vacancies advertise contact news tip The Vault
Countdown to 2019 and win big with the HEXUS Epic Giveaway [x]
facebook rss twitter

Privacy Alert: ITU secretly approves Deep Packet Inspection

by Alistair Lowe on 6 December 2012, 09:24

Quick Link: HEXUS.net/qabp3n

Add to My Vault: x

We reported last week that there were fears of the ITU heading off-the-rails as the UN branch entered into closed door talks, with rumours that the group would propose to manage data flow and security for the world-wide web.

The first confirmation of fears to emerge from talks has been the adaptation of the 'Requirements for Deep Packet Inspection in Next Generation Networks' standard, 'Y.2770'. This standard provides a means for ISPs and governments to inspect the actual content of user traffic and not just packet headers for the purposes of data routing.

ITU - The new global threat?

ITU - The new global threat?

By standardising DPI, the ITU has made it easier for the mass-production of cost-effective packet inspecting hardware and its integration into a network. The standard even includes provision for bypassing encryption, by allowing the capture of exchanged keys. Unlike other web standards authorities, the ITU has made no attempt to analyse the impact of DPI misuse or to offers provisions for guaranteeing user data privacy.

Though standard policy for the ITU, the draft of the DPI document was not released into the public domain, allowing no chance for feedback from many ISPs, large web firms or rights groups.

Keep an eye out for the published standard on the ITU homepage, when it ultimately emerges in the public domain.



HEXUS Forums :: 6 Comments

Login with Forum Account

Don't have an account? Register today!
The standard even includes provision for bypassing encryption, by allowing the capture of exchanged keys.
That's not how asymmetric key encryption works, knowing the public key doesn't help you at all. The session key is encrypted by said public key so can only be read by the private key holder i.e. the website.
watercooled
The standard even includes provision for bypassing encryption, by allowing the capture of exchanged keys.
That's not how asymmetric key encryption works, knowing the public key doesn't help you at all. The session key is encrypted by said public key so can only be read by the private key holder i.e. the website.

I was about to say the same thing. It's no good without the private keys. I've even had to explain this to fellow sysadmins before when they sent me an SSL certificate to use on a site and refused to handover the private key… because it was private. Facepalm.
This is a pretty interesting explanation on why it will not work if you have strong enough encryption…
Skip to 2:30, http://www.youtube.com/watch?v=YEBfamv-_do
watercooled
That's not how asymmetric key encryption works, knowing the public key doesn't help you at all. The session key is encrypted by said public key so can only be read by the private key holder i.e. the website.

+1 :) sounds like we need to post the whole Alice and brian with the message in the locked box and a pair of padlocks :)

even if you can see the padlocks you dont have the keys!
Yeah, so it turns out that in this case Mallory is an idiot.