that no security expert wants to create a haven for online opium trading or make texting apps safe for organized crime. It's also safe to say that no legislator wants to open a Pandora's box that siphons off every available credit card number. The issue thickens, though, with WhatsApp running on specialty phones encrypted for the Sinaloa cartel. Data defenders and privacy activists have held a staunch line against encryption backdoors, but recent government rumblings suggest the line may be giving way. The complicated tangle of privacy, protection and the pursuit of encryption, in this week's Digest.
For those needing an end-to-end binge reel of the Going Dark encryption debate, Stewart Baker of Lawfare did an excellent job of chronicling the schism. We’ve summarized his points here, and it appears the conclusion may be in plaintext:
That’s why we have the term “career politician” - because to get elected, it often takes a career. That’s one less career that can be spent understanding the intricacies of cybersecurity. And that’s one more generalist that unfortunately is being asked to make the decisions of a specialist.
Bruce Schneier argues for a national cybersecurity regulatory body that can inform these decisions and provide expert counsel in a world where rapid technological change is par for the course. Times are changing. Policy needs to change too. The problem is, do policy makers know how? When it comes to encryption, the survey says: they may not.
Vincent Ramos of Richmond, Canada, was a successful CEO by all measures. He ran Phantom Secure, a firm that sold specialized encrypted devices to a niche clientele. The only problem was his niche. He allegedly catered to a Sinaloa organized-crime gang that used a WhatsApp chat on his encrypted phones to organize the murders of hundreds of Mexican law enforcement agents.
One thing Phantom Secure's CEO cannot be blamed for, however, is giving investigators a backdoor into his secure phone network, because he never did. "He was given the opportunity to do significantly less time if he identified users or built in/gave backdoor access," said a source close to Ramos. According to another source, "He never gave law enforcement a backdoor into Phantom Secure. He did not do that."
Encryption backdoors widen the game of cat and mouse. The problem is, in this scenario the mouse is just as big and formidable as the cat. Opening encryption backdoors would allow more good guys to catch bad guys. It would allow more bad guys to catch good guys.
It widens the arena and grows the game. The question is—do we want to play?
With all the cards being stacked in favor of government access, it may be too late to ask.
“Your connection is not private.”
If you were looking to save a dime through Her Majesty's Revenue and Customs childcare portal, last Sunday was not the day to do it. Parents log in to claim the credit that lets them pay part of their childcare bill before tax. On that day, however, the UK tax authority let the portal's TLS certificate expire. Browsers reject an expired certificate with the warning above, so the payment portal was effectively down, and the only way past the warning is to click through it, which is exactly the habit no payment site wants to teach its users.
What leads to a certificate-related outage? You can watch, below.
Even without a proper certificate management platform, an enterprise should still be able to renew a certificate fairly quickly. Right?
I asked Venafi's Mark Miller, Sr. Director of Support, how long this type of TLS certificate renewal should take in a usual scenario. Here is the Slack transcript, minus the GIFs:
Me: How long should this have taken?
MarkM: with [Venafi] TPP, seconds
Me: Cool. How about without?
MarkM: the problem, though, is that you only do this manually every 1-2 years
by the time renewal comes around, you may have different staff, and finding all of the right addresses, credentials and info needed can easily extend this to a day or more of work
That may be what happened at HMRC: well into the next workday, they were still working on a fix. The TLS certificate has since been replaced, but once automated certificate management tools become ubiquitous, scares like this certificate outage should be as ancient as plain HTTP.
TalkTalk, a quadruple-play provider of telecom and broadband services in the UK, was temporarily offline last week. Why? Its certificate had been revoked. Why? Wrong address.
In his Twitter feed, Scott Helme chronicles his minute-by-minute unearthing of the paper trail behind what appears to have been an 11-hour outage.
Apparently, the address (yes, just the physical street address) of the British ISP was originally mistyped at Companies House, the UK's business registration authority. Two days later the record was corrected. Six months after that (a separate issue) the CA issued the offending EV certificate, and unfortunately did so with the wrong address. An EV certificate carries the subject's verified registered address, so this one had been misissued from the day it was signed, and nobody noticed until just two weeks before it was due to expire. Once a CA learns that the subject information in a certificate it issued is inaccurate, the CA/Browser Forum Baseline Requirements oblige it to revoke that certificate; the revocation, not the typo itself, is what took the site offline.
In this case the problem was unusual, and you could even blame the CA. But with certificate-related outages leading to breaches that average $3.4 billion apiece, no major entity can afford to take chances.
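The two outages above fail in different ways: HMRC's certificate ran out of time, while TalkTalk's carried subject data that did not match the public record. Both are caught by the same routine inventory check, and the Go program below is an added example of one; it is not Venafi's code, nor anything HMRC or TalkTalk run. It mints a self-signed certificate offline whose subject carries a street address, as an EV certificate does, then parses it and reports the days remaining, whether it falls inside a renewal window, and whether the address on the certificate matches the one on record. Every host name, organization, address and date in it is constructed for the example; a real check would load certificates from the servers or the inventory and compare them against the registrar's record.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is what the inventory check reports for one certificate.
type Finding struct {
	CommonName     string
	NotAfter       time.Time
	DaysLeft       int  // whole days between now and NotAfter (negative once expired)
	Expiring       bool // still valid, but NotAfter falls inside the renewal window
	Expired        bool
	AddressMatches bool // subject street address equals the address on record
}

// issueTestCert builds a self-signed certificate whose subject carries a
// street address, as an EV certificate would. It exists only so the example
// runs offline; the names in it are constructed, not real.
func issueTestCert(cn, street string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:    cn,
			Organization:  []string{"Example Org Ltd"}, // constructed
			StreetAddress: []string{street},
		},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// checkCertificate parses a PEM certificate and evaluates it against the
// clock, a renewal window, and the street address held by the registrar.
func checkCertificate(pemBytes []byte, now time.Time, window time.Duration, registeredStreet string) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	expired := now.After(cert.NotAfter)
	onCert := strings.Join(cert.Subject.StreetAddress, ", ")
	return Finding{
		CommonName:     cert.Subject.CommonName,
		NotAfter:       cert.NotAfter,
		DaysLeft:       int(cert.NotAfter.Sub(now).Hours() / 24),
		Expired:        expired,
		Expiring:       !expired && !now.Add(window).Before(cert.NotAfter),
		AddressMatches: strings.EqualFold(strings.TrimSpace(onCert), strings.TrimSpace(registeredStreet)),
	}, nil
}

func main() {
	// Fixed clock so the output is reproducible; a real check uses time.Now().
	now := time.Date(2018, 3, 5, 12, 0, 0, 0, time.UTC)
	registered := "1 Example Street, Example Town" // constructed address on record
	pemBytes, err := issueTestCert("tax.example", registered, now.Add(-time.Hour), now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	cases := []struct {
		label, street string
		at            time.Time
	}{
		{"matching address, 10 days left", registered, now},
		{"register holds a typo of the address", "1 Exampel Street, Example Town", now},
		{"checked a day after expiry", registered, now.Add(11 * 24 * time.Hour)},
	}
	for _, c := range cases {
		f, err := checkCertificate(pemBytes, c.at, 30*24*time.Hour, c.street)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-38s days_left=%3d expiring=%-5v expired=%-5v address_ok=%v\n",
			c.label, f.DaysLeft, f.Expiring, f.Expired, f.AddressMatches)
	}
}
```

The window check is the point Mark makes in the transcript: a renewal done by hand once every year or two has to be flagged weeks ahead, not on the morning the certificate expires, so the check is meant to run on a schedule and page somebody while there is still time to find the credentials. The address comparison is the cheap end of what a CA validates at issuance; running it yourself against the registered details surfaces a misissued EV certificate before the CA does, while you still control the timing of the replacement.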
Tired of hearing about certificate-related outages? So are we. See how we're going to stop them with VIA Venafi, the industry's first No Outage Guarantee.