Russia Wants To Ban the Use of Secure Protocols Such As TLS 1.3, DoH, DoT, ESNI (zdnet.com)
An anonymous reader writes: The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities. According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI. Moscow officials aren't looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure. Instead, the government wants to ban the use of internet protocols that hide "the name (identifier) of a web page" inside HTTPS traffic.
Same old same old (Score:4, Insightful)
Isn't that the same discussion that is currently going on in most western countries, too?
Re:Same old same old (Score:5, Informative)
> Isn't that the same discussion that is currently going on in most western countries, too?
China is already blocking ESNI. Western tyrannies are more mad about E2E encryption. They believe a warrant gives them the power to find rather than the power to look (American Secessionists in the 1770's used cyphers too).
That being said, the 9th Circuit totally vindicated Snowden recently and found that none of the NSA spy program was needed to stop any crimes. Traditional police work did that.
What the Court didn't address is the use of NSA programs for parallel construction, political advantage, and blackmail operations, which is why it really exists.
Re:Same old same old (Score:4, Interesting)
> > Isn't that the same discussion that is currently going on in most western countries, too?
> China is already blocking ESNI. Western tyrannies are more mad about E2E encryption. They believe a warrant gives them the power to find rather than the power to look (American Secessionists in the 1770's used cyphers too).
> That being said, the 9th Circuit totally vindicated Snowden recently and found that none of the NSA spy program was needed to stop any crimes. Traditional police work did that.
> What the Court didn't address is the use of NSA programs for parallel construction, political advantage, and blackmail operations, which is why it really exists.
The government argued that if the program was illegal, the evidence used in a terrorism case would be suppressed, and terrorists would go free. They didn't want their terrorism case dropped. The court basically said the program wasn't authorized by such and such law because of technical reasons, and might be unconstitutional (if not authorized by something else), and the real kicker: it doesn't matter, no evidence suppressed, and convictions upheld, nothing changed. Yup, the evidence obtained with fisa warrants through that illegal phone-metadata program is still valid, and assholes are still in prison. The government won, there is nothing left to argue unless there are more appeals, more cases etc. You tell me how any of that is unfair or abusive or wrong, because if it was, that court did not hand you the ruling you were hoping for.
That is not a vindication of Snowden. In layman's terms, the NSA moves a Splunk indexer from their own data center to the phone company's, goes through the exact same fisa process they did in that case in question, and they've solved the technical problem the 9th circuit found going forward. But they've already done that, they previously ended the program in question. They absolutely do have access to phone metadata. The such and such law I previously mentioned - it inarguably DOES authorize them to keep doing what they do - collect intelligence, from a wide variety of sources, in a regulated manner. They did that, they still do.
So what travesty did Snowden reveal? Spy agencies collect intelligence. No. Shit. What abuses, what harm, what unfairness did he bring to light? Are convictions being overturned? Cases being thrown out of court? What wrongs have been righted? He hasn't been vindicated because he broke the law and fled to our adversaries, and not one single god damned thing has changed in any meaningful way. The NSA does what it does, the FISA court does its thing, the FBI is still trucking. Now you can argue that you just have more work to do, and the REAL real point was just to raise awareness, but look at yourself, you're digging through someone's trash, looking for some wrong to justify your guy dumping their stuff in the street in the first place, going AHAH, this postcard has a winking emote at the end of it, totally justified!!1
Re: (Score:3)
Sure, spy agencies do collect intelligence. But in the US it's not legal for them to do so on American citizens. That kind of information collection is in the purview of law enforcement, and traditionally requires a court warrant. That the law was being violated by these agencies is the travesty. That is the abuse.
Re: (Score:2)
I should have added, specifically it's illegal for them to gather intelligence on American citizens on US soil.
Re: (Score:2)
I should have added, specifically it's illegal for them to gather intelligence on American citizens on US soil.
That's an oversimplification of a complicated subject. They can, but it's regulated differently.
https://www.nsa.gov/about/faqs... [nsa.gov]
The executive order, however, prohibits the collection, retention, or dissemination of information about U.S. persons except pursuant to procedures established by the head of the agency and approved by the Attorney General.
And from 50 USC 1861, the law the court was referring to in this supposed Snowden vindication thing
(2) An investigation conducted under this section shall
Re: (Score:2)
> Isn't that the same discussion that is currently going on in most western countries, too?
It is. The Russians are doing the same evil, but they are at least honest about it. In the west, the ones that desperately want the capabilities to spy on everybody online directly lie instead and offer various pretexts about what this is supposedly for. No lie stupid or immoral enough.
