Skip to main content
banner image
venafi logo

Why Governments Should Be Wary of Encryption Backdoors

Why Governments Should Be Wary of Encryption Backdoors

government encryption backdoors
October 3, 2018 | Guest Blogger: Kim Crawley

What happens when one country has access to another country’s SSL certificates?

India’s Deccan Chronicle recently reported that more than 31 Indian government websites shared SSL certificates with Akamai, a private American company that’s subject to American law, not Indian law.

Having access to an SSL certificate allows the party to decrypt the internet traffic of the website which uses it. Akamai, being an American company, could have been a vector for the US government to acquire access to sensitive Indian data.

Security researcher Kingsly John said:

“Government websites should not be using such foreign services like Akamai and Cloudflare in the first place. Everyone's name, Aadhaar (Indian government identification system for Indian citizens), and mobile number are first sent in clear text to a US company's servers before they reach the government server. A whole bunch of government websites seem to be using Akamai which can be forced by the US to hand over any and all data. This is a disgrace and impacts national security.”

The Reserve Bank of India was also using certificates from an American company Cloudflare, a serious Indian cybersecurity risk.

The bank and other Indian government websites have since ceased using SSL certificates from American companies and are now using certificates that only Indian entities have ownership of. Government websites worldwide should be similarly careful to keep SSL certificate ownership exclusively domestic, so that it’s not so easy for foreign governments to deploy man-in-the-middle attacks.

One particular group doesn’t want any of us to have good encryption technology! Five Eyes is an intelligence alliance between Canada, the United States, the United Kingdom, Australia, and New Zealand. They want all civilian encryption technology to have backdoors for police and intelligence. They cloak their opinion that they and law enforcement should be able to digitally spy on anyone without the annoyance of cryptography under the guise of “countering the illicit use of online spaces.” From their Five Country Ministerial 2018:

“Encryption is vital to the digital economy, a secure cyberspace and the protection of personal, commercial and government information. The five countries have no interest or intention to weaken encryption mechanisms. We recognise, however, that encryption, including end-to-end encryption, is also used in the conduct of terrorist and criminal activities. The inability of intelligence and law enforcement agencies to lawfully access encrypted data and communications poses challenges to law enforcement agencies' efforts to protect our communities. Therefore, we agreed to the urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations. We have agreed to a Statement of Principles on Access to Evidence and Encryption that sets out a framework for discussion with industry on resolving the challenges to lawful access posed by encryption, while respecting human rights and fundamental freedoms.”

Not so fast, Five Eyes. If there’s a backdoor for law enforcement, anyone can exploit it, rendering the encryption useless. According to Bruce Schneier:

<“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects.”

Having your SSL certificates in the hands of other countries is a security problem that’s easy to miss. The consequences can be dire if an outside government can decrypt your internet communications. You could even have regulatory compliance problems.

Fortunately, you can get a Certificate Risk Assessment performed by Venafi, free of charge. It’s vital for you to find out what’s going on with your encrypted internet services, and you can’t fix a problem until you know what it is!

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

end-to-end encryption, ghost proposal, encryption backdoor

Will the Trump Administration Succeed in Banning End-to-end Encryption?

HTTP, man-in-the-middle attack, HTTPS, TLS, TLS certificate, phishing attack

Can Attackers Use a New HTTP Exploit to Bypass Your TLS?

encryption backdoor, Cybersecurity, ssh key pair

Battle of the Backdoors in Networking Infrastructure: Intentional vs. Incidental

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat