Encryption and You…

There seems to be an endless stream of stories about how the UK wants to ban the use of encryption on the Internet. It’s hard to say what this says about the UK officials, since banning encryption is essentially impossible without completely breaking the Internet.

Well, technically it could be done, but you wouldn’t want to be on this Internet anymore for anything requiring security.

So, a quick rundown on just what encryption is. Let’s say you send data across the Internet: an email, a tweet, a bank password, a credit card number for buying something on Amazon. Without any sort of encryption, the data is simply converted into bits and sent from router to router to the machine on the other end. Capturing this traffic as it flows across the Internet is actually fairly easy.

There was a very famous exploit plug-in a few years ago called Firebug. Firebug would sniff the local network for the login cookies used by Facebook and snatch them out of the air (so to speak), allowing the user of Firebug to access the Facebook account of anyone else on the local network. This was before Facebook encrypted the data for its login information, so the cookie was just flowing across the network. The cookie data is basically a way for Facebook to know “yes, this person has logged in and this is who they are” so you don’t have to enter your password every time.

Because Facebook switched to SSL encryption for their login data, these cookies are now encrypted as they pass through the Internet. You may still be able to snatch the cookie, but it will be a garbled mess of gibberish.

Now imagine if your bank or Amazon didn’t use encryption.  The same methods used by Firebug could be used to pull your bank or credit card data.

This is why encryption is important and used every day.

But how does it work? When you connect to a remote website, your computer and the website exchange keys for translating the encrypted data. This means the data can only be read by your computer or the remote website. As an extremely simple example, let’s say the “key” is “13” and the “algorithm” is “ROT13”. The data would be translated by moving all of the letters in a data packet by 13, hence ROT13 (Rotate 13). The phrase “My name is Josh” becomes “Zl anzr vf Wbfu”. Now, this is a very, very, very simplified example. Real encryption uses long, long keys, complex multifaceted algorithms, often with time-based mechanics, and in general would never be human translatable. In fact, without the key, depending on how complex the encryption is, it could take the most powerful computer in the world millions of years to break some encryption.
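The ROT13 example above, carried through as an added Python example (not code from the original post): it shifts letters by the key, shows that an eavesdropper without the key recovers the message by trying all 26 possibilities, and estimates how long the same exhaustive search takes against a long key. The word list, the 128-bit key size and the guess rate of 10^18 per second are assumptions chosen for illustration.

```python
def rotate(text: str, key: int) -> str:
    """Shift each ASCII letter by `key` places, keeping case; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


# Constructed mini word list used to recognise plausible English output.
COMMON_WORDS = {"my", "name", "is", "the", "and", "to", "of", "you"}


def brute_force(ciphertext: str) -> tuple[int, str]:
    """Try every one of the 26 keys and return the (key, plaintext) that looks most like English."""
    def score(candidate: str) -> int:
        return sum(word in COMMON_WORDS for word in candidate.lower().split())

    best_key = max(range(26), key=lambda k: score(rotate(ciphertext, -k)))
    return best_key, rotate(ciphertext, -best_key)


def years_to_search(key_bits: int, guesses_per_second: float) -> float:
    """Worst-case years needed to try every possible key of the given size."""
    seconds = 2 ** key_bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ciphertext = rotate("My name is Josh", 13)
    print("ciphertext :", ciphertext)

    # The eavesdropper never saw the key, but 26 guesses are enough.
    key, plaintext = brute_force(ciphertext)
    print("recovered  :", key, plaintext)

    # Assumed attacker speed: 10^18 guesses per second against a 128-bit key.
    print(f"128-bit key: {years_to_search(128, 1e18):.2e} years")
```

The shift cipher falls instantly because it has only 26 keys; the same exhaustive search against a 128-bit key at the assumed rate takes on the order of 10^13 years.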

So, why does the UK government (and others) want to ban this important security tool? It’s simple: they can’t break it. The world has become aware of how the governments of the world are scooping up and reading all of the data across the Internet, and the world has turned to encryption to keep their privacy. Websites big and small have started using SSL by default so all traffic is encrypted, making it impossible for outsiders to read the contents. More people are using things like VPN tunnels, Tor networks, and PGP keys for their emails. These are all useful encryption tools.

The claim of these spying agencies is that it makes it hard or impossible to “find the bad guys”. This assertion is as ridiculous as claiming, say, that we need to ban White Vans because kidnappers always and only use White Vans. Or maybe we need to ban beards because “Terrorists always have beards”.

“Only bad guys encrypt their data”.

It’s basically applying a false stereotype and getting mad when it doesn’t fit. It’s also blatantly ignorant of the real-world uses of encryption. Without encryption, no one would ever shop online, since it would be trivial for hackers to harvest credit card data. You may as well be required to speak your name, card number, card verification number, etc. out loud to the checkout clerk at the grocery store every time you want to buy something.