Your Company Needs You (and Your Password)

Govt of India wanted to ban HTTPS and SSH in 2001? [Updated]

Update: We did more research; this proposal was made in 2001 and was not actually implemented. That it dates from 2001 can be verified with a Google search using a custom date range. However, our point stands: it is too easy to propose and obtain a shutdown of internet access, as can be seen from the ongoing blocking of websites. Had this proposal passed, we would not have had the internet revolution we are seeing today, as no e-commerce, ticketing or banking site would have worked under these regulations.

An accident averted? Well, sometimes we have to thank the government for *not acting* on proposals, for the world would have been very different with such bans.

————–

There is a proposal to block access to the Internet as we know it in India, and if it goes through you can say goodbye to Gmail, Facebook and every form of secure communication you have had on the internet.

Here is the proposal: http://www.dot.gov.in/isp/guideinternationalgateway.htm

Please see

II. LEVEL OF ENCRYPTION

Individuals/Groups/Organisations are permitted to use encryption up to 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organisations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority.

This proposal means that:

  1. You cannot use HTTPS in its default form. The default for HTTPS keys is 512. See http://www.openssl.org/docs/apps/genrsa.html#item_numbits
  2. You cannot use SSH in its default form. The default key length for SSH is 1024 or 2048. See http://www.openssh.org/faq.html#2.6
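As an added example (not part of the original article), the following Python check reads an OpenSSH `ssh-rsa` public key line, extracts the RSA modulus length from the wire-format blob, and flags any key longer than the 40-bit cap quoted from the proposal. The sample keys are constructed moduli of the stated sizes, not real RSA keys; only their bit length matters for this audit.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire-format field."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, sign-bit padded)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_ssh_rsa_line(exponent: int, modulus: int, comment: str) -> str:
    """Build an authorized_keys line; used only to construct samples of known modulus size."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def _read_ssh_string(blob: bytes, offset: int):
    """Read one length-prefixed field from an SSH wire-format blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def rsa_modulus_bits(authorized_key_line: str) -> int:
    """Return the RSA modulus size in bits of an OpenSSH 'ssh-rsa' public key line."""
    fields = authorized_key_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, offset = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the line prefix")
    _exponent, offset = _read_ssh_string(blob, offset)  # mpint e
    modulus, _ = _read_ssh_string(blob, offset)         # mpint n
    return int.from_bytes(modulus, "big").bit_length()

def exceeds_permit_free_limit(authorized_key_line: str, limit_bits: int = 40) -> bool:
    """True if the key is longer than the 40-bit cap quoted from the proposal."""
    return rsa_modulus_bits(authorized_key_line) > limit_bits

# Constructed sample moduli (not real RSA keys; only their bit length matters here).
DEFAULT_SSH_KEY = build_ssh_rsa_line(65537, (1 << 2047) | 1, "constructed-2048-bit")
CAPPED_KEY = build_ssh_rsa_line(65537, (1 << 39) | 1, "constructed-40-bit")

if __name__ == "__main__":
    for line in (DEFAULT_SSH_KEY, CAPPED_KEY):
        print(line.split()[-1], rsa_modulus_bits(line), exceeds_permit_free_limit(line))
```

Run against a real `~/.ssh/id_rsa.pub` line, the same function reports the 1024- or 2048-bit defaults the article mentions, both far above the cap.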

Why is this bad?

  1. Most software companies use SSH as part of their daily workflow. This means that most software which people use daily will break.
  2. You use HTTPS every day. For example, Gmail changed its default to always use HTTPS in 2010, because they cared about your privacy. Facebook recommends that you always use HTTPS. With the default key length of 512, you would be breaking the law.
  3. Let's say that everyone changed their defaults to always use key lengths of 40 bits (which is not going to happen). This is what Wikipedia says about 40-bit key lengths:

A typical home computer in 2004 could brute-force a 40-bit key in a little under two weeks, testing a million keys per second; modern computers are able to achieve this much faster. Using free time on a large corporate network or a botnet would reduce the time in proportion to the number of computers available.[1] With dedicated hardware, a 40-bit key can be broken in seconds. The Electronic Frontier Foundation's Deep Crack, built by a group of enthusiasts for US$250,000 in 1998, could break a 56-bit Data Encryption Standard (DES) key in days,[2] and would be able to break 40-bit DES encryption in about two seconds.[3]

So all your banking passwords, your credit cards and your private data are breakable in seconds. I am sure that the internet doesn't have any crackers who want to steal your passwords.

[Guest article contributed by Shabda. He is a cofounder of Agiliq, a company that builds amazing apps. Their blog talks about many technical topics, but reading them may soon be illegal as they plan to use HTTPS.]

[Notes from the Editorial team: Apologies for the confusion; the above DoT link didn't carry any date, and there was a lapse by the Pluggd.in editorial team in verifying the content's accuracy. Similar discussion/emotions were seen at HackerNews, and we'd like to again apologize to our readers for the confusion caused.]
