FREAK regulation leaves us less secure

The liberals, anarchists, and socialists are all telling us how Obama’s new Internet regulation plan is such a great idea. They say we need to trust government bureaucrats to keep us better off, making the Internet more like the DMV, instead of managed by corporations, which are evil because they invest, compete, and create incentives where a better, faster Internet for us makes more money for them.

We are reminded this week that government doesn’t work, and will in fact not make you better off online.

Government regulation of cybersecurity has resulted in an important security hole today.

Pictured with this post is the Hitler bunker’s own Enigma machine. The mythology around cryptography is that the way you read encrypted messages is to crack the code, in the way that the US and UK war efforts cracked Enigma and the Japanese codes.

Government bought into this faddish thinking as well. Back in the 90s government stepped in and regulated the flow of cryptographic software in this country, calling the math a ‘munition.’ So they regulated the Internet, and as a result every US provider of software was required to distribute ‘export-grade’ cryptography that even back then was at risk of being broken.

Flash forward to today, and it turns out those export-grade codes are now easily broken. In fact, the server’s own private keys can be completely taken apart in hours, meaning all of the communications by that server using that code can be read. Few browsers attempt to use those old codes, though, so it was thought to be a dead issue.

Here’s where all the thinking back then was wrong, though. The code is only as strong as the protocol you use to govern the code’s usage. We broke Enigma in part because the Germans used nice, regular message forms, giving us easy known-plaintext attacks on their codes. That is, each message they sent started with the same letters, so we could use trial-and-error to crack the messages, and even built large machines (early analog computers) to do just that.

Well, it turns out the protocol software surrounding website encryption also has issues, and as a result attackers are tricking web servers and browsers into using ‘export-grade encryption’, breaking down the whole system and leaving us at risk.
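The protocol weakness above comes down to a client accepting a cipher suite it never asked for. As an added example (not code from the original post), here is the check a careful client or a defender's scanner should apply to a TLS ServerHello: parse the negotiated suite, flag export-grade suites, and flag any suite the client did not offer. The cipher suite ids are the standard TLS registry values; the ServerHello bytes are constructed here for illustration.

```python
"""Added example: check a TLS ServerHello for export-grade or
unrequested cipher suites. Sample record is constructed inline."""
import struct

# Export-grade RSA/DHE suites from the TLS 1.0 cipher suite registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite id chosen in a TLS ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # body layout: 1 type + 3 length + 2 version + 32 random, then session id
    sid_len = body[38]
    pos = 39 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]

def check_negotiation(offered, record):
    """Return (chosen suite, list of problems) for a ServerHello."""
    chosen = parse_server_hello(record)
    problems = []
    if chosen not in offered:
        # A correct client must reject this; the downgrade relies on it.
        problems.append("server chose a suite the client never offered")
    if chosen in EXPORT_SUITES:
        problems.append("export-grade suite: " + EXPORT_SUITES[chosen])
    return chosen, problems

def build_server_hello(suite: int) -> bytes:
    """Constructed sample: minimal TLS 1.0 ServerHello selecting `suite`."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    offered = [0x002F, 0x0035]  # AES128-SHA, AES256-SHA only
    print(check_negotiation(offered, build_server_hello(0x0003)))
```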

Government was wrong in its thinking about encryption. Government was wrong in its thinking about regulation, as well, since restricting encryption exports merely moved encryption research and software development outside of the US, to Canada and to Europe. But we continue to pay the price today for meddling government, in the form of a bunch of software patches that must be developed and deployed at great expense to all of us.

What unforeseen consequences will we have of Obama’s cybersecurity executive orders, or Obama’s Internet regulation plans now? We might not find out for 30 years.