SSL Encryption Coming To The Pirate Bay

← Back to Stories (view on slashdot.org)

SSL Encryption Coming To The Pirate Bay

Posted by Soulskill on Sunday June 22, 2008 @03:20AM from the privacy-arms-race dept.

An anonymous reader writes "The Pirate Bay, in response to Sweden's new wiretapping law, will start offering SSL encryption to its user base this week. Although copyright issues really have little to do with national security, The Pirate Bay knows its population is uneasy with the recent legal change. The encryption will mostly benefit Swedish users living under the current law. Since The Pirate Bay and its servers are not hosted in Sweden, the additional security offered to outside users could be comparatively minimal."

46 of 267 comments (clear)

speed by youthoftoday · 2008-06-22 03:21 · Score: 3, Interesting

Won't that slow things down quite a lot?

--
-1 not first post
1. Re:speed by Anonymous Coward · 2008-06-22 03:25 · Score: 4, Funny
  
  Won't that slow things down quite a lot?
  
  Better slow downloads than meeting your new Swedish boyfriend in jail.
2. Re:speed by Anonymous Coward · 2008-06-22 03:33 · Score: 5, Funny
  
  Hmm... A Swedish jail boyfriend.
  A List? Lets.
  Pros:
  Funny Accent? Check
  Athletic? Check
  Likes Wooden Shoes? Check
  Digs Meatballs? Check
  Cons:
  Makes you scream in a funny accent? Check
  Athletic (in all the wrong places)? Check
  Likes pain and Abuse? Check
  Digs _your_ Meatballs? Check
  It's a hard call.
3. Re:speed by ozamosi · 2008-06-22 03:34 · Score: 5, Informative
  
  The actual file transfers are peer-to-peer, so they won't be effected (also, they're usually encrypted already, to avoid bandwidth throttling). This is for accessing the website and/or for contacting the tracker.
  Web pages have been using SSL for years without being especially slow.
  Contacting a tracker is a lightweight request that is being performed once every 30 minutes or so - if it was a few seconds slower, nobody'd notice anyway.
4. Re:speed by Zero__Kelvin · 2008-06-22 03:36 · Score: 3, Informative
  
  Most likely not, and it depends ...
  
  On the server side, presumably the bottleneck is the network connection or the storage medium access times, and not the CPU of the server. The network overhead to an SSL connection is minimal, to the point where it is negligible. The access times to the storage medium will not change to any measurable degree. The only way this will slow downloads considerably would be if the CPU was already at or close to 100% utilization, or if it is pushed "beyond 100%" utilization (i.e. the bottleneck becomes the CPU) due to the need to calculate SSL certificates, etc. Since The Pirate Bay is doing this in a planned and intentional way, they have almost certainly thought of this and will likely add processing power if need be on the server end.
  
  From the client side, YMMV, but the above holds true in general. If you are downloading and doing CPU intensive things in parallel, then yes, things will slow down considerably.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
5. Re:speed by duguk · 2008-06-22 03:37 · Score: 5, Funny
  
  (Yes yes, I know, everyone wants their cake and wants to it too.)
  Of course I want my cake and want it too.
  
  Its when you eat your cake and still want it you've got problems.
6. Re:speed by SirLurksAlot · 2008-06-22 03:39 · Score: 4, Funny
  
  You know the worst part? I actually took the time to "proofread" my post before making it too :-P Stupid word-skipping brain.
  
  --
  God, schmod. I want my monkey man!
7. Re:speed by youthoftoday · 2008-06-22 03:43 · Score: 5, Funny
  
  There's your answer! The fruit of your speed trade-off!
  
  --
  -1 not first post
8. Re:speed by Anonymous Coward · 2008-06-22 03:46 · Score: 4, Informative
  
  Won't that slow things down quite a lot? We're talking 20KB files here. The encryption will only affect the tracker search portal and the torrent file serving. I'd rather have an encrypted site that takes a couple of ms more to respond than something fast that spews out visible data left and right. All the data transfer is run by the peers and there encryption depends on the individual client settings (and many people already use full stream encryption w/o any slowdown). So "not really" would be an appropriate answer to your question.
9. Re:speed by Bandman · 2008-06-22 03:49 · Score: 4, Informative
  
  There are really a lot of hardware solutions to speeding up SSL.
  The real issue is that, typically speaking, the server which is responsible for the server-side processing is also responsible for encrypting the stream.
  By putting a hardware or software solution in front of the client-access machine, you offload encryption to that host, leaving the application server free to concentrate on serving applications.
  This can also be useful for debugging sessions, as you (the provider) have an unencrypted stream to examine.
  Securing that stream between the application and the encryption device becomes of paramount importance, in that case.
  
