Encryption protocols are hard. Two stories, one public and one from my current job:
HTTPS is secured using SSL/TLS. SSLv1 is so bad it didn't survive the laugh test when it was explained to actual cryptographers; I can't find any records of what it did. SSLv2 is also pretty bad. SSLv3 is at last good enough that actual cryptographers spent time finding holes in it, and today it's considered so broken as to be useless.
TLSv1.0 went to the IETF. More eyeballs will fix it, right? Not if they're all engineers. Finally in TLSv1.2 the cryptographers were called in, but only after it was finished. "Hey, is this finished thing secure? Yes or No answers only."
Only in TLS 1.3, which is finished but yet to be official, did they _start_ with cryptographers and do the engineering problems later after the cryptographers had baked in the security.
At work, after a system had been in use for several years, I was told we couldn't put more key-value pairs into the session information, it was "full". So I went to see how this could possibly be true. All the session information is turned into a JSON blob, which is turned into a few hundred bytes, and then those bytes are encrypted with RSA with the results stored in a Cookie. RSA is only designed to encrypt small quantities of data, which isn't a problem because it's supposed to be used to move a symmetric key. But far, far more importantly - even if this particular _method_ of doing so is crazy, why are we encrypting all this data and hiding it in a Cookie at all? That's crazy.
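Added example, not part of the comment above or of the system it describes: why a session blob encrypted directly with RSA becomes "full". The size limits are those of RFC 8017; the key sizes, OAEP with SHA-256, and the session field names are assumptions, since the comment gives none of them.

```python
import json

# Hash output sizes in bytes, used by OAEP (RFC 8017, section 7.1.1).
HASH_LEN = {"sha1": 20, "sha256": 32, "sha512": 64}


def max_plaintext_len(modulus_bits, padding="oaep", hash_name="sha256"):
    """Largest message, in bytes, that one RSA operation can encrypt."""
    k = (modulus_bits + 7) // 8          # modulus length in bytes
    if padding == "pkcs1v15":
        limit = k - 11                   # RFC 8017, section 7.2.1
    elif padding == "oaep":
        limit = k - 2 * HASH_LEN[hash_name] - 2
    else:
        raise ValueError(f"unknown padding: {padding}")
    if limit <= 0:
        raise ValueError("modulus too small for this padding")
    return limit


def serialize(session):
    """Compact JSON encoding, the smallest form the blob can take."""
    return json.dumps(session, separators=(",", ":")).encode("utf-8")


def pairs_until_full(session, new_pairs, modulus_bits, **kw):
    """Add pairs in order; report how many fit before the blob is 'full'."""
    limit = max_plaintext_len(modulus_bits, **kw)
    current = dict(session)
    added = 0
    for key, value in new_pairs:
        candidate = {**current, key: value}
        if len(serialize(candidate)) > limit:
            break                        # one more pair would not encrypt
        current = candidate
        added += 1
    return added, len(serialize(current)), limit


# Constructed sample session; field names and values are illustrative only.
SAMPLE_SESSION = {"uid": 184467, "roles": ["user", "billing"],
                  "issued": 1700000000, "csrf": "9f2c4e7a1b3d5f60"}
SAMPLE_EXTRA = [(f"pref_{i}", "value-%02d" % i) for i in range(40)]

if __name__ == "__main__":
    for bits in (2048, 4096):
        added, size, limit = pairs_until_full(SAMPLE_SESSION, SAMPLE_EXTRA, bits)
        print(f"RSA-{bits} OAEP-SHA256: limit {limit} B, "
              f"{added} extra pairs fit, blob is {size} B")
```

The ceiling is a property of the key size and padding, so no amount of JSON trimming moves it far; only a bigger key or a different design does.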
I agree encryption is hard, but phone encryption protocols are intentionally weak for the wrong reasons. In the past the parameters have been picked low enough that domestic intelligence agencies can purposely hack them, while exporting even worse versions so that foreign adversaries are dead simple to hack. The protocols have changed over time, but this hasn't.
Also, for the examples you cite, it's not clear if those standards bodies were infiltrated by the same agencies implicated above. They very much do run private cover operations and "plant" people or acquire companies that allow them to weaken these protocols or standards.