Slashdot Mirror


FREAK, Logjam, DROWN All a Result of Weaknesses Demanded By US Gov't (csoonline.com)

itwbennett writes: You need look no further than the FREAK and Logjam attacks in 2015 and the DROWN attack announced just this week to get a sense of 'the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today,' writes Lucian Constantin. But this isn't a new problem. 'One approach [the government] used throughout the 1990s [to keep encryption under its control] was to enforce export controls on products that used encryption by limiting the key lengths, allowing the National Security Agency to easily decrypt foreign communications,' says Constantin. 'This gave birth to so-called "export-grade" encryption algorithms that have been integrated into cryptographic libraries and have survived to this day.'

2 of 70 comments

  1. "Government's Fault" is a bit of a reach by xxxJonBoyxxx · Score: 5, Insightful

    I remember the 1990s crypto wars. But we've also had plenty of time to refactor our code, create secure-by-default installations and disable insecure implementations. In fact, as an industry, we've done it before for SSL 2.0, MD5, SSL 3.0, RC4 and now SHA1.

  2. Re:What about "Import Grade" by mi · Score: 5, Informative

    stupid laws that do not protect anyone from anything

    Of course, they do protect — encryption is a weapon and you try to limit access to your best stuff. Yes, the enemies may still be able to get some of it, but your efforts make it harder for them.

    Cryptography advances outside of the US made the point moot by the early nineties, and the export restrictions were dropped. But they weren't "stupid" — except, maybe, for the very last year or two.

    The article's emphasis is all wrong — the vulnerabilities are due to poor design of SSL2 and the coding practices of OpenSSL developers leading to poor implementation of the rest. Neither of these problems is due to the government's export restrictions.

    --
    In Soviet Washington the swamp drains you.