Eric Holder says ‘worrisome’ tech companies are eyeing encryption

For the second time in as many weeks, a senior U.S. government official has warned that widespread use of encryption could harm investigations.

In a speech to the Global Alliance Conference Against Child Sexual Abuse Online conference in Washington, D.C., U.S. Attorney General Eric Holder said it's worrisome that companies are introducing systems that thwart the ability of law enforcement to quickly access a smartphone when a child is in danger.

"We would hope that technology companies would be willing to work with us to ensure that law enforcement retains the ability, with court-authorization, to lawfully obtain information in the course of an investigation, such as catching kidnappers and sexual predators," he said, according to a transcript provided by the U.S. Department of Justice.

"It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy," he said.

Holder's remarks echo those made last week by FBI Director James Comey, who told reporters that quick access by law enforcement to the contents of a smartphone could save lives in some kidnapping and terrorism cases.

The warnings come as Apple and Google are rolling out capabilities that enable millions of smartphone users to protect information on their devices so that no one, aside from someone in possession of a password, can access the data. Even the OS makers and phone companies won't have access.

Apple's iOS 8 allows users to encrypt some information on their phones while the next version of Google's Android OS, Android L, will enable full-phone encryption by default.

Comey accused smartphone companies of offering encryption as something expressly to allow people to place themselves beyond the law.

Some see the government requests as not without irony. Interest in encryption has been heightened by revelations from former U.S. National Security Agency contractor Edward Snowden that several U.S. government programs are sucking up details on the communications of millions of people.

Holder urges tech companies to leave device backdoors open for police

Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

"It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy," Holder said at a conference on child sexual abuse, according to a text of his prepared remarks. "When a child is in danger, law enforcement needs to be able to take every legally available step to quickly find and protect the child and to stop those that abuse children. It is worrisome to see companies thwarting our ability to do so."

In his comments, Holder became the highest government official to publicly chastise technology companies for developing systems that make it difficult for law enforcement officials to collect potential evidence, even when they have search warrants. Though he didn't mention Apple and Google by name, his remarks followed their announcements this month of new smartphone encryption policies that have sparked a sharp government response, including from FBI Director James B. Comey last week.

Federal, state and local law enforcement officials have complained loudly that the companies are undermining efforts to fight crime, including terrorism. Apple's newest mobile operating system, iOS 8, is so thoroughly encrypted that the company says it cannot unlock iPhones or iPads that use it. Google's Android operating system plans to begin using encryption automatically, for all users unless they specifically opt out, in a version to be released in October. (It will take months or years for that feature to reach most Android users.)

Company officials have said stronger encryption better protects the privacy of users by toughening the security of the devices against a wide range of intrusions, by governments, criminals or curious hackers. American technology companies have been particularly eager to demonstrate their commitment to user privacy in the aftermath of the revelations by former National Security Agency contractor Edward Snowden, detailing the extensive reach of government surveillance.

Apple and Google did not respond to requests for comment Tuesday.

Holder was speaking to the Global Alliance Against Child Sexual Abuse Online, meeting in Washington, when he raised the issue of preserving government access to electronic devices.

"Recent technological advances have the potential to greatly embolden online criminals, providing new methods for abusers to avoid detection," Holder said. "In some cases, perpetrators are using cloud storage to cheaply and easily store tens of thousands of images and videos outside of any home or business and to access those files from anywhere in the world. Many take advantage of encryption and anonymizing technology to conceal contraband materials and disguise their locations."

He called on companies to "work with us to ensure that law enforcement retains the ability, with court-authorization, to lawfully obtain information in the course of an investigation, such as catching kidnappers and sexual predators."

Even with the new forms of encryption, government officials maintain access to several sources of data related to the use of smartphones, including the records of calls and texts kept by cellular carriers and the device backups that most smartphones make on remote cloud services, such as Apple's iCloud. Police with search warrants also are free to use third-party tools to try to crack the encryption on smartphones or other devices. Courts can potentially order users to furnish passcodes that will unlock devices as well.

Craig Timberg is a national technology reporter for The Post.

CloudFlare reveals ‘Universal SSL’: Free, headache-free encryption for websites

More and more websites are looking to enable SSL encryption to protect their visitors from eavesdroppers and hackers. Now web infrastructure company CloudFlare will make it a bit easier by adding that feature to the free version of its hosting service.

Revelations about government snooping and Google's decision to prioritize sites with encryption turned on in its search results have given SSL a big push.

However, cost and complexity have meant that before Monday fewer than 0.4 percent of websites were encrypted, according to CloudFlare. It aims to boost that with Universal SSL, which works regardless of budget or technical know-how, the company said. The two million sites that today use the free version of CloudFlare's service will be the first that are able to take advantage of the feature.

Having encryption may not seem important to a small blog, but it's critical to advancing the "encrypted-by-default future" of the Internet, according to CloudFlare. Every byte that's protected makes life more difficult for those who wish to intercept, throttle, or censor the web, the company said in a blog post on Monday.

For sites that didn't have SSL before, CloudFlare will use its Flexible SSL mode by default. That means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's server will not. Site owners need to install a certificate on their web servers to encrypt that segment, as well. To help, CloudFlare will publish a blog post with instructions.

A bonus with Universal SSL is that the feature is compatible with SPDY, a protocol used to speed up web traffic by minimizing latency.

As with many free services, there are some limitations compared to paid plans. The main one in this case is that Universal SSL only works with modern browsers, which excludes about 20 percent of web requests. To get support for all browsers, users need to sign up for CloudFlare Pro (which costs from $20 per month), Business or Enterprise.

CloudFlare Pushes More Encrypted Web

Whether a website sells salon appointments or stolen credit-card numbers, Matthew Prince wants to protect it.

Prince, chief executive of CloudFlare, a San Francisco cybersecurity and network company, is allowing customers to encrypt connections to their sites for free. Prince, 39 years old, says the offer could extend encryption to roughly two million websites that use the free version of CloudFlare's service.

Encryption would create hurdles for both fraudsters and governments, security experts said. Hackers would have a more difficult time spoofing legitimate websites. Intelligence agencies could be challenged to figure out what protesters are reading online.

The move is an important step in making encrypted connections standard, said Morgan Marquis-Boire, a security researcher at the University of Toronto's Citizen Lab. People in Vietnam would be able to feel a little safer about reading a blog critical of the government, he added.

Christopher Soghoian, principal technologist at the American Civil Liberties Union, added, "It's huge."

CloudFlare's move is the latest effort by Silicon Valley to harden the Internet against both spies and cybercriminals since former National Security Administration contractor Edward Snowden last year revealed the extent of government surveillance, and tech-company cooperation. In April, Google announced it would give bonus points in its search-ranking algorithm to websites that use encryption.

Today, fewer than three million of one billion websites use encryption, according to surveys from Netcraft, which monitors Internet traffic. Many media sites including wsj.com don't use encryption for their homepages because it doesn't work with some advertising networks.

Encryption scrambles data and communication with the page, preventing hackers from stealing credit-card numbers in transit or spying on which pages are accessed. It also lets users know they have reached the website they intended to reach. If a site uses encryption, its web address will start with https instead of http, and a colored padlock will appear next to the address.

Encryption is primarily used by larger website operators. Small operators use it less frequently because of the cost.

Prince says he reached deals with the companies that issue encryption certificates to reduce the cost. But he said the offer will hurt CloudFlare's bottom line.