  --
  Check out my sysadmin blog!
10. Re:speed by thermian · 2008-06-22 03:51 · Score: 4, Informative
  
  Um, no, this change has nothing to do with torrent swarms, so downloading of the files referenced inside a torrent would be unaffected.
  
  --
  A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
11. Re:speed by just_a_monkey · 2008-06-22 04:16 · Score: 5, Informative
  
  There are pros and cons to living in Sweden. This law is a big con. So are the taxes, and the regulations. A penal system which is not based on homosexual rape is a pro, though.
  
  --
  How inappropriate to call this planet Earth, when clearly it is Ocean.
12. Re:speed by JamesTRexx · 2008-06-22 04:25 · Score: 3, Funny
  
  Its when you eat your cake and still want it you've got problems.
  
  And don't look at me for sympathy because everyone knows the cake is a lie.
  
  --
  home
13. Re:speed by igibo · 2008-06-22 04:26 · Score: 5, Funny
  
  A penal system which is not based on homosexual rape is a pro, though. Speak for yourself.
14. Re:speed by orzetto · 2008-06-22 05:01 · Score: 4, Informative
  
  In Scandinavia, there are no "federal pound-in-the-ass" prisons. The prisons are top-notch, just google around: here is a couple of articles.
  
  --
  Victims of 9/11: <3000. Traffic in the US: >30,000/y
15. Re:speed by Haeleth · 2008-06-22 05:08 · Score: 3, Insightful
  
  Better slow downloads than meeting your new Swedish boyfriend in jail.
  
  Even better, how about paying for your movies, games, and music? That way you can download them as fast as you like, and the government won't try to put you in jail even if they spy on you doing it!
  I realise this is Slashdot, where "not getting busted for copyright infringement" is apparently categorised as a "right", so I'm probably about to be modded into oblivion -- but hey, that's life, isn't it?
16. Re:speed by Maxo-Texas · 2008-06-22 05:18 · Score: 5, Insightful
  
  I agree with your general point and agree that recent material that is still in print should be either paid for or ignored.
  That being said, I torrent.
  I use it for
  1) Movies that I can't buy if I want to.
  2) Comics that I grew up with and can't buy if I want to.
  3) Anime that isn't for sale in the U.S. (This has lead to be buying anime when it does become available- like Stand Alone Complex)
  And I do draw the line 28 years (the original terms before our governments sold out to disney and other companies and sold away the public domain to them). And I could get fined or go to jail for that activity. I keep that in mind, so I use peer guardian and other techniques to keep a low profile. But mainly, I stay away from new hot shit. Mostly, new hot movies you can buy for $5-$7.50 within 18 months of them coming out. Why risk prison/ fines to see a movie 18 months early? And more importantly, creators do deserve *some* compensation for creating.
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
17. Re:speed by WeblionX · 2008-06-22 05:22 · Score: 5, Insightful
  
  Wait, so I can now buy HD movies online and download them as fast as my connection allows legally? I thought I had to drop a wad of cash on a new disc drive then had to either go out and buy or wait for it to ship to get the movie, then I had no option to put it on my computer (legally). This is all news to me.
  
  --
  (\(\ (=_=) Bani! (")")
18. Re:speed by Anonymous Coward · 2008-06-22 05:30 · Score: 4, Insightful
  
  Oh, I'll pay, when they offer me what I want to buy, not what they want me to buy.
  I certainly don't want to pay for drm, which I can't play in Linux without having to circumvent their stupid restrictions.
19. Re:speed by BrentH · 2008-06-22 05:35 · Score: 3, Informative
  
  I daresay such prisons don't exist in all of non Anglo-Saxon West.
20. Re:speed by Anonymous Coward · 2008-06-22 07:46 · Score: 5, Insightful
  
  ...creators do deserve *some* compensation for creating.
  Which is EXACTLY the point. They're product isn't *worth* anything if it isn't scarce. With digital medium nothing is scarce making it worth whatever the public is willing to pay - simple economics. What pisses me off is that media companies are allowed to force artificial scarcity. I have no sympathy and don't believe hiding their greedy little faces behind corrupt bureaucrats should be tolerated by the general public.
21. Re:speed by mollymoo · 2008-06-22 08:14 · Score: 3, Insightful
  
  Don't lump the rest of us Anglos-Saxons in with the Americans. UK prisons may not the most pleasant in the West (though they are currently overcrowded), but they're a damn sight more civilised than those in the USA.
  
