this is in science because there is a science to encryption.
i have been on the world wide web for about as long as it has existed, and have studied most of the changes to technology as it has progressed, and
have been a little quiet about UCE (user controlled encryption) because i wanted to understand its implementation before i commented on it.
in recent weeks a stream of high profile hacks have taken place across the net, some of the giants of the web have had their server networks
compromised, user passwords stolen and commercial secrets stolen, this has been the reason for the calls from some governments around the world to
push for "cyber warfare" capabilities and for legislation to allow "sharing" of user information.
when you can plainly see a broken system, you design a new one, you don't continue using the broken system, and remove people's rights to privacy,
because someone else is breaking the law.
this is why UCE is looking like a candidate for securing websites, critical infrastructure and makes user passwords very difficult to "harvest"
a milestone in the evolution of UCE is when it is secure enough to supply the software to others to use, this signifies that the "logic" of the
encryption is correct.
so far UCE has been in the wild for 6 weeks, and to date it has not been compromised, and now it looks like the software will be supplied "white
label" to universities so they may use it for their students and staff,
this means the logic of the encryption model will be open to scrutiny and investigation by some of the best universities around the world.
it is this reason that leads me to believe we are witnessing the "birth" of a new paradigm in internet security,
that could help remove the ability to harvest centrally stored password hashes, and allows for "always up to date" software because of the delivery
mechanism of the software over HTTPS using the functionality of HTML5.
one reason why so many recent hacks have worked is something called a zero day exploit,
and unless every server or PC on the planet, updates software or updates to the latest "patch" there is a way for hackers to gain access to sensitive
in security terms "patching" and updating can be time consuming and "testing" of patches before deployment into the working environment is required in
case unexpected results stop the server from functioning as expected.
that is why a UCE is more secure and less expensive to maintain, the system can deploy patches and updates AT the back-end (server) and "push" out
updated software every time the user connects to the service.
this means no updates that can crash your system, no patches that require extensive testing before deployment.
these are no small changes to the "web security model"
instead of relying on every server to be up to date and patched to achieve security, the security comes from the service being delivered in a secure
manner, (this does not mean you can be sloppy with updates)
the fact that this technology doesn't require a "local install" of software also means that you are not required to know "how" complex encryption
works, and also means that you don't need to know "how" to set it up to be secure.
"if something is simple to use and effective" it will be adopted and enjoyed by a large segment of the population, and if it is as fast or faster than
current technology it will become the "standard" others will have to compete with.
UCE uses the "local" pc to handle the "heavy encryption" and the passwords are handled by the user not the server, this means that there is no
password list to target, and access is "end to end" making it much more difficult to gain unsecured access. because the server doesn't have the
encryption keys the data is useless to hackers if they break in and large password resets for huge numbers of users is not required.
so how does it work,
User controlled encryption is where the user "holds" the encryption key,
and the server holds the "encrypted" files, the server cannot access the files, and neither can hackers if they gain access.
a user goes to a website with UCE and the web page requests an encrypted secure connection to be established between the server and the user, this
HTTPS encryption allows for the secure delivery of an encryption program to the web browser, this program then loads "inside" the web browser, and
encrypts everything coming and going from the end users PC over the encrypted HTTPS connection
so both the "connection" and the transferred "files" are encrypted
because the connection is encrypted, and because the files being transmitted are encrypted,
it makes it exceedingly difficult for anyone to gain access to your computer or your transmitted files.
so if this model was deployed across the web, users would be more secure, their personal information would be
more secure, and because the software is distributed every time a user needs it, it's always up to date, removing the need for extensive compatibility
by offering the software as "white-label" (unbranded) it would seem that the software and encryption is secure enough so that even with a copy of the
code the users are still safe. (open to be scrutinised)
if this is the case then UCE can be used to solve "most" of the security problems that allow hackers to gain access,
and can be used to secure critical systems infrastructure and private user data with no central password store to be a target.
instead of a cat and mouse game with security UCE promises secure end to end encryption to the masses,
and in doing so would also bring security to the large giant internet companies.
this technology looks like it could change the way we access and store information on the web and if it is supplied to universities it means the UCE
encryption methods are secure enough to be put to test by some of the luminaries
of the security world.
i look forward to a future where we don't keep hearing about massive security breaches where user data is stolen,
that is the promise of UCE. a secure safe and easy to use security model that could be deployed world wide.
no more cat and mouse and no more bad legislation, that is the reason i think UCE will become the standard of privacy and security in the very near
future, because it is simple and it fixes many of the problems of the current security models.
so instead of going to cyber war or removing the rights of net citizens why don't we just secure the net with UCE?
edit on 24/2/13 by XPLodER because: (no reason given)
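The model the post describes (the user holds the key, the server holds only encrypted files) can be sketched with the browser's WebCrypto API. This is an added example, not part of the original post and not UCE's own code; PBKDF2, AES-GCM, the iteration count and the in-memory `serverStore` are assumptions, since the post names no algorithms.

```javascript
// Added illustration: user-held key, server stores ciphertext only.
// PBKDF2 and AES-GCM are assumptions; the post does not name UCE's algorithms.
const ITERATIONS = 210000; // constructed work factor for this sketch

async function getCrypto() {
  // Browsers and recent Node expose WebCrypto globally; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Client side: encrypt before upload. Password and key stay on the client.
async function clientEncrypt(password, plaintext) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(c, password, salt);
  const ct = await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Client side: re-derive the key from the password; a wrong key fails the GCM tag check.
async function clientDecrypt(password, record) {
  const c = await getCrypto();
  const key = await deriveKey(c, password, record.salt);
  const pt = await c.subtle.decrypt(
    { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
  return new TextDecoder().decode(pt);
}

// Hypothetical server: it only ever receives and returns the encrypted record.
const serverStore = new Map();
function serverPut(user, record) { serverStore.set(user, record); }
function serverGet(user) { return serverStore.get(user); }

async function demo() {
  // Constructed sample user, password and file contents.
  serverPut('alice', await clientEncrypt('correct horse battery', 'private notes'));
  const stored = serverGet('alice'); // everything the server holds for this user
  const ok = await clientDecrypt('correct horse battery', stored);
  let wrongRejected = false;
  try { await clientDecrypt('guess', stored); } catch { wrongRejected = true; }
  return { ok, wrongRejected, storedFields: Object.keys(stored).sort() };
}
```

The sketch covers only the stored record. The browser still runs whatever script the server delivers over HTTPS, so the integrity of that delivery remains part of the trust model.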