Perfect Forward Secrecy: Not So Perfect, Not So Forward
James Firth
james2 at jfirth.net
Tue Dec 11 17:38:56 GMT 2012
Ian Batten wrote:
> Communication Data scrutiny report [1], paragraph 92 implies that Google
are
> in a position to retrospectively decrypt SSL sessions.
>
> <snip>
>
> "From a Google Inc perspective, we are very confident about the
security
> of our encryption. If a valid RIPA request comes in or UK law enforcement
goes
> through the MLAT, receives a court order and in turn gets Gmail user data,
we
> will obviously provide that data decrypted. If it was to use a third-party
> provider to gather the encrypted data, I think it very unlikely that
Google
> Inc would provide anyone outside Google Inc with that key.
Sarah Hunter is Google UK's chief policy advisor. She used to be a New
Labour SPAD on culture or somesuch.
I.e. AFAIK she has no background in crypto, or security protocols, etc.
So I wouldn't read anything into this.
Having read some of the transcripts and heard first hand from witnesses and
observers about some knowledge gaps on e.g. how TOR is structured (systems
architecture and business) and SSL (some people believe a "black box" can
read sessions in real time, because such kit is advertised, but don't know
the first thing about certificate chains, fingerprints etc) I'm fairly sure
the whole legislative process is dependent on "I believe so-and-so's view
but I don't have a clue what [s]he's talking about..."
IMO the likes of Sarah Hunter are simply translators in the process. They
get told one thing by Google's capable engineers and translate it into a PR-
and politico-friendly blurb. I'm sure a lot is lost in this translation.
James Firth
More information about the ukcrypto
mailing list