Moved site to HTTPS only

Noticed the following tweet the other day:

Thought this would be a perfect time to switch my website to HTTPS only. Previously I have played around with using my own CA, trusting this CA on any computer I use, and then I can generate my own certificates as and when I feel like it. This is generally alright for personal use, but for public use there is little benefit in doing this rather than just using self-signed certs.

I found Let's Encrypt fairly easy to use; the only problem was I had to bring Apache down for a few minutes while I requested a cert – this is a minor thing, but I do host a few other websites on the same VPS I use for my website, so something to bear in mind. The expiry time seems pretty short too, only extending 3 months into the future by default.

Anyway, it beats paying for a cert 🙂

David Cameron wants to ban encryption

Yes, apparently so.

For those of you who can’t be bothered reading the article, David Cameron would like to ban all forms of encryption that the UK intelligence agencies (MI5/GCHQ) can’t crack. As far as the Snowden leaks show, that will include things like PGP, OTR Messaging, ZRTP, and also proprietary applications like WhatsApp, iMessage and Skype, although apparently the latter has already been cracked by the NSA [1] (http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data), and who knows about the other two, as they’re closed source and can’t be peer reviewed.

In the UK we have already lost the right to not incriminate ourselves due to oppressive RIPA legislation [2] (https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000#Controversy), we are currently one of the only countries in Western Europe to implement internet censorship [3] (http://12mars.rsf.org/2014-en/), and seem to be losing our right to privacy in general. These measures seem to be getting pushed through parliament under the guise of ‘protecting our country from terrorist attacks’. If so, where is the proof that these measures have actually prevented any terrorist attacks?

Personally I encrypt as much of my data as I can: I carry an encrypted Android phone & tablet, my laptop is encrypted, I use PGP when I can. If the government were to make it illegal to encrypt stuff in a way that would prevent them accessing it, I’d probably still use the same tools. I don’t think I could trust them to not muck up – remember the lost MoD hard drive, amongst others [4] (https://en.wikipedia.org/wiki/List_of_UK_government_data_losses)?

What’s the point in having intentionally weak encryption?

What about people who want to use Open Source encryption methods (me for one) – forcing all encryption to have a backdoor would all but render the encryption useless, unless we removed the backdoor, which would then be illegal.

What about an employee or foreign diplomat that is travelling across borders, is Mr Cameron saying that they’ll be unable to protect their company or state secrets?  What about Mr Cameron’s state phone, will it be rigged with a method of decrypting?  If so, what if foreign intelligence agencies gain the power to read the encrypted data?

It also sounds like he isn’t a big fan of Tor – the anonymity tool. Yes, it certainly seems to cause GCHQ and the NSA a massive headache, but its positive uses far outweigh the negatives. Things like whistleblowing, political activism in oppressed regimes like North Korea, China and Iran, and also protecting their own agents working abroad from detection are all vitally important to protecting our freedom, and the freedom of others. We can’t ban something just because it might be used for evil; if we did we’d have no internet or telephone as they might be used by terrorists to collaborate, we’d have no vehicles as they could possibly transport drugs, and we’d not be allowed to leave our homes in case we tried to rob a shop. All of these things are absurd, and so would outlawing encryption.

So David, do you think you could leave the [important] technical decisions to some of your [hopefully] more intelligent advisors?