Cryptography

Internet service providers (ISP) acting on behalf of the Iranian government have recently begun blocking encrypted internet services that rely on the secure sockets layer (SSL) protocol, curbing the use of virtual private networks (VPN), a number of email providers, and other communication tools ahead of next week’s parliamentary elections.

A total SSL blockage would prevent the use of any online service whose address begins with ‘https,’ thus cutting off internet users in Iran from one of the Web’s most widely used and trusted encryption connections.

It’s always slightly disorienting and confusing when a story about something as esoteric as weak encryption keys produced by poor random number generators makes its way into the real world and begins scaring the citizens. This can lead to confusion and worry about whether everyone’s online banking sessions and purchases of Canadian pharmaceuticals are safe. To help allay those concerns, here are some things you need to know about the new research on weak RSA keys and its implications.

If all of the noise about weak RSA keys and compromised cryptosystems in the last few days has done anything, it’s to confirm what many in the cryptography community have known for quite a long time: When it comes to implementing cryptosystems, there are a whole lot of people doing it wrong. However, experts say the new research showing large numbers of repeated and weak crypto keys is a good reminder of not only how hard it is to get this stuff right, but also how many different ways it can go wrong.

Mozilla officials are preparing to send a letter to the certificate authorities that are part of its root CA program, warning them about issuing so-called man-in-the-middle certificates for systems that the CA does not actually own. The message comes on the heels of an incident in which Trustwave, a CA, issued a certificate that enabled a corporate customer to eavesdrop on the SSL-protected sessions of its employees.

In the last couple of years, Google and some other Web giants have moved to make many of their services accessible over SSL, and in many cases, made HTTPS connections the default. That’s designed to make eavesdropping on those connections more difficult, but as researchers have shown, it certainly doesn’t make traffic analysis of those connections impossible.

Researchers at a German university have broken the encryption of the two main standards used to protect calls from satellite phones, giving them the ability to intercept conversations that are meant to be private. The attacks on the GMR-1 and GMR-2 standards are thought to be the first such work against the satellite phone ciphers.

In the face of mounting evidence that the CA system is inherently flawed, Google officials are in the process of making changes to the way Chrome handles certificate revocations, and no longer will be using online revocation checks. Instead, Chrome will use the existing update system in the browser to accomplish this task.