Streisand effect at work. If certain apps are banned, the criminals will know exactly which apps are safe to use. So I am working out what we can do to help customers that are concerned over security.
Andrews & Arnold and PGP
A&A have always supported use of PGP/GPG and customers can (and do) send encrypted emails. We sign emails we send from the accounts system. Staff have GPG installed and have keys signed by the company key which I control. Sadly few customers use this, and so staff are perhaps less on-the-ball than they could be, but we are working on improving that too.
I think we can do more though. What I am trying to work on now is a way for customers to tell us that they want encrypted emails from us. We would use the https access to the accounts system to manage this, which has some degree of traceable trust, but it would mean uploading a public key to us (or perhaps referencing a key server). We'd need to make this simple, and perhaps even have an API, as some people may wish to issue new keys every day and delete old ones in order to thwart the RIPA requirement to hand over keys if you have them.
The challenge I then face is how we manage that preference as we have various systems that send emails as well as staff that could send emails directly. We would need some way for every system to know to use encryption and which key to use. Now, for staff sending emails we can almost certainly integrate this in with the ticketing system as a "direct" email is relatively rare, but that is not ideal. I suspect that it will take some time to ensure every system and every script that sends emails understands this, unless we run an intermediate outgoing mail server for it.
I am interested in the best practice way of managing this though. I am sure this cannot be an uncommon problem. Should we run a key server? Should we put keys in shared SQL databases? We are only talking public keys so not a huge security issue. Maybe some combination of the two. Any advice welcome.
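To make the "intermediate outgoing mail server" idea concrete, here is an added example written for this page; it is not A&A's accounts system, ticketing system or any of their scripts. It assumes the preference is one row per customer in a small SQL table (sqlite3 stands in for a shared database), that the public key is pinned by its full 40 hex digit fingerprint, that every sending system hands its finished message to one gateway function, and that real encryption is done by the local gpg binary. The stub encryptor in run_demo returns constructed ciphertext so the walk-through runs offline; KeyStore, pgp_mime_wrap, encrypt_outbound, the addresses and the fingerprint are all invented for the illustration.

```python
"""Outbound gateway that encrypts to a customer's registered OpenPGP key.
Added example for this page, not A&A code; see the lead-in for assumptions."""
import email, email.encoders, email.utils
import sqlite3, subprocess
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from typing import Callable, List, Optional

class KeyStore:
    """One current key per customer in SQL; re-registering is an upsert (daily
    rotation is just another call), deleting the row returns them to clear text."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS pgp_pref (email TEXT PRIMARY KEY, "
                        "fingerprint TEXT NOT NULL, public_key TEXT NOT NULL, updated INTEGER)")

    @staticmethod
    def normalise_fingerprint(fpr: str) -> str:
        fpr = fpr.replace(" ", "").upper()   # pin the full v4 fingerprint, never a short ID
        if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            raise ValueError("expected a 40 hex digit OpenPGP v4 fingerprint")
        return fpr

    def set_key(self, addr, fpr, armored_key, now):
        self.db.execute("INSERT OR REPLACE INTO pgp_pref VALUES (?, ?, ?, ?)",
                        (addr.lower(), self.normalise_fingerprint(fpr), armored_key, now))
        self.db.commit()

    def remove_key(self, addr):
        self.db.execute("DELETE FROM pgp_pref WHERE email = ?", (addr.lower(),))
        self.db.commit()

    def lookup(self, addr) -> Optional[str]:
        row = self.db.execute("SELECT fingerprint FROM pgp_pref WHERE email = ?",
                              (addr.lower(),)).fetchone()
        return row[0] if row else None

def gpg_encrypt(fingerprints: List[str], plaintext: bytes) -> bytes:
    """Real encryptor: armoured output from the local gpg binary (assumes the
    customer's key was imported into the gateway keyring on registration)."""
    cmd = ["gpg", "--batch", "--armor", "--trust-model", "always", "--encrypt"]
    for fpr in fingerprints:
        cmd += ["--recipient", fpr]
    return subprocess.run(cmd, input=plaintext, capture_output=True, check=True).stdout

def pgp_mime_wrap(original: Message, armored: bytes) -> Message:
    """RFC 3156 envelope: multipart/encrypted = control part + ciphertext part."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name in ("From", "To", "Cc", "Date", "Message-ID", "In-Reply-To", "Subject"):
        if original[name]:  # Subject stays in clear: PGP/MIME does not protect headers
            outer[name] = original[name]
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                                 _encoder=email.encoders.encode_7or8bit))
    body = MIMEApplication(armored, "octet-stream", _encoder=email.encoders.encode_7or8bit)
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(body)
    return outer

def encrypt_outbound(raw: bytes, store: KeyStore,
                     encrypt: Callable[[List[str], bytes], bytes] = gpg_encrypt) -> Message:
    """The one step every sending system shares: encrypt when every recipient
    has a registered key, otherwise pass the message through unchanged."""
    msg = email.message_from_bytes(raw)
    addrs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    fprs = [store.lookup(a) for _, a in addrs if a]
    if not fprs or None in fprs:
        return msg  # a stricter policy would bounce rather than fall back to clear
    inner = email.message_from_bytes(raw)  # PGP/MIME encrypts a MIME entity, so keep
    for name in list(inner.keys()):        # only the Content-* headers with the body
        if not name.lower().startswith("content-"):
            del inner[name]
    if "Content-Type" not in inner:
        inner["Content-Type"] = "text/plain"  # the RFC 2045 default, made explicit
    return pgp_mime_wrap(msg, encrypt(fprs, inner.as_bytes()))

# Constructed sample message from an accounts system (not real traffic).
RAW_MESSAGE = (b"From: accounts@example.net\nTo: Customer <customer@example.org>\n"
               b"Subject: Invoice 1234\nMessage-ID: <1@example.net>\n"
               b"Content-Type: text/plain; charset=utf-8\n\nYour invoice is attached.\n")

def run_demo():
    """Offline walk-through: clear text before a key is registered, PGP/MIME while
    one is, clear again after it is deleted. The encryptor is a stub returning
    constructed ciphertext so this runs without gpg; gpg_encrypt is the real path."""
    seen = {}
    def stub_encrypt(fprs, plaintext):
        seen["fingerprints"], seen["plaintext"] = fprs, plaintext
        return b"-----BEGIN PGP MESSAGE-----\n\n(constructed)\n-----END PGP MESSAGE-----\n"
    store = KeyStore()
    before = encrypt_outbound(RAW_MESSAGE, store, stub_encrypt)
    store.set_key("Customer@example.org", "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678",
                  "(constructed armoured public key)", now=1700000000)  # invented values
    during = encrypt_outbound(RAW_MESSAGE, store, stub_encrypt)
    store.remove_key("customer@example.org")
    after = encrypt_outbound(RAW_MESSAGE, store, stub_encrypt)
    return before, during, after, seen
```

The reason to do this at a gateway rather than in each script is that the accounts system, the ticketing system and a hand-typed staff email all pass through the same code, so the preference is honoured once. Two caveats a practitioner would want noted: PGP/MIME leaves Subject and the addressing headers in clear, and when a key is uploaded the gateway should check that the fingerprint of the key it imports matches the one the customer supplied before it ever encrypts to it, otherwise a substituted key in the shared table would be used silently.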
FireBrick and IPsec
The FireBrick products already support IPsec, and any day now we expect to have the EAP elements that will allow things like iPhones and Androids to remote connect to a FireBrick and allow VPN access to your office, etc. Once that is done we will progress on to TLS, https and ssh, obviously.
One of the key features of the FireBrick, and one of the main reasons it has taken so long to get these features in place, is that this is written from scratch.*
What this means is that we know there are no back doors in the code. Almost any small router that does https or even IPsec has bought in the code or used open source. It is large and complex and may even be a "binary blob" so it is hard to be sure that it has no back doors. Open source is generally safer as it can be reviewed, and people do, but how do you know the code you downloaded is that reviewed and correct code exactly unless you check it yourself? Well, in our case, we know because it has been written in-house. There is not even a third party operating system below it, we wrote that too. We even use a processor with no hidden boot ROM code and no binary blob device drivers for peripherals (both of which are quite common these days in some types of processor). We even make the FireBricks in the UK and load the code into them ourselves. All code is signed by us, and our boot loader checks the signature to ensure no rogue code can be issued with back doors added.**
I think it is incredibly rare for any manufacturer to be able to say that. And if some UK law is passed that could compel us to add back doors we would stop.***
Even so, suggestions welcome.
* Some of you may have heard the long standing truth that one should never try to design an encryption system yourself or behind closed doors. They have to be subject to wide scrutiny to be any good. This is true, but is not the same as implementing these algorithms, which can be done behind closed doors, and the standards provide lots of good test data for doing just that.
** Technically, with physical access and a JTAG interface someone could load other code, but that is highly unlikely and would require physical access to the FireBrick.
*** In practice we would probably set up in a saner country and make and ship from there, or possibly just emigrate there as the UK really would have lost the plot by then.
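As an added illustration of the point in footnote * about standard test data (example code for this page, in Python rather than FireBrick's from-scratch firmware, and not FireBrick's implementation), this implements SHA-256 directly from the FIPS 180-4 description, derives the round constants from the primes the standard specifies rather than typing them in, and then checks the result against the known-answer vectors published with the standard and against a second implementation at the padding boundaries. The function names (sha256, known_answer_test) and the sample input are mine.

```python
"""SHA-256 written from FIPS 180-4 and checked against the standard's own
known-answer vectors. Added example for this page, not FireBrick code."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

def _first_primes(n):
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes

def _icbrt(n):
    """Exact integer cube root (floor), so the constants need no floating point."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

# FIPS 180-4 s4.2.2 and s5.3.3: the constants are the first 32 bits of the
# fractional parts of the cube roots (K) and square roots (H0) of the first primes.
_PRIMES = _first_primes(64)
K = [_icbrt(p << 96) & MASK for p in _PRIMES]
H0 = [math.isqrt(p << 64) & MASK for p in _PRIMES[:8]]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def _compress(state, block):
    """One 512-bit block through the message schedule and 64 rounds (s6.2.2)."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256(data: bytes) -> bytes:
    # Padding (s5.1.1): 0x80, zeros up to 56 mod 64, then the bit length as 64-bit big-endian.
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", 8 * len(data))
    state = list(H0)
    for i in range(0, len(padded), 64):
        state = _compress(state, padded[i:i + 64])
    return struct.pack(">8L", *state)

# Known-answer vectors published with the standard (FIPS 180-4 / NIST examples).
FIPS_VECTORS = {
    b"": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    b"abc": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq":
        "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1",
}

def known_answer_test() -> bool:
    """True only if every published vector matches and the padding boundaries
    (55, 56, 64 bytes and so on) agree with an independent implementation."""
    if any(sha256(m).hex() != d for m, d in FIPS_VECTORS.items()):
        return False
    sample = bytes(range(256)) * 4  # constructed input, not from any standard
    return all(sha256(sample[:n]) == hashlib.sha256(sample[:n]).digest()
               for n in (1, 55, 56, 63, 64, 65, 119, 120, 128, 1000))
```

The vectors catch a wrong constant, a wrong rotation amount or a broken schedule outright; the boundary lengths are where a padding bug hides, since "abc" never exercises a message that needs a second block. A closed-door implementation can get the same coverage from the published long-message vectors without a second implementation to hand; hashlib is used here only because it is conveniently available.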