherpunks,
@cypherpunks@lemmy.ml avatar

Currently browser vendors are able to make their own decisions about which CAs to trust, and how to validate certificates. Most browsers trust a lot of nation states’ CAs, but they (the browser vendors) are currently free to unilaterally stop trusting them when they learn of abuses.

That’s like saying wiretaps are an attack on the telco, not the phone calls being listened in on.

Often it is both. Remember MUSCULAR?

https://lemmy.ml/pictrs/image/d46c3283-4aa2-4a89-ac42-11d0e4ace108.png

cypherpunks,
@cypherpunks@lemmy.ml avatar

not only, but yes.

cypherpunks,
@cypherpunks@lemmy.ml avatar

The legislation requires web browsers to trust EU countries’ CAs (which browsers already tend to do, but are presently free to remove when they’re observed being misused) and prohibits doing non-ETSI-approved validity checks (eg, certificate transparency, which is a way CA-misusing MITM attackers can be caught).

Wouldn’t you say the point of that particular clause is to reduce browser security (so that cops and intelligence agencies are free to exploit it without interference from CT)?

cypherpunks,
@cypherpunks@lemmy.ml avatar

I haven’t had a chance to check anything yet, but given who (Mozilla) is reacting and how, I suspect this is just another case of EU authorities acting to protect their citizens from (American) corporate abuse

Not in this case. I suggest you read the open letter (which is signed by 335 scientists and researchers from 32 countries so far).

Or, do you consider it to be corporate abuse when Mozilla prevents governments from using their certificate authorities to launch MITM attacks and impersonate websites for the purpose of intercepting internet traffic? Because that is what we’re talking about.

cypherpunks,
@cypherpunks@lemmy.ml avatar

i’ll take your word for it

  • All
  • Subscribed
  • Moderated
  • Favorites
  • anitta
  • thenastyranch
  • rosin
  • GTA5RPClips
  • osvaldo12
  • love
  • Youngstown
  • slotface
  • khanakhh
  • everett
  • kavyap
  • mdbf
  • DreamBathrooms
  • ngwrru68w68
  • megavids
  • magazineikmin
  • InstantRegret
  • normalnudes
  • tacticalgear
  • cubers
  • ethstaker
  • modclub
  • cisconetworking
  • Durango
  • provamag3
  • tester
  • Leos
  • JUstTest
  • All magazines
    •