Ways to hide
Besides financial or identity theft, many people are concerned about governments or law enforcement eavesdropping on their communications. Whether you’re a journalist criticising a brutal regime or a whistleblower who’s got hold of an Excel spreadsheet detailing exactly how much the company is wasting on motivational PowerPoint designs, you should be cautious as to what you send over the wire, and how you send it.
Thanks to public key cryptography, it’s (barring several implementation barriers, as we’ll see later) possible for two parties that have never met to communicate in secret — that’s without having to agree a private key in advance. The mathematics behind public key cryptography (see Feature, p50, LXF189) has been around since the ‘70s, but is only recently starting to be used wholesale (see the End to End Encryption box, below).
People have had at their disposal the tools required to generate key pairs, use them to encrypt an email and paste the result into any standard mail client — but they don’t. It’s not hard (see p33) but in a world where we expect so much from a few clicks, it doesn’t fly. Plus it requires the other party to play ball. What if, confounded by the decryption process, they reply, frustrated, spaffing sensitive information in clear text?
In this sense the web has done a better job at encryption. HTTPS enables us to communicate privately with websites, and we’ve been doing it since the mid-90s. Ideally, HTTPS performs two duties: authentication, which guarantees the website you’re communicating with is indeed the one you think it is, and confidentiality, which guarantees that information, even if it were intercepted, remains secret. But even that system is far from perfect, since it relies on implied trust of a Certificate Authority, and there have been reports of rogue CAs finding their way into major web browsers’ trust lists. Beyond that, several attacks on the protocols (BEAST, CRIME) and on the underlying algorithms (Xiaoyun Wang’s 2005 attack on MD5) have shown that it’s no silver bullet. Nonetheless, it’s the best we have, and it’s more secure than sending passwords and card numbers in the clear. Browser extensions, such as HTTPS Everywhere, ensure that you’ll always visit the HTTPS version of a website, where one exists. Thanks to Let’s Encrypt (https://letsencrypt.org) it’s free and easy for anyone to enable HTTPS on their websites.
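To make the two duties concrete, here is an added example (not from the original article) that uses Python's standard ssl module to audit a client configuration for anything that switches off authentication or weakens confidentiality. The function names are made up for illustration, and the TLS 1.2 floor is an assumption of this example.

```python
import ssl

def audit_context(ctx):
    """List the ways a client SSLContext weakens HTTPS's two duties."""
    findings = []
    # Authentication, part 1: the chain must verify against a trusted CA.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("authentication: certificate chain not verified")
    # Authentication, part 2: the certificate must name the host we asked for.
    if not ctx.check_hostname:
        findings.append("authentication: hostname not checked")
    # Confidentiality: BEAST targeted TLS 1.0, so refuse anything below 1.2
    # (the 1.2 floor is this example's assumption, not the article's).
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("confidentiality: protocols older than TLS 1.2 allowed")
    return findings

def hardened_client_context():
    """Client context that verifies chain and hostname and requires TLS 1.2+."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def careless_client_context():
    """The 'make the certificate error go away' setup, for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def trusted_ca_count(ctx):
    """CA certificates already loaded into this context's trust store."""
    return ctx.cert_store_stats()["x509_ca"]

if __name__ == "__main__":
    for name, make in (("hardened", hardened_client_context),
                       ("careless", careless_client_context)):
        ctx = make()
        print(name, "| CAs loaded:", trusted_ca_count(ctx),
              "|", audit_context(ctx) or "no findings")
```

The CA count is the "implied trust" in numbers: every certificate in that store can vouch for any website. CAs held in a hashed directory are loaded on demand, so the figure can undercount.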
The Tor network has received a great deal of interest, partly due to being given the shadowy-sounding title ‘The Dark Web’ by media pundits. Tor began as a US Department of Defence project and a great deal of its funding still comes from there and other government sources. Given the eyebrows this naturally raises, it’s looking to diversify its funding. The Tor Project, though, is run independently from its funding and according to time-honoured open source principles, so we shouldn’t really be worrying about governments meddling with the Tor codebase at source.
That doesn’t mean that governments aren’t interested in breaking Tor communications, because they very much are. In February this year, it emerged that researchers at Carnegie Mellon had partially de-anonymised the network, and that they had turned over their findings to the FBI. It’s believed that the attack involved setting up a number of Tor nodes and correlating traffic between them, in what is known as a Sybil attack. The fruits of this operation came in November 2014, when Operation Onymous saw widespread and co-ordinated action against users and operators of darknet marketplaces. Tor was never meant to protect against these activities, and it remains one of the most vital tools for privacy activists. (Find out how to set it up on p40.)