GCHQ has proposal to surveill encrypted messaging and phone calls. The idea is to use weaknesses in the “identity system” to create a surveillance backdoor. This is a bad idea for so many reasons. Thread. 1/ https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate

Quick background: most end-to-end encrypted messaging systems do a great job at encryption. A big weakness in this (and all encryption systems) is key distribution — getting the right keys to encrypt with. 2/

A related problem is call/chat setup. For various reasons, some systems like WhatsApp allow the server to add new users to your group chat. You get a notification, but otherwise that part isn’t end-to-end. 3/

From a security perspective, most researchers recognize these as *flaws* to be repaired. It has been hard to convince actual companies to care about them, b/c they seemed like theoretical concerns. GCHQ’s proposal shows the problem with that approach. 4/

Which finally brings me to the meat of the GCHQ proposal. It’s alarmingly simple. Roughly speaking, they want to add themselves to your conversations and phone calls. 5/

GCHQ defends this approach as “not weakening encryption” but of course that’s a very lawyerly description. In practice they’re absolutely going to weaken encryption *systems*, with unpredictable and unfortunate consequences. 6/

Let’s tackle the obvious problems with this system. First off, right now most chat clients will give you an explicit warning when a new person joins your conversation. Obviously the police can’t have a “Special Agent Bryant joined your chat” message pop up. 7/

So that message will have to be suppressed. In a few systems this can be done by blocking a message at the server side (Apple iMessage in 2015) but generally it isn’t that easy. So you need to change the code running in the client. 8/

How is this updated (and weaker) client app distributed? Do you distribute the modified app to every user? Or push an app update just to your wiretap targets?

If it was the latter, then the problem would already be solved. So most likely, everyone gets the weakened app. 9/

So in the process of creating a “targeted vulnerability” you’ve introduced a global security hole across your entire userbase. No doubt you will try to block exploitation, but history tells us people are great at exploiting vulnerabilities. That’s why we don’t add flaws. 10/

The remarkable thing about this GCHQ proposal is how limited its shelf life is. The reason nobody hardens their key distribution systems against these attacks is because vendors saw them as impractical. By proposing the attack, GCHQ makes it legitimate to worry about. 11/

The thing is, we have a lot of ideas for how to harden key distribution systems. They range from simply allowing third party OSS clients (that can’t easily be backdoored) and can detect key tampering, to deploying systems like Key Transparency. https://github.com/google/keytransparency

This puts everyone into a bind, because the only way GCHQ’s strategy seems like it will work is if they issue Technical Capability Notices to vendors. This has the effect of *forcing* vendors to keep their systems vulnerable against a known weakness, maybe indefinitely. 13/

If this was a Choose Your Own Adventure book, it would have two endings. In one, vendors rapidly patch their identity systems and GCHQ’s capability vanishes in a puff of smoke. In the other, GCHQ takes over the system design of every messaging system in the world. 14/

This has been a long enough thread but I want to make two final points.

1. Vendors like WhatsApp and Apple deserve plenty of blame here too. Everyone with a brain knew they had left a gaping key management hole in their systems, and they had better fix it quick. 15/

2. GCHQ pretends they aren’t attacking encryption. But the truth is that in 2018, safe key distribution and UX — as opposed to, say, cipher design — are the leading-edge problems in our field. If adopted, GCHQ’s proposal has the potential to set us back by a decade. 16/16

Also it kills me that there is a typo in the first tweet of this thread. Damn autocorrect.

You can follow @matthew_d_green.
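
The thread's hardening point, that a client should detect key tampering itself rather than rely on a notification the server or app vendor can suppress, sketched as an added example (not from the thread and not any vendor's client code). `PinnedRoster` and `recipients_for_send` are hypothetical names, the keys are constructed placeholders, and a real client would pin actual public identity keys and ask the user to acknowledge changes.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short comparable fingerprint of a public identity key."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class PinnedRoster:
    """Hypothetical local store of keys the user has already acknowledged."""
    accepted: dict = field(default_factory=dict)  # fingerprint -> name

    def accept(self, name: str, identity_key: bytes) -> None:
        self.accepted[fingerprint(identity_key)] = name

    def unknown(self, server_roster: list) -> list:
        """(name, fingerprint) for each server-supplied key not pinned locally."""
        return [(name, fingerprint(key)) for name, key in server_roster
                if fingerprint(key) not in self.accepted]

def recipients_for_send(pinned: PinnedRoster, server_roster: list) -> list:
    """Fail closed: never encrypt to a key the user has not acknowledged."""
    new_keys = pinned.unknown(server_roster)
    if new_keys:
        raise PermissionError(f"unacknowledged recipient keys: {new_keys}")
    return [key for _, key in server_roster]

# Constructed sample keys (placeholders, not real key material).
ALICE, BOB, EXTRA = b"alice-identity-key", b"bob-identity-key", b"extra-device-key"

def demo() -> list:
    pinned = PinnedRoster()
    pinned.accept("alice", ALICE)
    pinned.accept("bob", BOB)
    # The server later returns a roster with one more key under a known name.
    tampered = [("alice", ALICE), ("bob", BOB), ("bob", EXTRA)]
    return pinned.unknown(tampered)

if __name__ == "__main__":
    print(demo())
```

Because the comparison is on key fingerprints rather than display names, an extra key filed under an existing participant's name is flagged the same way as a new participant.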
