Home // Surveillance & Privacy // Internet Communications

Internet Communications

When using services on the internet, it is a good practice to assure that the service you use has an encrypted communications mechanism. This usually means that a technology called SSL is used (for example : web sites start with HTTPS).

Once you know that SSL is used, the next major concern is how strong are the keys used to encrypt the communication. If you liken encryption keys to real physical keys used on locks, you know that children’s toy hand cuffs tend to have a small plastic key with one single tooth jutting out, or bathroom door knob locks tend to have a push (or turn) mechanism on the inside, and a small hole (paper clip size) on the outside. Picking the plastic hand cuff lock is trivial, and poking a paper clip into the bathroom door handle is even easier. A nice Abloy lock (like I have at home) has a lot more teeth on the key, and is a lot tougher to pick. SSL key length is usually measured in bytes or kilobytes. A 1024 byte (one kilobyte) key was considered adequate a few years ago, though today most services and sites have moved (or are in the process of moving) to 2048 byte (two kilobyte) keys. Some even use 4096 byte (four kilobyte) keys or more. The more bytes in the key, the more difficult it is for someone to decrypt the information that you’re sending through the internet.

Keep in mind that increasing the difficulty to decrypt information doesn’t mean that it can not be done! It just means that it will take longer to do if a brute force mechanism is used. Brute forcing a key means trying all the possible combinations. If you have a key of ten possible combinations, brute forcing it will be very fast. A key of billions of combinations will take much longer. To put this into a reference time that is easier to understand, crasking a relatively strong key on your personal computer might take a few years. Cracking that same key in a warehouse full of racks of servers dedicated to the sole purpose of cracking keys might take a few minutes. The cost of setting up such a warehouse of servers could be in the millions (or tens of millions), so not many people will have access to such outside government or large enterprise with an interesting exception: people who control a large botnet and have set it up for distributed computing. In this case, a (bad) person may have control of thousands (if not tens of thousands or hundreds of thousands) of personal computers by using malware (viruses and the like), and can use their processing power all together to achieve a goal (such as cracking a particular key). This is also not something that is likely to be used for stealing your personal information, as there are much more valuable targets than your personal computer.

All this talk of key strength and encryption becomes moot if someone has acces to the key from the server that is storing your information. Not long ago, there was a story of a large secure email service provider who had to turn their encryption key over to an agency. As soon as the agency had a copy of their key, the agency would have been able to decrypt and read all the communications of everyone who used the service. Passwords would have been read in real time (immediately upon their use), and any messages, documents, or other information would be – for all intents and purposes unencrypted and copied by the surveillor. Rather than allow the agency to access all the information flowing through the encrypted SSL communication, the company decided to terminate their service.

This is an excellent example to use for discussions of perspective. If the service was used by terrorists, kidnappers, or some other people who were doing very bad things, it makes sense to turn their information over to law enforcement. Ask yourself where should the line be drawn between handing over information about known issues, and allowing an agency to record all data for faster future searches if they know that there is something bad happening or about to happen. There is no one correct answer, and unfortunately there are a lot of people who are evangelizing their opinions without acknowledging and considering all of the facts and perspectives. I’m sure in many cases both sides are wrong.