Re: (Score:1)
As a sidebar I'd much rather be killed
Re: (Score:2)
Well, in the US they will just identify some of the "three felonies per day" everybody does (and online surveillance is one of the things that makes that easier) and lock you up for the rest of your life. I would say that is even less desirable. Although, because those in power in the US still pretend to some degree that the country is "free" and that you have "rights", the level of provocation you have to give is significantly higher. It is basically the same thing though.
Re: (Score:2)
> ..."three felonies per day" everybody does...
Um.. what are you talking about, exactly? I've never heard that before, it sounds like a meme..
Re: (Score:3)
Well, we limit and hinder freedom in order to preserve the American Way of Life, which is about freedom. Ya, it does sound stupid when said out loud. In Russia you could always say that the preservation of the Russian Way of Life is about maintaining autocratic governance and vodka production, so it's not nearly as hypocritical to restrict some types of encryption.
Re: (Score:2)
Exactly. In some ways it is worse, but in others it is a lot more clear and honest what is expected of you. Both systems deeply suck though and both systems seem to ultimately want total control of their citizens.
I'll give this a try ... (Score:2)
> The Russian ... government wants to ban the use of internet protocols that hide "the name (identifier) of a web page" inside HTTPS traffic.
In Soviet Russia, Internet browses you.
[ Will become a U.S. government effort as well in 3... 2... 1... ]
False Sense Of Security (Score:2)
Don't fall for this. Russia is drawing attention to this because they've already broken those protocols and don't want people moving to different communication methods that they don't completely control.
Re: (Score:3)
Wait?! So stay on the "already broken" protocols that they completely control? Is this the 4D chess I keep hearing about?
Re: (Score:3, Informative)
That is exceptionally unlikely, for numerous reasons. Stupid conspiracy theory is stupid.
Re: (Score:2)
And we should use what instead? Even if they did break it, if you don't have any alternative, at least it will protect you from maybe your neighbor or generic fools.
Oh well (Score:2)
back to uuencode and Rot-13. /s
I would think (no of course I didn't read the article) that every time they ban some "secure" protocol, there would be another 10 or 20 they didn't know about.
Looks like random fragmentation of the Internet is on the books for the 2020s.
At some point I'm pretty sure every country will have its own Internet, and any time traffic has to leave that zone, there will be AI and plenty of government employees watching every bit to make sure it's "OK".
Re: (Score:2)
Well that sucks. Now we have to burn all books.
Re: (Score:2)
Also we know all about Fahrenheit 451, and we're on the lookout for it. We know it's a cautionary tale; we also know there are some who mistakenly think it's an instruction manual. Usually the same ones who think Ayn Rand writes 'instruction manuals'.
Re: (Score:2)
Ayn Rand fans: https://www.newsweek.com/jk-ro... [newsweek.com]
It's Russia (Score:4, Insightful)
Russia's appetite for oppression is consistently outmatched by the ability of the Russian people for successful disobedience.
Russian nerds will find a way.
Re: (Score:2)
> nerds will find a way... for successful disobedience
Russia: circumvents encryption to avoid censorship
Japan: animated porn to avoid pixelation
Re: (Score:2)
> Russia's appetite for oppression is consistently outmatched by the ability of the Russian people for successful disobedience.
> Russian nerds will find a way.
In the USA they just shrug and say "that's that, then".
Re: (Score:2)
Censorship doesn't have to be anywhere close to perfect to be effective. Applying a layer of inconvenience is enough. Yes, the people could go and look at foreign news sites and media if they wanted to put in half an hour of effort - but that's a lot of time to spend looking for news, when the state-approved media requires only seconds.
Re: (Score:3)
> Russia's appetite for oppression is consistently outmatched by the ability of the Russian people for successful disobedience. Russian nerds will find a way.
It only works up to a point. In the past two years, China has actually made it impossible to use a VPN. The great firewall was upgraded with actually smart software that detects obscured traffic and closes the connection in a couple of seconds. All my colleagues in China have switched to using local email accounts simply because they cannot reach gmail. There is no VPN provider - and these used to be a sizable market - that has figured out in two years how to circumvent that.
Circumventing the govt restricti
Why bother changing the law (Score:4, Insightful)
Dictator Putin just does what he wants anyway regardless of any legal framework and anyone who contradicts him ends up in hospital suffering from nerve agent poisoning. Or just shot in the street because of a "mugging".
Re: (Score:2, Funny)
What Putin does is mostly peaceful.
Re: Why bother changing the law (Score:1)
Donald, is that you ?
Not saying it was aliens... (Score:2)
> Moscow officials aren't looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure. Instead, the government wants to ban the use of internet protocols that hide "the name (identifier) of a web page" inside HTTPS traffic.
Translation: "We're not saying we want to ban HTTPs, but... we want to ban HTTPS."
Re: (Score:2)
Yeah this law requires a minor workaround at most - if you have a local DNS server that gets its list from something other than one of the banned services (such as by sneakernet if nothing else), you can do all the first-world-secure browsing you want.
