Better Crypto: Did Snowden Succeed?

Snowden is quoted on Greenwald's new book "No Place to Hide" as wanting to both spark a debate over the use of surveillance and to get software developers to adopt and create better encryption:

While I pray that public awareness and debate will lead to reform, bear in mind that the policies of men change in time, and even the Constitution is subverted when the appetites of power demand it. In words from history: Let us speak no more of faith in man, but bind him down from mischief by the chains of cryptography.

[...]

The shock of this initial period [after the first revelations] will provide the support needed to build a more equal internet, but this will not work to the advantage of the average person unless science outpaces law. By understanding the mechanisms through which our privacy is violated, we can win here. We can guarantee for all people equal protection against unreasonable search through universal laws, but only if the technical community is willing to face the threat and commit to implementing over-engineered solutions.

Last week Matthew Green asked:

Only time will be able to answer whether as a community the tech world can devise better and simpler tools for normal users to have their privacy protected by default.

Snowden has succeeded in starting an important discussion and having software developers and their patrons react to the news.

At Xamarin we build developer tools for Android and iOS developers. It is our job to provide tools that developers use on a day to day basis to build their applications, and we help them build these mobile applications.

In the last year, we have noticed several changes in our developer userbase. Our customers are requesting both features and guidance on a number of areas.

Developers are reaching to us both because there is a new understanding about what is happening to our electronic communications and also response to rapidly changing requirements from the public and private sectors.

Among the things we have noticed:

  • Using Trusted Roots Respectfully: For years, we tried to educate our users on what they should do when dealing with X509 certificates. Two years ago, most users would just pick the first option "Ignore the problem".
    Today this is no longer what developers do by default.
  • Certificate Pinning: more than ever, developers are using certificate pinning to ensure that their mobile applications are only talking to the exact party they want to.
  • Ciphersuite Selection: We recently had to extend the .NET API to allow developers to force our networking stack to control which cipher suites the underlying SSL/TLS stack uses. This is used to prevent weak or suspected ciphersuites to be used for the communications.
  • Request for more CipherSuites: Our Mono runtime implements its own SSL/TLS and crypto stacks entirely in C#. Our customers have asked us to support new cipher suites on newer versions of the standards.

Sometimes developers can use the native APIs we provide to achieve the above goals, but sometimes the native APIs on Android and iOS make this very hard or do not expose the new desired functionality, so we need to step in.

Posted on 21 May 2014 by Miguel de Icaza
This is a personal web page. Things said here do not represent the position of my employer.