Following the news of Amber Rudd’s call for WhatsApp messages to be made available to the security services, IT security experts from Avast, CipherCloud, DomainTools, AlienVault, Tenable Network Security, Tripwire, Comparitech.com and FireMon commented below.
Tony Anscombe, Ambassador and Senior Security Evangelist at Avast:
“We understand why governments want to be able to access the content in these messages but, unfortunately, banning encryption in order to get to the communications of a select few opens the door to the communications of many, and renders us all less secure and our lives less private.
“If you build a back door, it’s there for everybody to access. And if you store that data you collect, even in encrypted form, how secure is it? All these data breaches we hear about show our privacy is regularly being breached by hackers, so the action suggested by the Home Secretary would only open us all up to further invasions of privacy.
“A lot of these terrorist organisations are already well resourced. It would be naïve of us to think that by removing the public methods of encryption which we use to protect our identity, our freedom of speech and to keep us safe from persecution, those terrorist organisations will not develop alternative methods to encrypt their communications. If this were to happen, we’d only be pushing these people further underground, presenting a greater challenge to security intelligence services.”
David Berman, Director of Cloud Security at CipherCloud:
“As we have seen with past terrorist incidents in Paris and Brussels, in the wake of the attack in London the debate over security and privacy has been ignited again, this time between UK government officials. The predictable clash between intelligence gathering and civil liberties is once again on display. Each time the topic of government access to ‘end-to-end’ encryption is raised it is worth reviewing some of the reasons why backdoors that dilute encryption strength are an ineffective response:
– Encryption is less of a technology and more of a concept or idea. Ideas are hard to control. Bad and good actors have used encryption over the course of history to communicate securely. Governments and businesses need to keep secrets too. Encryption is a highly effective way to protect legitimate rights and interests.
– Controlling encryption is equivalent to controlling math. Modern encryption schemes (such as AES-256) are publicly available and can be implemented with skills of a college-level math major. If providers of secure messaging in western countries are forced to install backdoors, then bad actors will get their secure apps from regions where UK and US government enforcement do not reach. Preventing clever people anywhere in the world from applying readily available encryption or developing their own encryption schemes is impossible.
– Legitimate users will be hurt if government demands backdoors. If there are any backdoors to data protection, it is inevitable that hackers will steal and exploit them. The very existence of government backdoors would undermine the confidence in security from firms in western countries. Other countries will quickly fill the gap. Encryption plays a critical role in online privacy, ecommerce and the cloud. Undermining the trust in personal data protection will hurt businesses and users alike.
We live in scary times and should never underestimate the challenges we all face in deterring terror. But latching onto simplistic solutions that will not work does not make us safer. In fact, if we undermine the effectiveness of our critical digital security mechanisms and damage an important industry, we will be handing the terrorists a victory. For these and many other reasons, this idea simply won’t work and will have no impact on those seeking to commit acts of terror.”
Kyle Wilhoit, Senior Security Researcher at DomainTools:
“The idea of having a perfect end-to-end encryption solution with backdoors embedded only for police sounds great, in theory. However, in practice, it’s not possible. If a backdoor is embedded into an application or service, it’s present for anyone to find and use. The only difference between police and criminals at that point is awareness of the backdoor and intent.
The ultimate victims are the end user and the organization required to comply with embedding vulnerabilities to allow for backdoors. Having embedded vulnerabilities leaves the end user vulnerable to criminals who leverage the backdoor that the organization willingly put into place. You can’t necessarily control who finds or uses this vulnerability once the application is distributed and used.”
Javvad Malik, Security Advocate at AlienVault:
“Today, as we stand with technology and encryption deployment, backdoors simply aren’t possible. It’s an all or nothing approach. If backdoors are built in, then they could be exploited by anyone, not just authorised bodies.”
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“As the computational power, complexity and value of these devices increases, the probability they’ll be targeted by cyber criminals to monetize security flaws will also rise. Smartphones are a particular weak spot, with cherished photos being stored and rarely backed up.
“As with traditional IT equipment, it’s important connected devices are kept up to date, applying fixes the vendors release in a timely manner.”
David Meltzer, Chief Technology Officer at Tripwire:
“You can have true end-to-end encryption that nobody but the participants can read, or you can have a system where a central authority can decrypt any message they want. It doesn’t make any sense to suggest that you can have both. It is either one or the other. It is a reasonable policy position to believe you should have a government backdoor in messaging systems, but this always worries security experts because that same backdoor you create for the government inevitably creates the potential for misuse, abuse, and being exploited by others.”
Lee Munson, Security Researcher at Comparitech.com:
“Westminster gets tough on terrorists. MPs clampdown on encrypted communications. Amber Rudd foils imminent attack while chatting on WhatsApp.
“Great headlines the lot of them, especially for politicians who like to curry favour with the electorate by pandering to, well, anything of note really.
“In this case, however, we find the Home Secretary seriously out of her depth with her suggestion that a back door should be placed in all encrypted messaging services, a claim made all the more laughable by her assertion that this could be accomplished with hashtags. Perhaps she intends to tweet #no_more_encryption and then sit back and watch the magic happen?
“Her crazy idea that a system could feature end-to-end encryption and a back door at the same time (which means it’s no longer end-to-end and is available to anyone, good or bad, who can find said backdoor) is almost as baffling as the notion that terrorists would then continue using that service regardless.
“Everyone knows that once one service is known to be broken, the bad guys will simply move onto the next. In the meantime, it is ordinary, law-abiding citizens who will be wondering whether their current government, or the next, or the one after that, is spying on their mundane but no less privacy-deserving lives.
“Equally, businesses will get the jitters too, wondering whether Amber Rudd wishes to weaken their ability to communicate with clients in other, less paranoid, countries, or unravel all the hard work and funds they have invested into the secure web payments they offer their customers.”
Paul Calatayud, CTO at FireMon:
“Encryption is a topic I am well familiar with, having spent 8 years in the military supporting encryption services and as a CISO. Much debate on this topic arose in the past with the Apple vs. FBI case, in which the FBI requested backdoors.
“The problem with backdoors is they are essentially a request for access to applications or systems using alternative means than the front door. Many companies spent a lot of time protecting the front doors of their products. Backdoors by design allow those with keys access, but like the analogy, it also means attackers can attempt to penetrate and hack these backdoor systems. In essence, backdoors compromise the security of the products, allowing for potential broad exploitation to occur. Those with keys can also lose their keys. Who in the government would be responsible for protecting the keys to these back doors? What if I attack those with these keys? Or more commonly, what if a contractor working for a government decides to steal these keys and perhaps flee to Russia? Sounds familiar to other events that have occurred.
“Let’s turn our attention to WhatsApp. Yes, this communication application has built-in security enabling end-to-end encryption. If the bad guys feel that this application has been compromised by government officials and backdoors become available, this leads to a simple response by the bad guys: use a different application. WhatsApp is a third party application on a mobile device. Nothing prevents the bad guys from moving to a lesser known third party application. Plus, anyone that is looking to compete with WhatsApp may see this new backdoor feature as an opportunity to compete, promoting the lack of a backdoor in their product as a true ‘for the people’ product.
“Backdoors can have a negative financial impact to those companies providing these security type products.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.