Draft IP-Bill enters wrap-up phase
Dave Howe
davehowe.pentesting at gmail.com
Tue Jan 26 10:21:47 GMT 2016
On 24/01/2016 17:56, Roger Hayter wrote:
> I was never important enough to be advised to do such a thing. It
> does seem remarkably simple, but raises more questions. Does it use
> the same SSL libraries as used for encrypted web sites?
Yes, mostly. Generation will use the SSL library of your web browser,
usage the SSL library of your email client. Underlying protocol is the same.
> If Thawte issue a certificate which you then use, does this
> potentially give them a way into your encrypted information or not?
Not - just as Thawte issuing a cert for your webserver doesn't give
them a way to reach that traffic. The private key is generated locally
by your web browser and never leaves your machine.
> And is this the same system the English NHS use for end-to-end
> encryption?
Yes
> It would seem to render NHSnet irrelevant, unless its sole role is
> to prevent you sending encrypted email or secret documents outside
> NHSnet.
No. NHSnet/CfH/whatevertheyarecallingitthisweek isn't actually
encrypted - it's a private internet, with access controls, but any
security has to be layered onto that or traffic will be available to the
BT engineers who maintain and support it. As always, HTTPS & SMTPS can
protect point-to-point links, but S/MIME is recommended to protect data
end-to-end. By default private internets are no more secure than the
public one.
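
The point made in the reply above, that a CA which signs your certificate never holds the private key and so cannot read mail encrypted to it, can be checked with the openssl command line. This is an added example, not part of the original post: it uses openssl instead of a web browser for key generation, a throwaway self-signed "Demo CA" in place of a commercial CA, and constructed names, files and message text.

```shell
#!/bin/sh
# Added demo; every name, subject and file below is constructed for illustration.
smime_ca_demo() {
    d=$(mktemp -d) || return 1
    q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

    # CA side: a self-signed root standing in for a commercial CA.
    q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" || return 1

    # User side: key pair made locally; only user.csr is ever sent to the CA.
    q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$d/user.key" -out "$d/user.csr" || return 1
    if grep -q "PRIVATE KEY" "$d/user.csr"; then leak=yes; else leak=no; fi

    # CA signs the request using only user.csr, ca.crt and ca.key.
    q openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.crt" || return 1

    # A correspondent encrypts a message to the user's certificate.
    printf 'constructed sample message\n' > "$d/msg.txt"
    q openssl smime -encrypt -aes256 -in "$d/msg.txt" -out "$d/msg.p7m" \
        "$d/user.crt" || return 1

    # The CA tries to decrypt with everything it holds (its own cert and key).
    if q openssl smime -decrypt -in "$d/msg.p7m" -recip "$d/ca.crt" \
        -inkey "$d/ca.key" -out "$d/ca.out"; then ca=ok; else ca=fail; fi

    # The user decrypts with the private key that never left the machine.
    if q openssl smime -decrypt -in "$d/msg.p7m" -recip "$d/user.crt" \
        -inkey "$d/user.key" -out "$d/user.out" &&
        grep -q 'constructed sample message' "$d/user.out"
    then user=ok; else user=fail; fi

    rm -rf "$d"
    echo "csr_has_private_key=$leak ca_decrypt=$ca user_decrypt=$user"
}

smime_ca_demo
```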