Vodafone Germany looks to provide end-to-end encryption with SIM signatures

German SIM card manufacturer G&D has announced that it will be supplying Vodafone Germany with an end-to-end security system based on the phone SIM. Emails, documents and VPN connections are signed and encrypted by the SIM so that the user doesn’t have to enter a password or use a security token. The service will not be …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Exceptional cases indeed

    "but in exceptional cases a government agency can request a legal intercept and Vodafone will provide access"

    So, in summary they'll hand over your communications at the drop of a hat to supposedly lawful (yet probably warrant-less) requests from the nose-pokers of "friendly" intelligence agencies. And with the near unlimited budget of the state-sponsored hackers, you have to wonder how long it would take the "unfriendly" governments to compromise the encryption routine.

    So all in all, just a bit of additional security theatre for Angela Merkel's phone.

    1. Anonymous Coward

      Re: Exceptional cases indeed

      My exact thought. In GSM the provider has your SIM private key so anyone who compromises the provider or anyone who can serve the provider an appropriate court order will be granted full access to all of your comms.

      Frankly a trivial 5-line signer app using self-signed X.509 certs (leveraging the existing Java APIs to access them) or gpg keys (using the readily available classes to access these) is more secure.

  2. Crisp

    The service will not be offered to individual subscribers

    Why? Is my privacy worth less?

    1. Vimes

      Re: The service will not be offered to individual subscribers

      It's worth nothing as far as the authorities are concerned. Zip. Zilch. Zero. Nada.

      As for phone hacking, if you intercept the calls of a handful of people you get - albeit reluctantly - taken to court. If you do the same to hundreds of thousands of your own customers across the country as part of a senior role at a national telco then you end up in government.

      Just ask Ian Livingston. He was heavily involved in the Phorm trials involving illegal interception of communications and yet he was chosen by Cameron as a trade minister.

      Not that I have any more respect for Labour - they were in power at the time of the trials and one of their own was a non-executive director at BT - but shouldn't something have been learned from the mistakes made in hiring Coulson?

    2. Anonymous Coward

      Re: The service will not be offered to individual subscribers

      > Why? Is my privacy worth less?

      I have to admit that bit did puzzle me.

      Why would they make the distinction?

      If it's a service that people want and they can offer it at a price that people will pay, why on earth wouldn't they do it?

      1. Vimes

        @Skelband Re: The service will not be offered to individual subscribers

        > If it's a service that people want and they can offer it at a price that people will pay, why on earth wouldn't they do it?

        Perhaps because big corporate and government contracts will generate more money for them at the beginning of this scheme than a handful of customers that happen to be early adopters?

        The various companies seem to have profited quite nicely from the spying. Why else would some of them be so willing to go further than the law demands?

        If they can similarly profit from giving people a sense of privacy - that they helped to strip away in the first place - then no doubt they'll do this too.

        Follow the money. Commercial organisations are there to generate profit, not to serve the public good.

  3. Bob Gender

    Any chance of an objective comparison of this with Apple's "burn the admin keys and superglue the locks" privacy infrastructure?

    http://www.digitaltrends.com/mobile/apple-imessage-ios-lightning-icloud-security/#!ziK6Q

    No, didn't think so. Much easier to use words like fanboi and pretend that Apple does nothing special that might make their customers choose to buy their products over the weak crap from others.

    1. Anonymous Coward

      That seems a poor article that skips over the places where things can be subverted, presumably to give you the warm and fuzzies about security. For example the article claims that messages are encrypted with a public key, and that the corresponding private key never leaves the iOS device. They also claim that the service is store and forward, so the message is deleted after delivery. If that's true, then it should be completely impossible to restore any iMessages. As it is possible to restore iMessages, they must be stored somewhere in Apple's cloud, and therefore accessible.

      1. Bob Gender

        Ah, so they're lying, got ya.

        Feel free to read the source itself, if you want.

        http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

        I searched for El Reg's story on this but it must have slipped through the cracks. Or do I mean "not fit their childish agenda".

  4. Paul Crawford

    Why?

    Given that there are plenty of cases of phones being compromised, thus the data can easily be had before any crypto, what do you get from this that is so important? Also given the carriers do (or can be forced to) cooperate with any country you are in, the possibility of them doing it to your phone cannot be ruled out.

    So better to use a rooted phone, with care, and some open-sourced app? Of course, the fundamental problem still applies, of Bob & Alice knowing each other's true keys when most of the SSL certificate authorities are dubious.

    Or go back to exchanging microfilm hidden in odd places. Maybe not that secure, but probably too costly to simply be hoovered up "in case we need it in 5 years".
