Months on from the Apple and FBI headlines, the security industry has had a chance to reflect on the lessons learned about backdoors in products – whether deliberate or put there without all parties knowing. Gunter Ollmann, CSO of Vectra Networks, looks at the case for encryption in the second half of 2016.
Q1) Encryption backdoors have been a hot topic this year – what is your take on it?
The debate over whether technology manufacturers should install backdoors into their products for lawful investigation is a much bigger and more demanding discussion – in particular the fact that weakening the encryption or installing a backdoor on devices simply makes it easier for criminals to exploit because there is no guarantee that such “secrets” could be kept and, once uncovered, would expose the “keys to the kingdom.”
Even if vendors were required to install backdoors or include recoverable keys in the encryption they use, there are a near endless number of applications and software additions that can be installed by the user to ensure that those backdoors are irrelevant. Even if it became illegal for companies to not provide backdoor keys to their hardware or software, there are plenty of countries around the world with companies only too eager to supply the add-on tools to protect consumer and corporate data.
Q2) Do you think we will ever be in a position where it will become illegal for companies to not provide backdoor keys to their hardware or software?
I’m hoping we’ll never be put in that position but some countries have already started down that path. It will likely be inevitable for software and hardware vendors if they’re to provide solutions in certain markets. For example, Saudi Arabia and now the United Arab Emirates are making VPNs illegal, and China requires source code for all security products sold in the country.
I do think it’s a lost cause for two quite different reasons. Firstly, the objectives of governments that want to have backdoor access to encryption tend to be to monitor for sedition and crime. However, the people they’re most afraid of already have access to a wide variety of cryptographic techniques and can easily evade any network inspection of encryption use if they need to – and not expose themselves to undue harm. They will have more sophisticated tools to evade and secure their communications over time.
Secondly, by adding backdoors, governments then expose themselves and the public to new external threats as any backdoor is vulnerable to being exploited by foreign governments and criminals. If a government is unable to secure itself and its internal communications, any harsh regime will inevitably be exposed through its own communication disclosures.
Q3) How far off are we from encryption by default and what is the main obstacle to widespread adoption?
Encryption by default is essentially here already – it’s just that some older technologies are ignoring the memo for now and waiting until the next product refresh to include it. In the space of a few short years we’ve moved from “use HTTPS if you can to protect user data” to “you are a threat to your users if you don’t enforce HTTPS.”
Q4) What encryption problems arise when HTTPS is adopted for web browser communications?
Recent standards for HTTPS use within web browser technologies – such as certificate key pinning – are improving the overall resilience of web browsers to detect and thwart eavesdropping on user communications, even when Transport Layer Security (TLS) is used.
Widespread use of these new anti-man-in-the-middle technologies will further prevent organizations (and governments) from intercepting and altering HTTPS communications. However, this does pose new problems for employers forced to adhere to certain government, risk and compliance policies going forward.
Q5) Is that why you chose to focus your Infosecurity presentation on encryption?
The increasing prevalence of encryption within the corporate network is the 500lb gorilla in the room. Despite the diminishing visibility into the traffic traversing their networks and the corresponding loss of deep packet inspection technologies that network security teams have used for frontline defenses for the last 20 years, security leaders are turning a blind eye to the encryption problem. They’re desperately looking for solutions, but afraid to voice their concerns to their boards.