does encryption really work?

davey72

The Living Force
I apologize for my ignorance on the subject, as I think I have seen it discussed before, but I am curious if people are still using https and if it makes a difference anymore.
-- https://freedom.press/encryption-works
 
Hey davey72,

You're right about the recent discussion: Why HTTPS and SSL are not as secure as you think which started as a result of a SOTT article by Mr.Scott.

Personally, I never bother much about encryption except for on-line banking and such, but I always check for its availability elsewhere too to be on the 'safe' side. More an ingrained habit than anything else, though. ;)
 
I don't believe anything on the internet (encrypted or not) is really private. I recently read that if you do encrypt or use TOR servers, that it just puts a red flag on you, meaning 'they' will look to see what you may have to hide. I dunno much about it all, but my friend who does know computers says nothing is private.

Perhaps to do online banking, https is safer, but it probably only protects against small fry hackers, and if the big boys want to know, they will find out. OSIT.
 
One way to look at it is using analogy. Do locks really work? Locks may not protect against a sophisticated burglar with a master key or against a determined burglar with a battering ram. But locks do deter the average lazy burglar. So it makes sense to use them while being aware of their limitations.
 
As far as on-line banking is concerned, I forgot to mention that in The Netherlands (where I live) most banking corporations, and certainly the major ones, have changed their terms and conditions this year to the effect that their customers now have the contractual obligation to do all that's possible within existing current technology to safeguard, from their part, each and every on-line transaction in which their bank might be involved either directly or indirectly (as third party, middle man, guarantor, insurer, or whatever), and that the customer needs to demonstrate and prove convincingly, whenever something goes wrong, that he/she/it effectively did everything within their grasp and possibilities to prevent any mishap or calamity occurring.

So, using any available encryption and/or freely provided apps and devices while doing on-line banking and such is now mandatory, especially when you want to get your money back in case it was stolen or defrauded any other way.
 
For IT savvies I highly recommend these videos of Moxie Marlinspike's DEFCON talks on SSL weaknesses:
https://www.youtube.com/watch?v=ibF36Yyeehw
https://www.youtube.com/watch?v=pDmj_xe7EIQ
https://www.youtube.com/watch?v=sIidzPntdCM
 
HTTPS is still definitely more secure than HTTP. At least then people have to work harder to steal your data while in transit, or modify the data you send/receive. Is it better to lock your bike up even though someone could cut the lock?

The question is really, is encryption better than no encryption? The answer is pretty much yes. Since any type of security takes more effort than no security, that needs to be factored in. So forcing people to use SSL to view your blog about the best ways to render lard makes no sense. But for any connection that handles private data, or allows changes to private systems, encryption should be used. Encrypting your hard drive is probably overkill, but if you store usernames, passwords, and account info, that should definitely be encrypted.

Most of the issues surrounding encryption have to do with the implementation of it, or the supporting protocols. Not the cipher algorithms themselves that render your data unreadable. There are a few notable exceptions like DES and WEP of course. But modern encryption protocols (cipher algorithms) themselves are generally pretty sound. If they weren't then:

  • Why does the US have such serious export restrictions surrounding cryptography to nations like Iraq, Cuba, Sudan, etc? A few other countries have similar restrictions. Even France for a long time had pretty serious limitations not just on exporting, but usage as well inside the country.
  • Why did the founder of PGP get harassed by the US government for releasing his crypto software?
  • Why does the US government (FIPS) and compliance standards (PCI/HIPAA) concerned with safe-guarding data require strong cryptography?

Because the underlying ciphers work very well. And generally, a given cryptographic system like SSL works pretty well too. I think the biggest issue is people's ignorance of the limitations, and unreasonable expectations. People don't expect that just because they lock their car it can't be stolen, but they seem to expect that just because their computer doesn't pop up a warning saying something is unsafe, it must be. To go off on a tangent, it's that same misplaced trust and ignorance that leads to most virus infections - people opening attachments that are obviously fakes or downloading software from sites they have never heard of.
 
On a related note, SSL is now defunct. Your browser should be using TLS. The vulnerability is called POODLE.

In Internet Explorer: Internet options > Advanced, only check the TLS items. IE9 only does TLS 1.0. In Firefox's address bar type about:config and change security.tls.version.min to 1. Check all browsers here, also check mobile browsers:

https://www.howsmyssl.com/
https://www.poodletest.com/

Haven’t used this, but it will check a site to see if it runs SSL3:
https://www.ssllabs.com/ssltest/
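A small check for the Firefox setting mentioned above, added here as an example and not part of any post in the thread: it parses prefs.js/user.js lines and reports whether security.tls.version.min is pinned high enough to refuse SSL 3.0. The value-to-protocol mapping is Mozilla's (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3); the sample prefs are constructed.

```python
import re

# Mozilla's security.tls.version.min values:
# 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3
TLS_MIN_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Matches lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js style lines into a dict of pref name -> raw value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def check_tls_min(prefs, required=1):
    """Return (ok, message). ok is True when the pinned minimum protocol is at
    least `required` (1 = TLS 1.0, the value the post recommends, so SSL 3.0
    can no longer be negotiated)."""
    raw = prefs.get("security.tls.version.min")
    if raw is None:
        return False, "security.tls.version.min not pinned; browser default applies"
    try:
        value = int(raw)
    except ValueError:
        return False, f"unparseable value {raw!r}"
    name = TLS_MIN_NAMES.get(value, f"unknown ({value})")
    if value >= required:
        return True, f"minimum protocol is {name}"
    return False, f"minimum protocol is {name}; SSL 3.0 is still negotiable"


# Constructed sample prefs.js excerpt (not from a real profile); the weak
# setting 0 leaves SSL 3.0 enabled and should be flagged.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
"""

if __name__ == "__main__":
    print(check_tls_min(parse_prefs(SAMPLE_PREFS)))
```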
 
Lilou said:
I don't believe anything on the internet (encrypted or not) is really private. I recently read that if you do encrypt or use TOR servers, that it just puts a red flag on you, meaning 'they' will look to see what you may have to hide. I dunno much about it all, but my friend who does know computers says nothing is private.

Perhaps to do online banking, https is safer, but it probably only protects against small fry hackers, and if the big boys want to know, they will find out. OSIT.
This is sort of where my thinking leads me. Probably a good idea for online banking but what about the government spying. Would this be a reason for them to delve into your history a little more. Seems to me it would be right alongside the keywords they look for in conversations.
 
ignis.intimus said:
HTTPS is still definitely more secure than HTTP. At least then people have to work harder to steal your data while in transit, or modify the data you send/receive. Is it better to lock your bike up even though someone could cut the lock?

The question is really, is encryption better than no encryption? The answer is pretty much yes. Since any type of security takes more effort than no security, that needs to be factored in. So forcing people to use SSL to view your blog about the best ways to render lard makes no sense. But for any connection that handles private data, or allows changes to private systems, encryption should be used. Encrypting your hard drive is probably overkill, but if you store usernames, passwords, and account info, that should definitely be encrypted.

Most of the issues surrounding encryption have to do with the implementation of it, or the supporting protocols. Not the cipher algorithms themselves that render your data unreadable. There are a few notable exceptions like DES and WEP of course. But modern encryption protocols (cipher algorithms) themselves are generally pretty sound. If they weren't then:

  • Why does the US have such serious export restrictions surrounding cryptography to nations like Iraq, Cuba, Sudan, etc? A few other countries have similar restrictions. Even France for a long time had pretty serious limitations not just on exporting, but usage as well inside the country.
  • Why did the founder of PGP get harassed by the US government for releasing his crypto software?
  • Why does the US government (FIPS) and compliance standards (PCI/HIPAA) concerned with safe-guarding data require strong cryptography?

Because the underlying ciphers work very well. And generally, a given cryptographic system like SSL works pretty well too. I think the biggest issue is people's ignorance of the limitations, and unreasonable expectations. People don't expect that just because they lock their car it can't be stolen, but they seem to expect that just because their computer doesn't pop up a warning saying something is unsafe, it must be. To go off on a tangent, it's that same misplaced trust and ignorance that leads to most virus infections - people opening attachments that are obviously fakes or downloading software from sites they have never heard of.

I was watching the documentary Citizenfour, about Edward Snowden, by Laura Poitras and Glenn Greenwald. If I remember correctly, Snowden was saying that the NSA could crack 10-digit password encryption in about two days. That's a-z, 0-9, 26+26 for uppercase +10, that's 62 characters, or 10^62 unique character combinations, in two days!!! Can you imagine the hardware and systems they have? Boggles the mind :scared:

Forgot to post link to documentary.
http://www.imdb.com/title/tt4044364/?ref_=fn_al_tt_1
 