  --
  Chernobyl 'not a wildlife haven' - BBC News
22. Re:speed by mOdQuArK! · 2008-06-22 08:42 · Score: 3, Interesting
  
  Let's see:
  1) people who think they deserve special laws so they can extort more money out of people than they would otherwise be able to get in a normal "free" market, vs.
  2) people who think they should be able to use their own physical private property that they've bought & paid for without third party restrictions being forced on them.
  Who exactly is being "greedier"? Since when do people "deserve" to be paid a lot of money just because they did a lot of hard work?
23. Re:speed by mollymoo · 2008-06-22 10:15 · Score: 3, Interesting
  
  A night in the cells and some community service (in the UK) is as close as I've been to prison. Community service usually means spending a fair amount of time with people with first-hand experience of prison. Anyway, your question is a false dichotomy - there is a whole spectrum between direct experience and mere assumptions. First-hand experience isn't required to gain knowledge about things. Conditions in prisons are reported in newspapers, on the news and in documentaries. Books and academic journals too, though I've never had the urge to delve quite that deeply into this subject.
  
  --
  Chernobyl 'not a wildlife haven' - BBC News
A broader lesson by dfaulken · 2008-06-22 03:31 · Score: 5, Insightful

While this particular instance doesn't concern me, it seems that, more and more, we're seeing reasons to start encrypting most data that we send across the Internet--certainly we would encrypt IMAP/POP3 sessions, Jabber and whatnot--why not HTTP as well?
Yes, there might be some performance drawbacks, but, on the whole, it seems to me like the less data we send in plaintext, the less we open ourselves up to identity theft, and being spied on by governments (not necessarily our own, mind you).
So I tend to think that this is just a manifestation of this broader trend towards encryption in all Internet transactions. I think the real question is whether we'll see people using SSL/TLS for things like checking the weather or sports scores.
1. Re:A broader lesson by GIL_Dude · 2008-06-22 03:35 · Score: 5, Interesting
  
  I agree with you here.
  I think it will be an escalation though between the people who want to know what everyone is doing and those of us who want privacy. For example, if we encrypt everything - how long will it take these same wiretapping morons to pass more laws requiring that sites make the decryption key available for all "official agencies" or some such?
2. Re:A broader lesson by oodaloop · 2008-06-22 03:44 · Score: 4, Insightful
  
  It's about time. If you look at the postal system, people have been using security envelopes or at least sealed envelopes since pretty much the beginning. The only mail postal employees are allowed to read are postcards, since it's pretty hard to stop them. Unencrypted email is basically like a postcard, and it pains me to hear people complain that governments are reading them. Do they complain that postal employees are reading their postcards? If it's important or private, use a security envelope or encryption. Otherwise, don't complain when someone reads it.
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
3. Re:A broader lesson by dfaulken · 2008-06-22 03:50 · Score: 5, Insightful
  
  If you look at the postal system, people have been using security envelopes or at least sealed envelopes since pretty much the beginning. This is exactly the problem, though--people are accustomed to using envelopes, whereas getting people to use e-mail encryption requires some serious additional effort, which most people aren't willing to put in.
4. Re:A broader lesson by nine-times · 2008-06-22 03:58 · Score: 5, Insightful
  
  Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place. When lots of these protocols were being developed, security didn't seem to be much of a consideration.
  It's about time that these things got rectified, but I'm not sure what the best course is. For example, using SSL concerns me in that we've accepted the convention that certificates should be issued by certain set organizations that require exorbitant fees. I mean, hundreds or thousands of dollars per year for an SSL cert? Seems a bit much to me. Yeah, I know you can generate your own, which will cause you to get complaints from your websites' users when they see what looks to them like an error message.
  I'm not a security expert, but I get the sense someone needs to go back to square one and figure out how to build a coherent, open, and secure model for networking that doesn't rely on giving such control to a small number of companies.
5. Re:A broader lesson by 99BottlesOfBeerInMyF · 2008-06-22 04:26 · Score: 3, Informative
  
  This is exactly the problem, though--people are accustomed to using envelopes, whereas getting people to use e-mail encryption requires some serious additional effort, which most people aren't willing to put in.
  The real problem is that people have to put in additional effort, because their e-mail program doesn't handle it seamlessly. Their e-mail doesn't handle it seamlessly because it isn't easy to do, because there is no one dominant standard, but there is one dominant e-mail client (Outlook) which is controlled by a monopolist who has no incentive to make things better for their customers (because they have a monopoly). This is one of the many hundreds of ways the computing industry is constantly being held back by MS's monopolies.
6. Re:A broader lesson by Free+the+Cowards · 2008-06-22 04:27 · Score: 4, Insightful
  
  If TCP/IP had been encrypted from the beginning, we'd be worse off, not better.
  Why? Because any crypto available from that time is trivially crackable today. So instead of an obviously insecure communications medium, you'd have an insecure communications medium that everyone thinks is secure because, hey, it's encrypted! It wouldn't change anything except make people more complacent.
  
