https - hopefully not too stupid a question

Roland Perry lists at internetpolicyagency.com
Sun Jun 17 13:49:13 BST 2012 

In article <CAEWR3kt2dymZYgE+-biZOu+3OKFWnVSh+Lm=vgsWUiuRC4j_HA at mail.gma
il.com>, Francis Davey <fjmd1a at gmail.com> writes
>This is the first question I have initiated on this group, so I hope
>it does not seem to be too foolish a query.
>
>Reading:
>
>http://fsfe.org/news/2012/news-20120616-01.html
>
>I wondered to what extent the government could put a framework in
>place to avoid some of these, in particular the use of https. Could
>the government set things up within the UK so that certificates were
>forged so that they were able to intercept https in transit?
>
>Assume that the Bill gives them the legal power to require anyone in
>the UK to do anything in order to facilitate obtaining comms data
>could they use that power to require someone/anyone to issue
>certificates purporting to be for sites (like facebook)? I am not sure
>how easy it is for a state actor to do this in a way that will affect
>ordinary people.
>
>I'm not interested in whether the technically savvy are able to avoid
>such action - let us stipulate for the sake of argument that they are.

I'd like to ask some possibly stupid questions of my own, partly after
having looked at the fsfe.org site...

fsfe hint #1: Use https
=======================

As it happens, I looked at this site today (because it was alleged there
was something odd about its certificate (I saw nothing untoward, but
what would I know...)

<https://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&&th
ankspage=5>

Isn't it the case that the url is transmitted "in the clear", and thus
the traffic data associated with that access would reveal I looked at
blah/blah/thanks.aspx, although the content of that page would be
encrypted?

Back in the days of RIPA and the "Big Browser", the compromise I
negotiated (with invaluable help and advice from several stalwarts of
this list) was that:

        " includes data identifying a computer file or computer program
        access to which is obtained, or which is run, by means of the
        communication to the extent only that the file or program is
        identified by reference to the apparatus in which it is stored."

Which was the best proxy we could up for "everything up to the first
single forward slash" viz: "https://www.update.microsoft.com

I will tiptoe away from a discussion of whether the cloud which is
undoubtedly serving these requests today is an "apparatus" or not.

My understanding of reading the latest proposals is that rather than
stopping at the first single forward slash, the authorities might ask
for a filter to be set such that for https requests for this specific
site might reveal that the subscriber was looking at:

 https://www.update.microsoft.com/windowsupdate/v6/ <something>

which is not very much more, other than what version of Windows they
were looking for updates of (which might or might not be the version of
Windows they are running).

But it's probably still not "content", and nor has using https hidden
anything.

fsfe hint #4: Encrypt your emails
=================================

If you send a PGP encrypted email the content is more secure, but the
headers (who, where, when) aren't. Given that you need an Interception
Warrant to access the content of emails, why does encrypting them make
you any safer from someone examining the traffic data in the headers?

(I'm aware of arguments that maybe not all of the header is traffic
data, and some parts - like the Subject - might be construed as content,
but using PGP doesn't obscure that potential-content anyway; leaving it
blank would be a better protection.)

fsfe hints #2 & #3
==================

I don't have equivalent comments, but any pointers welcome.
-- 
Roland Perry

More information about the ukcrypto mailing list