Better Crypto: Did Snowden Succeed?

by Miguel de Icaza

Snowden is quoted on Greenwald's new book "No Place to Hide" as wanting to both spark a debate over the use of surveillance and to get software developers to adopt and create better encryption:

While I pray that public awareness and debate will lead to reform, bear in mind that the policies of men change in time, and even the Constitution is subverted when the appetites of power demand it. In words from history: Let us speak no more of faith in man, but bind him down from mischief by the chains of cryptography.

[...]

The shock of this initial period [after the first revelations] will provide the support needed to build a more equal internet, but this will not work to the advantage of the average person unless science outpaces law. By understanding the mechanisms through which our privacy is violated, we can win here. We can guarantee for all people equal protection against unreasonable search through universal laws, but only if the technical community is willing to face the threat and commit to implementing over-engineered solutions.

Last week Matthew Green asked:

Only time will be able to answer whether as a community the tech world can devise better and simpler tools for normal users to have their privacy protected by default.

Snowden has succeeded in starting an important discussion and having software developers and their patrons react to the news.

At Xamarin we build developer tools for Android and iOS developers. It is our job to provide tools that developers use on a day to day basis to build their applications, and we help them build these mobile applications.

In the last year, we have noticed several changes in our developer userbase. Our customers are requesting both features and guidance on a number of areas.

Developers are reaching to us both because there is a new understanding about what is happening to our electronic communications and also response to rapidly changing requirements from the public and private sectors.

Among the things we have noticed:

  • Using Trusted Roots Respectfully: For years, we tried to educate our users on what they should do when dealing with X509 certificates. Two years ago, most users would just pick the first option "Ignore the problem".
    Today this is no longer what developers do by default.
  • Certificate Pinning: more than ever, developers are using certificate pinning to ensure that their mobile applications are only talking to the exact party they want to.
  • Ciphersuite Selection: We recently had to extend the .NET API to allow developers to force our networking stack to control which cipher suites the underlying SSL/TLS stack uses. This is used to prevent weak or suspected ciphersuites to be used for the communications.
  • Request for more CipherSuites: Our Mono runtime implements its own SSL/TLS and crypto stacks entirely in C#. Our customers have asked us to support new cipher suites on newer versions of the standards.

Sometimes developers can use the native APIs we provide to achieve the above goals, but sometimes the native APIs on Android and iOS make this very hard or do not expose the new desired functionality, so we need to step in.

Posted on 21 May 2014


News from the .NET World

by Miguel de Icaza

Some great announcements today from the Microsoft world.

#1 Open Source ASP.NET stack

The first one is that Microsoft's next generation web stack (ASP.NET vNext) is open source from the ground up, and runs on Mono on both Linux and Mac.

There are plenty of other design principles in this new version of ASP.NET. I provide a translation from Microsoft speak into Unix speak in parenthesis:

  • Cloud-ready out of the box (this is code name for "can run with different versions of .NET side by side").
  • A single programming model for Web sites and services
  • Low-latency developer experience (Refresh on browser recompiles)
  • Make high-performance and high-productivity APIs and patterns available - enable them both to be used and compose together within a single app.
  • Fine-grained control available via command-line tools and standard file formats.
  • Delivered via NuGet (package manager, similar to Node's NPM or Ruby Gems).
  • Release as open source via the .NET Foundation.
  • Can run on Mono, on Mac and Linux.

Update: And the software is live at http://github.com/aspnet

Client Libraries to Microsoft Services

They are shipping a number of new components to talk to their online services, and they all have a license suitable for being used from platforms other than Windows.

Posted on 12 May 2014