  --
  If you mod me Overrated, you are admitting that you have no penis.
7. Re:A broader lesson by David+Jao · 2008-06-22 04:30 · Score: 5, Insightful
  
  Yeah, it seems to me that it was an oversight that networking wasn't encrypted in the first place. When lots of these protocols were being developed, security didn't seem to be much of a consideration.
  You may be too young to remember this, but until 1997, it was for all practical purposes illegal to transmit cryptography software over the internet because of ITAR regulations.
  As a result, during the formative years of the internet when networking protocols were being designed, there was no practical way to include security as a requirement. A cynic would interpret this state of affairs as being exactly the goal that the US government had in mind when they made cryptography illegal.
8. Re:A broader lesson by NormalVisual · 2008-06-22 04:55 · Score: 3, Interesting
  
  Quite a while, I'd hope - pretty much all of the court cases that I've read about that touched on the subject ended up treating it as a Fifth Amendment situation, with the end result being that you can't be forced to divulge the passphrases to your keys. I don't know whether any of those cases form precident though.
  
  --
  Please stand clear of the doors, por favor mantenganse alejado de las puertas
9. Re:A broader lesson by jc42 · 2008-06-22 05:15 · Score: 5, Interesting
  
  ... as I understand it security was outside of the scope of networking technology when it was first created. ARPANET was created in order to facilitate information sharing, and it started out quite small. Encryption at that point would've been counterproductive. ...
  Well, yes and no. Note that the ARPAnet project was funded by the US Dept of Defense. There were security experts around from the beginning. But it was well understood back in the 1960s that building the security into the low-level networking code was a bad engineering design. Everyone involved pretty much understood that you got (data) security by end-to-end encryption, and doing encryption at any level below the user app was simply a waste of cpu cycles. So the network-level design goal was reliable transport on unreliable ("battlefield") hardware. The design meant that the people working on the network layer could concentrate without distraction on the job of getting the bits reproduced accurately at the other end.
  The primary argument against low-level encryption has always been the same: The two endpoints have no reliable knowledge of or control over most of the data path. The history of encryption is full of stories about someone cracking someone else's encryption and reading their messages for a long time before they were found out. We must assume this can happen with any encryption scheme. This means that if a low-level link in the middle of a data path is decrypted (or even intercepted), the endpoints generally have no way of knowing it has happened, and also have no way of changing that link's encryption scheme. Low-level encnryption is thus only usable if you control every piece of hardware in the data path. This requirement would totally eliminate the wide-area networking that ARPA was trying to achieve. So if the ARPAnet was to meet its design goals, encryption of low-level data links was a pointless waste of cpu time.
  End-to-end encryption at the application layer, however, is totally under the control of the endpoints. It can be changed at any time, for any reason. It eliminates dependence on the security of the low-level links that aren't controlled by the entpoints.
  And there's a reasonable argument that end-to-end encryption increases security: It means that the data packets can be scattered across many different data paths, making it difficult for anyone to intercept all of the packets for a given conversation. Previous secure communication required tight control of the data path, and usually meant that there was a single data path for a given conversation. This is easy to intercept and either block or subvert, giving a copy of the conversation to an enemy. But if your packets are sprayed across all the available paths, interception and packet collection become nearly impossible.
  This is, of course, a very loose, off-the-cuff summary. But it's easy enough to find the early ARPAnet docs in various Internet archives, where you can easily spent far too much time learning about the subject.
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
10. Re:A broader lesson by CastrTroy · 2008-06-22 05:25 · Score: 3, Informative
  
  As far as email encryption goes. PGP is pretty much the defacto standard. I'm sure there are some other methods, but PGP seems to be the way it's done in most cases. I wouldn't be hard for the mail client, outlook or otherwise to completely automate the system. Key exchange would be a little difficult, but not so much. You could either meet someone in person to exchange public keys, or get their public key from somebody else who already has it, who you already trust and share keys with.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
11. Re:A broader lesson by devman · 2008-06-22 05:42 · Score: 5, Interesting
  
  I disagree, email clients have native support for S/MIME and signed PKI certificates. Conversely, most clients do not have native support for PGP, though you can get it through plug-ins (Thunderbird).
  
