Big Browser and SSL

"Bazzer Bazzer" <bazzer at callnet0800.com>
Fri, 9 Jun 2000 23:10:54 +0100


Hi there.

First posting to the list, so please be gentle with me:).  I will immediately
confess to being less technically educated than most - if not all - people on the
list, so apols in advance.

Anyhow . . . as one understands it RIP in its current form implies that certain
agreed Gov't organisations (e.g. Local Authorities, DETR, etc) should be allowed
access to logs of web site activities without direct (per individual case)
authorisation under the hand of the Home Secretary. Yes?

Am I missing something (most probably!) or is it not relatively easy to use one of
a number of encrypted web browsing services to get round this?  If so, surely the
criminal element that RIP (supposedly) seeks to eke out will simply use these and
overseas SSL mail accounts etc.? And, er, surely the Home Office et al must be
aware of this?  In which case this bit of RIP seems, in practice, only to serve
the purpose of legalising the monitoring of web visiting habits of UK citizens who
are most likely *not* to be engaged in criminal activity and who would otherwise
have little or no interest in encryption-type web browsing facilities if the Gov't
simply dropped the web-tracking element of RIP in its entirety (or at least limit
it to the same safeguards as email interception). Besides, is the Gov't seriously
suggesting that the security services can't quietly hack into an individual's web
log if there is a real and urgent need to do so?  So what we seem to be left with
is that everyone will start to use encrypted web browsing services and SSL email
for reasons of personal privacy and mistrust of RIP legislation and everything
will be back to square one: the security services will be no better off, the
general public will always have in the back of their minds that they are being
spied upon, and businesses which use the Net may as well get a slow boat to who
knows where. What does everyone else think?

While on the subject, could it be possible to drop in a couple of questions re SSL
please:

1.  Is SSL encryption to and from different web addresses a 'static' affair?  Or,
to put it another way, does each connection generate a new/unique encryption
process or is there some sort of common factor (e.g. a common factor could be my
browser as distinct from your browser)?  By "new/unique encryption process" I mean
to say that there is literally no common factor (for example, although each PGP
signature could be described as new/unique, there is still the common factor of
the private key which generated it . . or that's how I understand it).

2. What algorithm does SSL use?

3. I think it has been said that http requests are themselves encrypted during
SSL. I noticed the other day that "Anonymizer" is offering encrypted URL browsing
services but can't figure out what the difference between this is and encrypted
http requests within a SSL?

Hopefully haven't bored everyone to tears.

Best wishes,
Bazzer.