Slashdot Mirror


User: DJBurgie

DJBurgie's activity in the archive.

Stories: 0
Comments: 8

Comments · 8

  1. Encryption is the solution, but not today's model on More Encryption Is Not the Solution · · Score: 0

    Assumption: Evil powers still cannot break SSL that works as it should with random data and unknown private keys without centuries or millennia of computer time.

    End-to-end encryption only works if the endpoints themselves are doing the encryption. Let's take a few examples:

    Social media: Person A posts something online. The endpoints, the real endpoints, are Person A and all of Person A's followers. Is there encryption between Person A and all of Person A's followers? No, not currently, and that is the problem. If there were encryption between these endpoints, the evil powers would pull out their hair. Instead they short-circuit things, compromise the world thanks to Facebook, and get an easy in to everything. They are performing a traditional man-in-the-middle. Encryption, without compromises, is the key.

    Instant messages: I send a message to Google (Google Talk, Hangout, etc.) and they forward it on to my friends instantly. Are the endpoints doing encryption? No, not usually, and even with Off-The-Record functionality that Google provides, it is still plaintext along the way. This is the problem. It needs to be encrypted by the endpoints.

    Skype: Same as above. The service in the middle is the problem.

    There are some easy solutions for some of these.

    First, the best solution is to be your own service provider somehow. When federation really makes this happen properly and we each control our content with others we trust directly then that will be neat. Maybe we can still use things like OpenID to help handle that authentication in the meantime, but keep in mind that delegating trust to one party means that if another party compromises them then all bets are, again, off. We each need to provide our own trust directly to others so that end-to-end encryption can happen. If the other ends are ever compromised, revoke their trust and then handle things going forward, but at least it's possible to know and handle that situation. I think the right way for this to happen involves our own services becoming insanely simple to deploy, and then running them at home, each of us being our own little provider. I know... too hard for the common user today, but so was accessing data via the Internet twenty years ago.

    Second, in the meantime some of these services can be fixed right now. Run Pidgin to connect via Google Talk, or AIM, or ICQ, or anything else that's person-to-person, and implement the Off-The-Record plugin in there. Hooray! True end-to-end encryption. The service provider just sees crap in between, which is SSLized crap, and that's the end of their involvement even if the power scum that force them will take their data at gunpoint. Since the party in the middle has no keys, they have no data. Suddenly the evil powers must start attacking individuals instead of intermediaries which is much harder for them to do.

    By the way, never use the same password, or even minor variations on passwords, on any two things, ever. Just don't. When you do, you make it trivial to take everything with the weakest link compromised. Which link will be attacked by anybody really caring? The weakest of course. Make them all strong, and different. LastPass is a good, secure option if you cannot manage passwords on your own without any intermediary (yes, it's work).

    Anyway, just some thoughts.

  2. Re:Safety Warning. on Google Frame Benchmarks 9x Faster than IE8 · · Score: 0

    Wow.... Microsoft claiming it's not safe in some way to run third party stuff in their overly-secure browser? What a shocker when Google shows the IE JavaScript engine really is that bad. I'm really surprised they didn't welcome the enhancement of their own performance by an order of magnitude with open arms even though it shows that they can't code.

  3. By THE Anniversary... on SpaceShipOne to Attempt Second Flight on Monday · · Score: 0

    1957, so the 47th anniversary.

  4. For ALL your nerdy needs... on Nerdorama for All Your Geeky Needs · · Score: 0

    Except bandwidth, or is it processing power...whatever allowed the 0.2 second /.ing, count that out.

  5. Re:Dupe, Dupe, Dupe.... on Federal Bounty on Spammers · · Score: 0

    Who put the dupe in the dupe, du-dupe, du-dupe, who put the spam in the spam-er-am-er-ding dang...

    (to the Barry Mann tune of "Who Put the Bomp")

  6. Bus speed increase.... on Microsoft Patents The Body Bus · · Score: 1, Funny

    When you get struck by lightning, that may be an increase in mega hurtz.

    Once that happens, you will be sued for changing their proprietary technology, violation of the DMCA.

    *sigh*

  7. No legal basis...what a load... on Two Congressmen Push for DMCA Amendments · · Score: 0

    Doesn't the MPAA dope know that there is no LEGAL basis for anything (DMCA included) until it gets through Congress? Surely, with all of the $$$ spent by him and his organization for the lobbyists, he knows this and it is simply a load of crap to discourage the easily-persuaded. What grade is it when children learn about the separation of power, checks and balances, everything else in our government? But this guy has to preach complete lunacy when the same processes to create the ridiculous DMCA are capable of undoing what was previously done unconstitutionally... Good grief. Hypocrisy in a cause is probably a good reason to do away with the cause.

  8. Unsafe data pathways... on Microsoft's Janus DRM Software Officially Unveiled · · Score: 3, Funny

    I think it is ironic that M$ is working on a technology to help with "unsafe data pathways." How will a M$ product keep its content off of M$ products? The DRM that does not allow content. Sounds like a good way to keep it safe.