Defeating encryption: the battle of governments against their people
Technologists hoped the “Crypto Wars” of the 1990s – which ended with cryptographers gaining the right to legally develop strong encryption that governments could not break – was behind them once and for all. Encryption is a fundamental part of our modern life, heavily relied on by everything from online banking and online shopping services to the security our energy infrastructure.
However, from comments by the French and German governments about creating a European initiative to circumvent encryption through to the Apple vs FBI case, in which Apple had to publicly and vociferously defend the right to strong unbreakable encryption, it is very clear the war over encryption is not over, and that there are many battles yet to come. Just in the last few days, UK Home Secretary Amber Rudd has accused WhatsApp of providing “a place for terrorists to hide” and declared that “we need to make sure our intelligence services have the ability to get into encrypted WhatsApp.” This comes a little over two years after the former British Prime Minister David Cameron had said in the wake of the Charlie Hebdo attacks: “are we going to allow a means of communications where it simply is not possible to [listen in]? My answer to that question is: no, we must not.” Seven months later the Prime Minister officially withdrew his comments, a representative from the Prime Minister’s office announcing “We accept and completely recognise the importance of encryption” and promised it would not be banned.
In our latest report “Who’s that Knocking at My Door? Understanding Surveillance in Thailand”, we analyse how the Thai government is pursuing its own attempt to circumvent encryption.
What stands out in the case of Thailand is the use of low cost methods that could have maximum impact. Our report examines, on the one hand, the ability to intercept communications through the close relationship between the government and ISPs. On the other hand, we see the Thai government’s ability to decrypt secure communications and traffic without having to invest in expensive technologies.
The different methods used to circumvent encryption include downgrade attacks, conducted to spy on emails that would normally go through the secure protocol SSL. Screen captures we have obtained from sources in Thailand showed that emails sent out from email clients (instead of webmail) were redirected through port 25, a port that is unencrypted by default. This would allow the government to read the emails that have otherwise been encrypted (using another protocol like PGP). Considering the close relationships between Thai telecommunication companies and the government, which we document in the report, there is a potential that the government could demand that such an attack be conducted by an ISP.
Another method that the Thai government is able to use to circumvent encryption is misuse of the root certificate. The Thai government has their own root certificate which could potentially be misused to obtain information such as communications and passwords on websites normally secured with the https protocol. This is a real risk for Windows users since Microsoft trusts the Thai national root certificate by default, unlike any other company (for example, Apple, Google Chrome and Mozilla do not trust it). We do not know why there is a disparity between Microsoft’s policy and those of Apple and others and we are seeking further information from each of these companies. However, what this means is that if the certificate is misused to trust an insecure website, Windows users will not receive a warning message - and they will have no reason to think they are navigating a potentially insecure website.
Because Google Chrome defers to the operating system for certificate authorities it means that even a Chrome user will be at risk if they are using the Windows operating system.
Root certificate misuse and downgrade attacks are two types attacks that target encryption protocol deployed by default. Users do not have to ‘switch on’ those types of encryption and are indeed often unaware of them. This is precisely the type of encryption Privacy International advocates, where privacy is not a feature that needs to be switched on but is an integrated part of the technology that the user does not even necessarily know exists.
Privacy International calls for companies to collaborate in an open and transparent manner on security issues such as root certificate authorisation. Companies providing operating systems, browsers and mail clients must give adequate warning to users that a connection is untrusted.
In the case of Thailand we believe their history of internet surveillance means no company should trust their root certificate.