  Certainly you can get a email signing cert from Verisign by paying for it (It's very inexpensive and integrates well with most email clients). You can also generate your own key pair and get it signed by Thawte (so long as you complete there "Web of Trust" requirements), if you are worried Verisign might keep a copy of your private key (they don't).
  
  The problem with the whole system is that while only you need a PKI cert to sign an email (recipients client will auto verify it), but in order to encrypt an email your recipient must have a PKI cert and you must have there public key. That means both parties must care enough to encrypt email. This is where the envelope analogy breaks down, because to receive a sealed envelope in the mail I don't have to do anything.
12. Re:A broader lesson by aliquis · 2008-06-22 06:51 · Score: 3, Insightful
  
  ... if USA was the whole world.
13. Re:A broader lesson by mrchaotica · 2008-06-22 08:03 · Score: 3, Informative
  
  Encrytion is not in every circumstance easy to set up, but for example Thunderbird together with EnigMail... just plain easy to use and doesn't take a long time to teach.
  
  I actually just set that up (literally -- I created my key immediately before typing this), and I think it could be easier. Namely, after installing EnigMail in Thunderbird, it didn't immediately work. Why was this? Because I needed to install GnuPG separately, which was not mentioned in the "how to install in Thunderbird" steps on EnigMail's Thunderbird addon page. Either it ought to be added to that list, or (better yet) GnuPG itself ought to be somehow included in the EnigMail installer itself.
  
  --
  "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
About time by nurb432 · 2008-06-22 03:42 · Score: 5, Insightful

Lets hope this is just the beginning.
*everything* should be encrypted by default, and no unencrypted connections should be offered.
I don't care that i'm doing nothing wrong, its no ones business.
ya, there is a performance hit, but thats just part of the deal to have your communications remain private.

--
---- Booth was a patriot ----
1. Re:About time by You+ain't+seen+me! · 2008-06-22 04:43 · Score: 5, Funny
  
  *everything* should be encrypted by default, and no unencrypted connections should be offered.
  If you were to start using unlimited encrypted connections here within the UK, I guess the thought-police will immediately assume you to be a terrorist and bang you up for 42 days.
2. Re:About time by Anonymous Coward · 2008-06-22 05:10 · Score: 3, Informative
  
  I always hated that https://slashdot.org/ just forwards to http://slashdot.org./
  
  If you're a subscriber it works (though it's been a few years since I've been one, so I might be talking out of my arse with regards to the current setup, here).
Re:Circumventing the law by endemoniada · 2008-06-22 03:52 · Score: 5, Interesting

The law says that the government has the right to listen, nowhere does it demand that everyone speaks loud enough to be heard. We still have every right to encrypt everything we want, and newspapers/tabloids here in Sweden have already been running articles like "5 ways to not get wiretapped" and guides on encryption techniques.

--
Blog -
Copyright issues != terrorism by frdmfghtr · 2008-06-22 04:09 · Score: 4, Insightful

" Although copyright issues really have little to do with national security... "
Try telling that to the US Gov't.

--
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
1. Re:Copyright issues != terrorism by Eudial · 2008-06-22 04:16 · Score: 5, Funny
  
  " Although copyright issues really have little to do with national security... "
  
  Try telling that to the US Gov't.
  You're getting the lawmaker newspeak confused. Smoking pot is terrorism, piracy is the same as child pornography and paedophilia.
  
  --
  GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Re:And all other x countries that does wiretapping by ettlz · 2008-06-22 05:49 · Score: 4, Funny

How many actually uses PGP for their e-mails?
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.7 (GNU/Linux) hIwDupFG1SObtBMBBACAyUZAEDruQO9RlkZ5aGkGYRxv2oxqKdTgg0Glo1ZJk/nF YS2HUhpzP7r3sVjTQ5h4RDRxUKOGllrFappta3kOfVU7KAS6HSrhmZ3IRU0VJvQP LTusUO8cVjmon4YB44sMeUksLB/g7Ylm3LuF9abAd8yXH4lNn1OzgExAVtTbf8kf IS4qtvlxiltgtqYqGw1N8JbFREuKrfyepkKshNxV3w== =+MLj -----END PGP MESSAGE-----
The gvmts legislating themselves out of options by mlwmohawk · 2008-06-22 06:46 · Score: 3, Insightful

As more and more wiretapping laws and eavesdropping systems come on line, the more and more the technology movers will make it impossible.
Every last thing is going to be encrypted, IM, web, email, etc. The more of this crap they pull, the more they will be unable to do. If they break the encryption, we'll make it better.