A Zombie From the 90s Makes the Case For Demanding Strong Encryption

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.


Companies like Apple and Google have announced recently that they will start providing their customers with encryption that even Apple and Google don’t have the keys for. This means that even if law enforcement officers get a subpoena for data held by the companies, it won’t do any good. They couldn’t turn over decrypted data even if they wanted to.

This has led to calls from the FBI and elsewhere to provide “backdoors” of some kind for use by law enforcement. This would be a kind of master key available only under court order. But security experts argue that this makes encryption fundamentally useless. If you deliberately build in a weakness, you simply can never guarantee that it won’t be exploited by hackers. Encryption is either secure or it’s not, full stop.

Over at The Switch, Craig Timberg provides an interesting recent example of this. Back in the 90s, we were fighting this same fight, and one temporary result was the government’s mandate that only a weak form of encryption could be exported outside the U.S. This mandate didn’t last long, but it lasted long enough to get incorporated into quite a few products. Still, that was 20 years ago. What harm could it be doing today?

The weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.

….The existence of the problem with export-grade encryption amazed the researchers, who have dubbed the flaw “FREAK” for Factoring attack on RSA-EXPORT Keys….Nadia Heninger, a University of Pennsylvania cryptographer, said, “This is basically a zombie from the ‘90s… I don’t think anybody really realized anybody was still supporting these export suites.”

For vulnerable sites, Heninger found that she could crack the export-grade encryption key in about seven hours, using computers on Amazon Web services….More than one third of encrypted Web sites — including those bearing the “lock” icon that signifies a connection secured by SSL technology — proved vulnerable to attack in recent tests conducted by University of Michigan researchers J. Alex Halderman and Zakir Durumeric. The list includes news organizations, retailers and financial services sites such as americanexpress.com. Of the 14 million Web sites worldwide that offer encryption, more than 5 million remained vulnerable as of Tuesday morning, Halderman said.

This is an object lesson in deliberately building vulnerabilities into encryption technology. Maybe you think you’ve done it perfectly. Maybe you think nobody but the proper authorities can ever exploit the vulnerability. But the chances are good that you’re wrong. In the case of FREAK, we were wrong for nearly 20 years before we figured out what was going on. There’s no telling how long we might be wrong if we deliberately do this again.

THE TRUTH IS...

what drives Mother Jones' team of 50-plus journalists. The truth is powerful, as evidenced by how hard those with something to hide, or profit to gain, seek to discredit it. The truth, stated boldly and reported meticulously, is what draws so many readers to Mother Jones.

And the truth is, going into the final 4 days of the year we still needed to raise $TK to hit our $350,000 goal and start 2021 on track. It's nerve-wracking, wondering if the big spike we normally see at the end of December is going to be another thing that doesn't go as planned in 2020, or worse, if, now that Donald Trump is set to leave the White House (for longer than a taxpayer-funded golf trip to a property he owns), folks might be pulling back from fighting for the truth and a democracy and think the hard work is done.

It's not, and if you can right now, please consider a year-end donation to support our team's fearless nonprofit journalism so we can close that big fundraising gap and finish the year strong, ready for all that's ahead in 2021. Whether you can give $5 or $500, it all matters in keeping us charging hard, and we'd be grateful.

payment methods

THE TRUTH IS...

what drives Mother Jones' team of 50-plus journalists. The truth is powerful, as evidenced by how hard those with something to hide, or profit to gain, seek to discredit it. The truth, stated boldly and reported meticulously, is what draws so many readers to Mother Jones.

And the truth is, going into the final 4 days of the year we still needed to raise $TK to hit our $350,000 goal and start 2021 on track. It's nerve-wracking, wondering if the big spike we normally see at the end of December is going to be another thing that doesn't go as planned in 2020, or worse, if, now that Donald Trump is set to leave the White House (for longer than a taxpayer-funded golf trip to a property he owns), folks might be pulling back from fighting for the truth and a democracy and think the hard work is done.

It's not, and if you can right now, please consider a year-end donation to support our team's fearless nonprofit journalism so we can close that big fundraising gap and finish the year strong, ready for all that's ahead in 2021. Whether you can give $5 or $500, it all matters in keeping us charging hard, and we'd be grateful.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate