[AusNOG] Dutton decryption bill
Alan Maher
alanmaher at gmail.com
Mon Sep 3 20:39:19 EST 2018
Regardless of the ins and outs being discussed so far, our "Dear
Leaders" in the 5 eyes alliance were
already meeting to discuss taking it further in the past week or two.
This was a bit hidden as Australia took time out to roll yet another PM,
which was likely convenient
for some of the players.
Never the less, the push is on against encryption by the spooks, and we
need to push back in equal
response to this intrusion.
https://www.stuff.co.nz/technology/106775413/internet-society-fears-five-eyes-could-be-about-to-undermine-the-net
On 3/09/2018 7:47 p.m., Paul Wilkins wrote:
> 3 - Also in this ideal world, this one government agency issuing the
> warrant SSL
> certificates, and collecting warrant data, would have it's DNS DNSSEC
> signed ;)
>
> Kind regards
> Paul Wilkins
>
>
> On Mon, 3 Sep 2018 at 16:56, Paul Wilkins <paulwilkins369 at gmail.com
> <mailto:paulwilkins369 at gmail.com>> wrote:
>
> Point taken that the point of insertion is inband as opposed to
> existing procedures for wire taps.
>
> 1 - Having multiple agencies all requiring access (as the bill
> does) is going to create a multitude of possible targets (m x n)
> to act as vectors. This is clearly a vulnerability. An alternate
> approach would be to have a single government agency with access,
> which would then relay the information to the original agency
> requesting access. Hence content providers would be required to
> allow only 1 VPN from law enforcement to the point of insertion.
>
> 2 - In an ideal world, each warrant request could be accompanied
> by the issue of a specific SSL key. An identifier assigned to the
> warrant could be included in the SSL key as an OID Alternate Name.
> Then any transfer related to that warrant could be protected using
> that specific SSL key. It would then be up to this one law
> enforcement agency to ensure the key remains secure. This agency
> could operate as a CA for all such keys.
>
> Kind regards
>
> Paul Wilkins
>
> On Mon, 3 Sep 2018 at 15:33, Chris Ford
> <chris.ford at inaboxgroup.com.au
> <mailto:chris.ford at inaboxgroup.com.au>> wrote:
>
>
> Paul,
>
> > I think we can envisage that the proposed regime could be
> made to work by issuing content providers
> > with Technical Capability Notices that would require the
> content provider to create asecure channel for
> > access to the clear text, similar to how secure OOB can be
> enabled for remote users. Traditional AAA
> > mechanisms could be used to ensure that access is secure,
> logged and audited to ensure all accesses
> > have been duly authorised.
>
> I agree that this is probably one way it might work, but my
> problem is that the endpoint for this "secure" channel is not
> hidden in the carrier or CSPs network. It needs to be
> accessible by the service provider and LEA, and hence is open
> to the internet. It would only be a matter of time before that
> is exploited.
>
> Chris
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180903/74047f46/attachment.html>
More information about the AusNOG
mailing list