Slashdot Mirror

← Back to Stories (view on slashdot.org)

SSL Encryption Coming To The Pirate Bay

Posted by Soulskill on from the privacy-arms-race dept.

An anonymous reader writes "The Pirate Bay, in response to Sweden's new wiretapping law, will start offering SSL encryption to its user base this week. Although copyright issues really have little to do with national security, The Pirate Bay knows its population is uneasy with the recent legal change. The encryption will mostly benefit Swedish users living under the current law. Since The Pirate Bay and its servers are not hosted in Sweden, the additional security offered to outside users could be comparatively minimal."

8 of 267 comments (clear)

  1. speed by youthoftoday · · Score: 3, Interesting

    Won't that slow things down quite a lot?

    --
    -1 not first post
    1. Re:speed by mOdQuArK! · · Score: 3, Interesting

      Let's see:

      1) people who think they deserve special laws so they can extort more money out of people than they would otherwise be able to get in a normal "free" market, vs.

      2) people who think they should be able to use their own physical private property that they've bought & paid for without third party restrictions being forced on them.

      Who exactly is being "greedier"? Since when do people "deserve" to be paid a lot of money just because they did a lot of hard work?

    2. Re:speed by mollymoo · · Score: 3, Interesting

      A night in the cells and some community service (in the UK) is as close as I've been to prison. Community service usually means spending a fair amount of time with people with first-hand experience of prison. Anyway, your question is a false dichotomy - there is a whole spectrum between direct experience and mere assumptions. First-hand experience isn't required to gain knowledge about things. Conditions in prisons are reported in newspapers, on the news and in documentaries. Books and academic journals too, though I've never had the urge to delve quite that deeply into this subject.

      --
      Chernobyl 'not a wildlife haven' - BBC News
  2. Re:A broader lesson by GIL_Dude · · Score: 5, Interesting

    I agree with you here.
    I think it will be an escalation though between the people who want to know what everyone is doing and those of us who want privacy. For example, if we encrypt everything - how long will it take these same wiretapping morons to pass more laws requiring that sites make the decryption key available for all "official agencies" or some such?

  3. Re:Circumventing the law by endemoniada · · Score: 5, Interesting

    The law says that the government has the right to listen, nowhere does it demand that everyone speaks loud enough to be heard. We still have every right to encrypt everything we want, and newspapers/tabloids here in Sweden have already been running articles like "5 ways to not get wiretapped" and guides on encryption techniques.

    --
    Blog -
  4. Re:A broader lesson by NormalVisual · · Score: 3, Interesting

    Quite a while, I'd hope - pretty much all of the court cases that I've read about that touched on the subject ended up treating it as a Fifth Amendment situation, with the end result being that you can't be forced to divulge the passphrases to your keys. I don't know whether any of those cases form precident though.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
  5. Re:A broader lesson by jc42 · · Score: 5, Interesting

    ... as I understand it security was outside of the scope of networking technology when it was first created. ARPANET was created in order to facilitate information sharing, and it started out quite small. Encryption at that point would've been counterproductive. ...

    Well, yes and no. Note that the ARPAnet project was funded by the US Dept of Defense. There were security experts around from the beginning. But it was well understood back in the 1960s that building the security into the low-level networking code was a bad engineering design. Everyone involved pretty much understood that you got (data) security by end-to-end encryption, and doing encryption at any level below the user app was simply a waste of cpu cycles. So the network-level design goal was reliable transport on unreliable ("battlefield") hardware. The design meant that the people working on the network layer could concentrate without distraction on the job of getting the bits reproduced accurately at the other end.

    The primary argument against low-level encryption has always been the same: The two endpoints have no reliable knowledge of or control over most of the data path. The history of encryption is full of stories about someone cracking someone else's encryption and reading their messages for a long time before they were found out. We must assume this can happen with any encryption scheme. This means that if a low-level link in the middle of a data path is decrypted (or even intercepted), the endpoints generally have no way of knowing it has happened, and also have no way of changing that link's encryption scheme. Low-level encnryption is thus only usable if you control every piece of hardware in the data path. This requirement would totally eliminate the wide-area networking that ARPA was trying to achieve. So if the ARPAnet was to meet its design goals, encryption of low-level data links was a pointless waste of cpu time.

    End-to-end encryption at the application layer, however, is totally under the control of the endpoints. It can be changed at any time, for any reason. It eliminates dependence on the security of the low-level links that aren't controlled by the entpoints.

    And there's a reasonable argument that end-to-end encryption increases security: It means that the data packets can be scattered across many different data paths, making it difficult for anyone to intercept all of the packets for a given conversation. Previous secure communication required tight control of the data path, and usually meant that there was a single data path for a given conversation. This is easy to intercept and either block or subvert, giving a copy of the conversation to an enemy. But if your packets are sprayed across all the available paths, interception and packet collection become nearly impossible.

    This is, of course, a very loose, off-the-cuff summary. But it's easy enough to find the early ARPAnet docs in various Internet archives, where you can easily spent far too much time learning about the subject.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  6. Re:A broader lesson by devman · · Score: 5, Interesting

    I disagree, email clients have native support for S/MIME and signed PKI certificates. Conversely, most clients do not have native support for PGP, though you can get it through plug-ins (Thunderbird).

    Certainly you can get a email signing cert from Verisign by paying for it (It's very inexpensive and integrates well with most email clients). You can also generate your own key pair and get it signed by Thawte (so long as you complete there "Web of Trust" requirements), if you are worried Verisign might keep a copy of your private key (they don't).

    The problem with the whole system is that while only you need a PKI cert to sign an email (recipients client will auto verify it), but in order to encrypt an email your recipient must have a PKI cert and you must have there public key. That means both parties must care enough to encrypt email. This is where the envelope analogy breaks down, because to receive a sealed envelope in the mail I don't have to do anything.