Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK

Government “identity assurance” programme Verify contains "severe privacy and security problems" including a major architecture flaw that could lead to "mass surveillance" – according to an academic paper. Verify was created by the Government Digital Service (GDS) to underpin the online identification of users performing …

  1. Anonymous Coward
    Anonymous Coward

    Looks like, walks like, talks like...

    It is nice to see the UK being 10 years technologically behind Eastern Europe and 15+ behind Benelux, Scandinavia and the Baltic states.

    I used the equivalent Bulgarian system for 5 years or thereabouts as it was the only means to get to my bank account (switched to a bank issued token later on as less hassle).

    0. It also has (same as the similar systems in nordics, etc) acceptance outside govt and use outside govt.

    1. There was no federated hub as there is no reason for a f*** federated hub. An x509 cert is more than sufficient to identify a user.

    2. There were multiple possible lookup access levels to pull data on the user from the LDAP maintained by 3rd party providers depending on who you are. _NONE_ usable for impersonation as the private key was with the user and never left the crypto token.

    3. It was good for access to a range of services (nearly 10 years ago) including tax and the digital signature (standard detached x509 sig) was deemed good enough for anything and everything - including title deeds and court documents.

    4. Even that far back it was at least 1024 RSA if not even 2048.

    5. The authentication was upon connection via https via client certs so no MITMs, no hijacking, etc.

    So my congratulations to the great technological achievement of the UK govt digital service. You have now failed to be only 10 years behind Bulgaria (as their service was actually working and was not backdoored). No comment on where we stand relative to the Baltics or Scandinavia as the difference there is like the difference between a go-kart and the USS Enterprise.

    As far as the hub - other countries have delivered this without a backdoor, so having the backdoor in the design looks like it was intended for the exact purpose being denied for PR reasons.
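The model this comment describes (a per-user X.509 certificate issued by a provider, a private key that stays with the user, and a standard detached signature over a document that anyone can check from the certificate alone) as an added example in Go. This is illustrative code written for this page; it is not the Bulgarian system's software, nor anything from GDS or any Verify provider. The CA name, the user name and the sample document are invented, and the "CA" here is a self-signed root standing in for whatever provider really issued the certificates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate binding the public half to a
// name. For a user the private key would live on a crypto token and never
// leave it; only the certificate is ever handed out.
type Identity struct {
	key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// newIdentity generates a 2048-bit RSA key and has parent sign a certificate
// for it; a nil parent means self-signed (a root CA).
func newIdentity(tmpl *x509.Certificate, parent *Identity) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.Cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{key: key, Cert: cert}, nil
}

// NewCA stands in for the provider that vets a person and issues their
// certificate (hypothetical: no real provider's CA is modelled here).
func NewCA(name string) (*Identity, error) {
	return newIdentity(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// Issue gives a user a certificate that may only make digital signatures.
func (ca *Identity) Issue(cn string) (*Identity, error) {
	return newIdentity(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, ca)
}

// Sign returns a detached signature over SHA-256(doc): the document itself is
// untouched and the signature travels beside it together with the certificate.
func (id *Identity) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, id.key, crypto.SHA256, digest[:])
}

// Verify needs public material only: it chains the signer's certificate to the
// trusted root, checks it was valid at now and permitted to sign, and then
// checks the detached signature against the document.
func Verify(root, cert *x509.Certificate, doc, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not permitted to sign documents")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, doc, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

func main() {
	ca, err := NewCA("Example Identity Provider CA") // hypothetical provider
	if err != nil {
		panic(err)
	}
	user, err := ca.Issue("Ivan Ivanov") // hypothetical user
	if err != nil {
		panic(err)
	}
	doc := []byte("Title deed: plot 42 transfers to Ivan Ivanov") // constructed sample
	sig, _ := user.Sign(doc)
	fmt.Println("genuine:", Verify(ca.Cert, user.Cert, doc, sig, time.Now()))
	doc[0] ^= 1 // flip one bit of the document; the signature no longer matches
	fmt.Println("tampered:", Verify(ca.Cert, user.Cert, doc, sig, time.Now()))
}
```

The point of the detached form is that the relying party (bank, court, tax office) keeps the document and the signature as separate objects and can re-check the signature years later with nothing but the signer's certificate and the root it chains to; no hub sits in the middle of that check. Verify also refuses a certificate whose key usage does not include digital signature, so a CA certificate or a pure TLS client-auth certificate cannot be passed off as a document signer.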

    1. Anonymous Coward
      Anonymous Coward

      Re: 0.

      Lists start with the first point. Don't be a dick.

    2. Doctor Syntax Silver badge

      Re: Looks like, walks like, talks like...

      "You have now failed to be only 10 years behind Bulgaria (as their service ... was not backdoored)."

      I think you've spotted the reason why they consider themselves in advance of Bulgaria.

    3. Anonymous Coward
      Anonymous Coward

      Re: Looks like, walks like, talks like...

      I used the equivalent Bulgarian system for 5 years or thereabouts as it was the only means to get to my bank account

      Is it just me or...

    4. Anonymous Coward
      Anonymous Coward

      Re: Looks like, walks like, talks like...

      I think the point is that X509 certificates are not something which end-users are capable of either understanding or handling safely.

      Sure, you can have an enrolment process which the user can be walked through, and their browser then contains this magic key and certificate. But (a) it only sits in that one browser, so is useless from a different device, and (b) if the browser is compromised, the identity is compromised.

      Enrolling from multiple devices just multiplies the attack surface. This means that there is plausible deniability: if someone does something bad using your certificate, there is plenty of scope for you to argue that you didn't do it because someone got into your PC or smartphone.

      Even for X509 enrolment there must be some form of identity verification. That's the idea behind having people like Experian involved: you can set up some out-of-band verification based on the data they hold on you, or making a phone call, or a personal visit to show your passport, or whatever. They *could* then give you an X509 certificate. But equally they can give you some other, more practical and secure way to prove your identity - whether that be a physical challenge-response token, or a key which you load into a Google Authenticator app for 2FA, or some other future TBA technology.

      Any of those is much more practical for day-to-day use than an X509 browser certificate (that is: both safer and easier to use).

      The point of a federated system is that you can choose an identity provider which you trust, and which gives you whichever tools you prefer to use, without being forced to use one particular provider or one particular technology.

      And if there is a demand from end-users for X509 certificates, nothing stops one or more of those identity providers offering it. But I'd say that for 99.9% of users it's not the right choice.

      1. Ben Tasker

        Re: Looks like, walks like, talks like...

        The point of a federated system is that you can choose an identity provider which you trust,

        I'm being slightly pedantic, but, given the providers involved, I think it's more a case of choosing the provider you distrust least. Take a look at the list:

        Barclays

        Digidentity

        Experian

        GB Group

        Morpho

        PayPal

        Post Office

        Royal Mail

        Verizon

        I'll admit to having had to google digidentity, Morpho and GB group (which means they're distrusted by default - I know nowt about them). Are there any on that list you could say you actively trust? I'm not sure I could.

        I think I'd need to default into choosing whichever company I felt already had sufficient information on me (as it's too late to change that).

    5. cantankerous swineherd

      Re: Looks like, walks like, talks like...

      you think https is secure? obv not a regular reader...

  2. Jimmy2Cows Silver badge

    Not a flaw...

    Government “identity assurance” programme Verify contains "severe privacy and security problems" including a major architecture flaw that could lead to "mass surveillance" – according to an academic paper.

    That's not a bug. That's a feature. A very much intended, planned and designed feature.

    Danezis questioned the reason behind why the system was designed with a single point of failure, but said no explanation has been provided.

    The reason is simple. It is entirely deliberate. No way they're going to change it though, or admit it even could be a design flaw. The best you'll get is a canned statement about how it has been designed to be entirely secure with end-to-end encryption, and there's been no evidence of any compromise, intrusion or security breach in the system since it began operations.

    Interestingly, the American version of an identity system, the Federal Cloud Credential Exchange, shares similar design flaws, according to the paper. But Danezis said there is no evidence the systems have been deliberately designed in this way by intelligence agencies.

    Of course there's no evidence. This common "flaw" is a deliberate feature allowing spooks to compromise the system at will and will have been planned to leave no trace. Hard to imagine it isn't being abused in exactly this way, given the Fed's thirst for privacy invasion and mass data collection.

  3. Wolfclaw
    Big Brother

    "There is no evidence the systems have been deliberately designed in this way by intelligence agencies." and Hitler and his mates were bloody nice blokes, just misunderstood, who liked to chillax on a weekend having a joint or two.

    Of course it was designed like this, this type of thing is a gold mine to spooks to find a person!

    1. Anonymous Coward
      Anonymous Coward

      Never attribute to malice what can be explained by incompetence.

      1. Anonymous Coward
        Anonymous Coward

        "Never attribute to malice what can be explained by incompetence."

        Except where the entity concerned has hundreds of years of track record of just such malice (QE1 had an extensive spying network on her subjects. Given how many of them were in the pay of Spain, though, she at least had a point. A number of Conservative MPs seem to be in the pay of the US neocons, but one imagines they are not the ones being followed.)

      2. Anonymous Coward
        Anonymous Coward

        Never attribute to malice what can be explained by incompetence.

        I am a strong advocate of Hanlon's Razor, but have worked on enough Government projects to know that there are special cases where malice can be assumed.

        1. Paul Crawford Silver badge

          Re: Never attribute to malice what can be explained by incompetence.

          You also forget the 3rd possibility - that both malice and stupidity are involved.

          1. Rob

            Re: Never attribute to malice what can be explained by incompetence.

            It's GDS so we could probably assume it's mostly stupidity going by their previous history.

          2. Anonymous Coward
            Happy

            Re: Never attribute to malice what can be explained by incompetence.

            I would add a codicil, "except where the mistake grossly benefits the people who made it."

            Privacy is like democracy - Governments like to pretend they want us to have it but the opposite is true.

    2. Anonymous Coward
      Anonymous Coward

      there is no evidence the systems have been deliberately designed in this way by intelligence agencies.

      The evidence has been destroyed (maybe also the designers)

  4. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      A voluntary, single purpose plastic card with name, signature and a photo which need not be carried (or even possessed) unless voluntarily engaging in that single purpose is not much of an issue.

      TFTFY

      ...and NO - "existing" is NOT an acceptable "purpose". I do NOT need a government issued "card" to exist. Or to step outside. Or...

      1. This post has been deleted by its author

        1. PrivateCitizen

          hmm

          I think this is over-reaction vs over-reaction. You took offence at the AC's response to a single statement of your post when it wasn't really a criticism of you.

          "Ideals aside, though, I don't see a practical problem with a non-databased plastic card scheme, that was not obligatory but offered benefits. In fact, I hold foreign ID which is more or less like this."

          This is evidence you both agree. The crucial bit is that it is voluntary/not-obligatory.

          This was the fail of the UK ID card scheme. For it to work, it had to be obligatory for all UK citizens to spend money because they are citizens. As described, it would have created an offence of not-carrying the ID card just to make sure there was no doubt about how obligatory it was.

  5. 0laf
    Trollface

    GDS

    I wouldn't worry too much if GDS have set it up. It'll look good on an iPad but GCHQ won't be able to find anything on it.

  6. Anonymous Coward
    Anonymous Coward

    Yeah but....

    "But Danezis said there is no evidence the systems have been deliberately designed in this way by intelligence agencies."

    On the other hand, was there any evidence they didn't, absence of evidence not being evidence of absence etc etc? The current government would probably run a "Post your selfie, win a lucrative government contract!" contest if they thought it had a fighting chance of boosting the surveillance haystack.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yeah but....

      Quite. If the spooks can't even effectively conceal their interactions with those governments which operate on our behalf, then we need to come up with a new name for them.

      "High Visibility Shysters?"

  7. This post has been deleted by its author

  8. Peter Prof Fox

    Catch-22

    How can somebody un-link?

    My mum just got a credit card statement for somebody else delivered to her address. WTF! Now we need to tell the bank to make sure that all the sharing of credit information is undone. It is just the uselessness of the Co-op bank but her carer could have the paper away and 'register residency' in two shakes. Now the poisoned data is probably 'more valid' than my no-internet-or-any-other footprint mum. (Carer is 100% honest actually but...)

    See how the system is opaque yet still centralised and all 'nothing to worry your little head about'.

    1. Anonymous Coward
      Anonymous Coward

      Re: Catch-22

      I know a few people who have been fucked over by their ex in a vaguely similar manner. Whilst together they shared an address (and sometimes, worse, a joint account). Spending was kept reined in for the most part, but the joint account creates an association between the two of them.

      Relationship breaks, and the now-ex goes back to spendthrift-ness racking up giant debts. The joint account had been closed (so wasn't touched), but that association still knackers the responsible partner's credit rating for a time.

      Again, trying to get that sorted gets responses like "That's just how the system works"

      You wouldn't think it was so uncommon that they wouldn't have thought to take it into account. In fact a cynic might argue that the increased interest fees as the result of being slightly riskier are the only reason it hasn't been planned for.

  9. Arachnoid
    Holmes

    In any post regarding security issues

    It's funny [or is it alarming?] to see so many AC posts...

    1. Anonymous Coward
      Anonymous Coward

      Re: In any post regarding security issues

      Both?

      1. Sir Runcible Spoon
        Black Helicopters

        Re: In any post regarding security issues

        Personally I think it indicates a certain naive charm :)

        1. Arachnoid

          Personally I think it indicates a certain naive charm

          Is that because it's a colloquial Regtard-ness or a total Retard-ness?

  10. Graham Marsden
    Big Brother

    "Damn...

    "... they spotted it."

    - HM Government.

  11. Mike 137 Silver badge

    "no explanation has been provided"

    The simplest one is that GDS has conclusively demonstrated via a succession of projects that they couldn't design their way out of a wet paper bag. Any other explanation needed?

  12. John Smith 19 Gold badge
    Gimp

    Just *addicted* to the centralized, encryption stripped, way of doing things.

    Your data in their hands.

    Forever.