That doesn't help when you're using SNI (Score:4, Informative)
Using a different DNS doesn't help - that's the entire point of banning TLS 1.3. Hiding your DNS is only helpful if you're also using TLS 1.3.
With TLS 1.1 and 1.2, the hostname is sent in the flea because the server needs to know which site you want to connect to before it can use that site's certificate to start setting up encryption.
Re: (Score:2)
Ah true...working around that would require a VPN-over-HTTPS to a server that also looks like a regular website that would pass a lot of traffic both ways (running on the same port as the VPN service!), which will be much more difficult.
Re: (Score:2)
Actually it would also require traffic padding to make the traffic patterns match a regular user's pattern as well, so that secret VPN users can't be identified by traffic pattern analysis.
Re:That doesn't help when you're using SNI (Score:4, Funny)
> With TLS 1.1 and 1.2, the hostname is sent in the flea
I'm itching to point out your entertaining autocorrect error.
Re: (Score:2)
Larger packets are sent with RFC 1149.
Re: (Score:2)
More likely, there will be no workaround. Russia's market isn't large enough to force changes in software makers' behavior, so I'm guessing things will just stop working and web browsing will just break for a whole country.
Thanks to one random firewall, I have now seen what happens when you block TLS 1.3: The endpoints ended up just refusing to make a connection:
Goes along with Russia's interference (Score:2)
"We assess that President Vladimir Putin and the senior most Russian officials are aware of and probably directing Russia's influence operations aimed at denigrating the former U.S. Vice President, suppo
I wonder why DoH is in that list (Score:2)
Couldn't they simply run their own DoH server and let Mozilla include it as the only one? I mean Mozilla blindly trusts Cloudflare there for no public reason. Yandex or any other Russian company is not really less trustworthy than Cloudflare.
I fear the Internet is destined to be fractured (Score:2)
In Soviet Russia... (Score:1)
ECH is dumb (Score:3)
I fully support secure transports for name resolution so long as it's done at the proper layer and not just a power grab like Mozilla's DoH scheme.
Yet this business of obscuring destinations (ECH et al.) because the destination happens to be linked to a massive shared hosting provider is not something I support for a number of reasons.
1. The utility of the obfuscation is unknown and unknowable to the user, providing no useful indication of privacy. Any advertised support for ECH et al. is therefore less than worthless. Users simply don't know if the IP address is at the time shared by no other sites at all or a million public ones. Likewise users have no information on the distribution of content. If you are going to surf political porn sites and all the hosting provider does is host political porn sites, the fact of what you are doing is not meaningfully protected... and again you have no way of knowing this.
2. Obscuring where packets are from or to is not part of the deal of the Internet. If you require this level of privacy you should be using an overlay network explicitly designed to provide it (e.g. Tor).
3. It has been demonstrated that, even when using a fully secure connection, if you are browsing a public site, exactly what you are browsing can be determined with high accuracy.
4. This technology creates perverse incentives which benefit large hosting providers to the detriment of small operators or organizations hosting sites on a non-shared environment.
5. When coupled with Mozilla's power grab bypassing system naming services, it becomes impossible to administratively filter traffic for security or content without incurring collateral damage unless heavy-handed MITM schemes are employed.
Mass surveillance concerns associated with server name/public key identity transmitted in the clear could have easily been addressed with anonymous key agreement schemes whose parameters are double checked after certificate authentication to alert the user of privacy breach and prevent higher layer requests from being transmitted. This would have provided more protection across the board rather than limiting applicability only to large hosting providers.
Re: (Score:2)
> I fully support secure transports for name resolution so long as its done at the proper layer...
What is the proper layer? HTTP has established itself as a universal, robustly implemented do-all protocol at this point -- it seems like a fine enough layer to do things at.
> ... and not just a power grab like Mozilla's DoH scheme.
I guess you feel this a power grab because you think Mozilla wants exclusive access to data that currently the ISP has. If that's accurate, you should know that DoH is an open protocol and doesn't give any power to Mozilla.
We've needed to move this power away from ISPs for a long time. They've shown again and again their willingness to
Re: (Score:2)
> What is the proper layer? HTTP has established itself as a universal, robustly implemented do-all protocol at this point -- it seems like a fine enough layer to do things at.
The operating system's naming stack is the proper layer.
I do not prefer HTTP for DNS because it adds unnecessary complexity without providing any substantive value in return. There is already TCP support for DNS which is sufficient if you intend to use a stream transport.
Personally I prefer DNS over DTLS to minimize latency and server-side resource consumption, yet I don't really care either way... DNS over (D)TLS, DoH... whatever. So long as TLS is used and the protocol does not allow for DDOS amplificatio