link for a simplified version of my post.
Well according to everything I've read, they will still allow SSL/TLS, otherwise the faith in online banking would become non-existent overnight; they appear to be targeting metadata
(i.e. message headers) as opposed to content
- at least publicly. Additionally, they seem to be targeting corporations rather than individuals, thereby pulling genuine "end to end" encryption out of the hands of the masses
, rather than trying to implementing a blanket ban.
The obvious question is: what counts as "end to end" encryption, considering that with SSL/TLS the IP packet payload is encrypted, but the IP packet headers are not?
SSL (e.g. HTTPS)
With SSL transmissions such as HTTPS
, the Internet routers very obviously have to read the IP packets in order to route the data, but they can't read anything else.
With secure mail transports such as SMTPS
, the same thing applies: the transmission
is encrypted, but the actual data is plain text once it pops out the other end, i.e.
the memory space of the running mail server software.
Additionally, with HTTPS
the transmission is between your computer and the target website only
(generally); with email - which relays messages from one email server to another until it reaches its destination - you cannot
guarantee that each hop between mail relays is encrypted, or even authenticated.
Not only that, but any mail server can siphon the messages which pass through it, both headers and
content. Technologies such as PGP and S/MIME ensure that the content
of an email message sent by you to someone else is encrypted, authenticated and therefore secure, however the email headers
are still plain text because the mail relay has to read them in order to route mail messages between relays.
VPNs such as OpenVPN also use SSL to create a tunnel between your computer and the VPN exit node, thereby giving an additional layer of protection. Once the data reaches the exit node, it is restored to its original form, whatever that might be. Again, banning VPNs is out of the question since the business community make extensive use of them.
Data At Rest
This is data sitting on storage on a computer of some kind (laptop, smartphone, tablet or workstation). On that device, the storage may be generally encrypted independently of all other security mechanisms. Additionally, individual applications such as email and SMS programs (which store messages locally on the device) may implement their own encryption mechanism (such as a password-protected database) to secure those messages.
So in reality, is true
end-to-end encryption on the public Internet really even available, if the headers of every email you send are still readable? If every SMS you send can be siphoned off of the cell towers anyway?
At this time I would say no
, however it is vitally important that an individual must a)
recognise that data and network security is built up in layers using tools built for this job or that, and b)
build for themselves a very clear picture of what exactly
it is they are trying to achieve (or avoid).