If a country like the UK decided to ban end-to-end encryption, how would they even enforce it? I understand that they could demand big companies like Apple stop providing such services to their customers and withdraw certain apps from the UK App Store. But what’s stopping someone from simply going online and downloading an app like Session? I mean, piracy is banned too, yet you can still download a torrent client and start pirating. What would a ban like this actually prohibit in the end?

  • @cecilkorik@lemmy.ca
    1 day ago

    It’s not only obvious, it’s already done worldwide. Deep packet inspection evolved into HTTPS inspection and corporate/enterprise firewalls can detect and hijack attempts to establish encrypted connections already, as a “feature”. So do government firewalls in totalitarian countries. Of course they (probably) can’t do this secretly and transparently, because of the man-in-the-middle protections built into SSL, so they simply make the actual encrypted connection themselves on the client’s behalf, and give the client a different encrypted connection signed by their own certificate authority, which they force you to accept.

    In this situation, you have two choices: You accept the certificate, and you accept that the owner of the intermediate certificate will be inspecting your “encrypted” connection. If you don’t accept the certificate, then your connection is blocked and you have to find some other way to encrypt and hide your traffic without it being intercepted, because it won’t let you go direct end-to-end. Usually, at the moment, this is not that hard for the tech-savvy to avoid. It doesn’t even require something as secretive as steganography; it’s usually simply a matter of tunneling through a different protocol or port. Those approaches are still obvious, though, and can easily be detected and either blocked in real time or flagged for investigation after the fact if they have any interest in doing something about it. Corporations or countries that want to lock down their networks further can simply block any ports or protocols that would allow such tunneling or inspection-evasion in the first place.

    Deep packet inspection already allows any non-encrypted traffic to be clearly identified. If you don’t want any encrypted traffic to sneak through, you can safely assume anything that can’t be clearly identified is encrypted and block it. Depending on how strict you want to be about it, you start essentially whitelisting the internet to known, plaintext protocols. If it’s not known and plaintext, just block it. Problem solved. Encryption gone, until people start building (possibly hidden) encryption on top of those plaintext protocols, which is inevitable, and then you update your deep packet inspection to detect the encrypted fields inside the plaintext protocol and block them, and the back-and-forth battle continues.

    Encryption is probably a false panacea against a major state-level adversary anyway, especially if they have plausible access to network infrastructure, but that’s a whole different can of worms and unless you’re a serious revolutionary/terrorist probably beyond the useful scope of most people’s realistic concerns.

    • @sanpo@sopuli.xyz
      1 day ago

      Man, deep packet inspection is some crazy stuff.

      A good implementation can identify the type of traffic within seconds with scarily good accuracy.

      Quite a few countries actually implement this in their national ISP’s infrastructure to block VPNs, so the citizens can’t access non-approved websites.
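
An added example, not written by anyone in this thread: the allowlist-style classification described in the first reply (pass only traffic identified as a known plaintext protocol, and flag encrypted-looking fields carried inside it), using Shannon entropy as the "looks encrypted" test. The thresholds, the protocol patterns and the sample payloads are assumptions constructed for illustration.

```python
import base64, hashlib, math, re
from collections import Counter

# Thresholds and the protocol allowlist are assumptions for illustration.
PAYLOAD_LIMIT = 7.0   # bits/byte; uniformly random bytes approach 8.0
FIELD_LIMIT = 4.5     # bits/char for one long token inside a plaintext message
KNOWN_PLAINTEXT = re.compile(
    rb"^(?:(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n|(?:EHLO|HELO) \S+\r\n)")
LONG_TOKEN = re.compile(rb"[A-Za-z0-9+/=_-]{40,}")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per symbol."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(payload: bytes) -> str:
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if payload[:2] == b"\x16\x03":
        return "tls-handshake"
    if KNOWN_PLAINTEXT.match(payload):
        # Recognised protocol: look for opaque fields carried inside it.
        if any(entropy(t) > FIELD_LIMIT for t in LONG_TOKEN.findall(payload)):
            return "plaintext-with-opaque-field"
        return "known-plaintext"
    if entropy(payload) > PAYLOAD_LIMIT:
        return "unidentified-high-entropy"
    return "unidentified"

def allowed(payload: bytes) -> bool:
    """Strict policy from the thread: only known plaintext passes."""
    return classify(payload) == "known-plaintext"

def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 counter stream."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "http_blob": b"GET /a?d=" + base64.b64encode(pseudo_random(96)) + b" HTTP/1.1\r\n\r\n",
    "tls": b"\x16\x03\x01\x00\x05hello",
    "opaque": pseudo_random(2048),
    "odd": b"\x01\x02custom-proto hello hello hello",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} {classify(data):30} allowed={allowed(data)}")
```

Only the plain HTTP request passes the strict policy; the unrecognised but low-entropy payload is blocked as well, which is the "whitelisting" effect the reply describes.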