Don't get me wrong. i like the EFF; in fact, i've contributed and gotten the full set of stickers and a lovely note, but there are times that i kinda wonder if they're thinking clearly.
Take, for instance, a note they published yesterday, "Several Facts about Google". They note that they're very happy with the fact that Google is testing out HTTPS connections for Gmail, since that means that the connection between you and Google is secure. That's very nice. Granted, SMTP, the protocol that actually delivers your mail between servers, is generally unencrypted, but that's probably beside the point. Kind of like how it's great to have a locking mailbox, but your mailman can still get mugged or just bury your mail in his backyard.
The other part that really had me scratching my head was that they were pushing to have Google use HTTPS for searches.
Again, i really like EFF, but i really wish they'd consider what they're asking for.
HTTPS means a secure connection. That means that so long as you're holding a connection open, you've negotiated a trusted, authenticated handshake between you and the box you're talking to, and everything on that connection is encrypted. That's important to think about, so make sure you remember it.
When you make an HTTP request to Google, the first thing that happens is that your request goes to a DNS balancer. This machine tries to figure out the closest server to you and hands you off to that machine. That machine is probably a VIP or "load balancer" whose job it is to hand you off to a machine that can actually service your request. How you walk that path depends on a lot of things, like how busy a given server is. All of these hand-offs are done in nanoseconds because none of these machines needs to keep the "line" open. In fact, with some requests you may not even get to Google at all, because you asked for something that exactly matched what someone else just asked for (like "Ed McMahon Memorial" or something). That's called caching, and it means even faster delivery of data to you.
When you switch to HTTPS, however, you introduce a good deal of security and a lot of extra steps. Your machine will only exchange information with a machine that identifies itself correctly. It also means that every request and response has to be encrypted and signed on one end, then checked and decrypted on the other.
Think of it this way: let's say you wanted to get a quart of milk. Currently you go to a local grocery store and grab a jug. (We'll pretend that milk is free and unlimited, so you don't have to worry about checking out.) That's pretty much how HTTP works.
HTTPS means driving to an approved Milk Distributor, showing your ID at the door, calling the FDA to ensure that the person you've shown your ID to is who he says he is, handing him a cryptogram that contains your request for a jug of milk, and waiting while he walks into the store and sometime later returns with a locked safe, which he hands you. You depart, drive home, enter the combination to unlock the safe, and pull out your jug of milk. That, of course, presumes that nobody else wanted milk, eggs, meat, or laundry detergent that day; otherwise you'd also have to wait in line to talk to the clerk.
Why would you have to wait in line to talk to the clerk? Well, because he costs a lot more than the fridge (even though he's basically walking up to said fridge to grab the milk), and even if you're the most successful grocery store on the planet, you can only realistically afford so many highly trained, FDA-approved clerks. Plus, you have to pay for new training for them every year.
i'm sorry, EFF, but that's just a really dumb idea. Particularly since your fridge, err, computer could still be seized, and the store's receipts, err, the search engine's logs can also be subpoenaed.
There are lots of existing ways that you can cover your tracks should you need to. Just ask anyone in China or Iran how to do it. But for the bulk of us, i think we can live our lives with our milk in a normal, non-reinforced carton.
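The point of the last two paragraphs, that HTTPS only protects the pipe and that whatever the search engine or mail provider keeps in its logs is still readable and subpoenable, can be shown with a small model. This is an added example, not code from the post or from the EFF or Google. It uses a toy XOR cipher keyed from SHA-256 as a stand-in for both TLS and PGP (it is an illustration, not a real implementation of either), with constructed sample keys and a constructed message, and compares what an on-path observer, the provider's log, and the recipient can read under plain HTTP, HTTPS-style transport encryption, and end-to-end encryption of the message itself.

```python
import hashlib
from itertools import count

# Constructed sample values (not from the post).
MESSAGE = b"meet at the usual place at noon"
SESSION_KEY = b"session-key-for-one-connection"   # stands in for the TLS session key
RECIPIENT_KEY = b"recipient-long-term-key"        # stands in for the recipient's PGP key


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key || counter, concatenated until long enough.
    Illustration only; it stands in for a real cipher."""
    out = bytearray()
    for block in count():
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        if len(out) >= length:
            break
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream. Applying it twice with the same key decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


toy_decrypt = toy_encrypt


class Provider:
    """The mail or search provider: terminates the transport connection and keeps
    a log of whatever it could read, which is what a subpoena would reach."""

    def __init__(self) -> None:
        self.log: list[bytes] = []

    def receive(self, transport_key, wire: bytes) -> bytes:
        # With plain HTTP there is no transport key; with HTTPS the provider holds
        # the session key, so it sees whatever the transport layer was carrying.
        payload = wire if transport_key is None else toy_decrypt(transport_key, wire)
        self.log.append(payload)
        return payload


def exchange(mode: str) -> dict:
    """Send MESSAGE through one mode and report who can read it.

    'http'  : nothing is encrypted anywhere.
    'https' : encrypted only for the hop between client and provider.
    'e2e'   : encrypted to the recipient first, then again for the hop.
    """
    provider = Provider()
    if mode == "http":
        wire = MESSAGE
        stored = provider.receive(None, wire)
    elif mode == "https":
        wire = toy_encrypt(SESSION_KEY, MESSAGE)
        stored = provider.receive(SESSION_KEY, wire)
    elif mode == "e2e":
        inner = toy_encrypt(RECIPIENT_KEY, MESSAGE)
        wire = toy_encrypt(SESSION_KEY, inner)
        stored = provider.receive(SESSION_KEY, wire)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # The recipient fetches what the provider stored and, in the e2e case,
    # removes the layer only they hold the key for.
    recipient_view = toy_decrypt(RECIPIENT_KEY, stored) if mode == "e2e" else stored
    return {
        "on_path_observer_reads_message": wire == MESSAGE,
        "provider_log_contains_message": MESSAGE in provider.log,
        "recipient_reads_message": recipient_view == MESSAGE,
    }


if __name__ == "__main__":
    for mode in ("http", "https", "e2e"):
        print(mode, exchange(mode))
```

The https row is the one the post is about: the observer on the wire sees only ciphertext, but the provider's log has the message in the clear, so the pipe is protected and the endpoint is not. Only the e2e row keeps the message out of the provider's log while still letting the recipient read it.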
-
You are right, it's a technical pain. However, I believe the reason why it's desirable isn't for people who will likely be being subpoenaed, but instead for the rest of the population who seek to avoid having their queries sucked up and data-mined by a Carnivore-like system, or actively filtered through a mom-in-the-middle attack. BRB doorbell! OHHhhh, another safe!
-
Of course, that presumes that, unlike the unmarked room at the AT&T hub, Carnivore only works by examining routed traffic. Yeah, I can see the man-in-the-middle issue, but do you really want Google/Yahoo/Microsoft working like your bank and asking for several rounds of passwords every 10 minutes?
-
The AT&T room problem is similar in concept to the telegram companies just conveniently routing all traffic to the NSA... who then casually called up their buddies at IBM and had them whip up the most impressive now-unclassified computer of the time to grind through it all. We cannot suppose what resources were applied, or at what stage of implementation it got awkward with the whistle-blowing. I've been running an HTTPS connection from multiple machines, often concurrently, to Gmail for at least several months now and only get prompted for a password occasionally. Perhaps this is a different technical issue, or some kind of horrible security gaffe. To be honest, I haven't thought it through.
-
I suck at making points. I guess what I was trying to say was that HTTPS doesn't really solve a security problem if there are ways around it. All it does is say "The connection between this computer and some other computer is trusted and the information being passed is encrypted." Once it gets beyond that particular pipe, it's no longer secure. If I have mail I want to secure, I'm not going to use HTTPS; I'm going to encrypt it on my client and send it using something like PGP. Likewise, if I'm interested in doing searches of a potentially questionable or "of interest" nature, I'm going to employ existing devices (like Tor or a series of remote proxies, with cookie scramblers) to make those requests difficult to backtrace. Neither of those requires Google to spend billions setting up millions of secure machines for the planet to talk to.
-
In the actual real world, HTTPS does solve the security problem of the government slurping down all of our net traffic at peering points. It raises the cost for governments to monitor internet traffic dramatically. I'm glad that the EFF is looking at things that affect the real world. As for Google, I'd bet that they could implement SSL for all connections for ~$10M, and since it's easy to parallelize, cost will go down with the number of cores per server. The real losses would be due to performance. If it added on average an extra 500 ms latency, searches would go down about 1%, and revenue would drop around $60M/year. Of course, another reality is that with large companies that have their SSL private keys on thousands of proxy servers, there's no doubt that the NSA would compromise the important ones (all it takes is one compromised sysadmin or server), and it's unlikely that Google would create lots of SSL keys for the same site just to make this attack more difficult.
