I should apologise that this blog is not (currently) served over https. It's on my to-do list, but that list is pretty stupidly long. (As an aside I don't look forward to the day when I have nothing to do. The idea of just putting my feet up is horrible. It feels like I've had at least 50% more things to do than I have time to do since about 2007; but the upshot is that I genuinely don't think I've been bored once in the last 7 years.)
Anyway, recent comments by Phil Zimmermann – the creator of the email encryption software PGP – struck me as particularly (if unsurprisingly) smart. The upshot is yet another timely argument against David Cameron's frankly embarrassing stance on end-to-end encryption: attackers are always going to find a way around whatever perimeter security you put up, but if your data is properly encrypted, with the keys held somewhere other than the servers they break into, then getting access to those servers doesn't give them anything readable. So those Sony emails and movie scripts, for example, would have been worthless to whoever took them if they'd been stored encrypted rather than in the clear.
This article is worth a read, as is Phil's original blog post.
In related news, BMW recently patched their ConnectedDrive software after a flaw was identified by a third party. The shocking part of the story is that prior to this patch the software was using plain, unencrypted HTTP to send and receive data, which means anyone positioned between the car and BMW's servers could read and alter that traffic. Given that the software operates the door locks (among other functions), it is mind-boggling to me that its developers didn't choose HTTPS in the first place.
A culture of 'encrypt by default' needs to be instilled.
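To make the "encrypt by default" point concrete, here is an added example (my own illustration, not code from Sony, BMW or Phil Zimmermann) of what a storage layer looks like when it holds only ciphertext and never the key. Records are sealed with AES-256-GCM, the record's label is bound in as associated data so a ciphertext can't be silently moved to a different record, and the key is assumed to live elsewhere (in practice a KMS or HSM; here it is simply a variable the store never sees). The `LeaksPlaintext` helper plays the role of the attacker who has dumped the whole store and greps it for the documents they are after. The names, the sample record and the label scheme are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the storage layer persists: a nonce and the ciphertext
// (which carries the GCM authentication tag). The key is never stored here.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key. In a real system this would be
// obtained from a KMS/HSM rather than generated locally (assumption for the example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-256-GCM and binds label as
// associated data, so the ciphertext only opens under the same label.
func Seal(key, label, plaintext []byte) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // a fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, label)}, nil
}

// Open decrypts a record. It fails if the key is wrong, the ciphertext was
// tampered with, or the label does not match the one used at Seal time.
func Open(key, label []byte, r Record) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(r.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, label)
}

// LeaksPlaintext models an attacker who has dumped the store: it reports
// whether any stored record contains the plaintext bytes verbatim.
func LeaksPlaintext(store map[string]Record, plaintext []byte) bool {
	for _, r := range store {
		if bytes.Contains(r.Ciphertext, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	store := map[string]Record{} // constructed sample "database"
	label := []byte("mail/0001")
	rec, _ := Seal(key, label, []byte("confidential script draft"))
	store["mail/0001"] = rec

	// The dumped store is useless without the key...
	fmt.Println("plaintext visible in dump:", LeaksPlaintext(store, []byte("script draft")))
	// ...but still readable by the legitimate holder of the key.
	pt, _ := Open(key, label, store["mail/0001"])
	fmt.Println("decrypted:", string(pt))
	// And if they steal the key too, as the comments below point out, you are back in trouble.
	stolen, _ := Open(key, label, store["mail/0001"])
	fmt.Println("with stolen key:", string(stolen))
}
```

The point the example makes is the one in the post: the compromise of the store on its own yields nothing, so the real defensive question moves to where the key lives and who can call `Open` with it. Note also that GCM's authentication tag means a tampered or relabelled record is rejected outright rather than decrypting to garbage.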
More on this: Anton Chuvakin points out that, of course, even with encrypted data, key management becomes the challenge: http://www.bbc.co.uk/news/business-31048811
If they can steal your keys you’re still in trouble. But encryption… “present[s] obstacles which, while not insurmountable, hamper [any hackers’] progress”
On encryption http://t.co/2urMGA56Mm