The mammoth, last-minute deal that will govern the United Kingdom and European Union’s trade relations going forward post-Brexit has been finalized in the nick of time. But some security researchers have noted some puzzling aspects of the deal, including mentions of the defunct, 23-year old Netscape Communicator email software and recommendations of outdated encryption standards.
Just in case you forget what Netscape Communicator 4.0 looked like … pic.twitter.com/573xNdN3ZH
— Prof B Buchanan OBE (@billatnapier) December 26, 2020
The mention occurs in a series of regulations concerning “encrypt[ing] messages containing DNA profile information” between countries, which must be done using a specific set of encryption protocols.
The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard…. The processing rules for s/MIME encryption operations… are as follows:
the sequence of the operations is: first encryption and then signing,
the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key length and RSA with 1,024 bit key length shall be applied for symmetric and asymmetric encryption respectively,
the hash algorithm SHA-1 shall be applied.
s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages.
The actual impact of this on major day-to-day operations of either the EU or the UK will likely be small. Netscape Communicator is simply mentioned as an example of a “modern e-mail software package” that supports s/MIME (alongside Outlook and Mozilla Mail). However, the use of outdated encryption standards is a bit more concerning, as Hackaday points out — the SHA-1 hash algorithm has effectively been broken as of 2017, while 1024-bit RSA encryption is vulnerable to brute force attacks by more powerful modern computing.
The language itself may be older than it looks. As the BBC reports, the same text also appears on a 2008 EU document, which seems to indicate that the lawmakers cobbling together the massive 1,256-page treaty may have recycled some old text without reading it too closely. Indeed, as professor Bill Buchanan (one of the first to notice the outdated requirements) commented to the BBC, “this looks like a standard copy-and-paste of old standards, and with little understanding of the technical details.”
But even then, it’s not clear why the EU felt that Netscape Communicator 4 (an app last updated in 2002, and succeeded by several generations of Netscape apps by 2008, which had also all subsequently been discontinued in March 2008) was a useful email application to cite in a June 2008 bill. It’s entirely possible that the recycled 2008 text was itself borrowed from an even earlier time, back when Netscape was still relevant.
None of this will likely shatter the state of the complex geopolitics between the European Union and the United Kingdom. If you’re going to crib old legislation, using outdated cryptographic standards or email apps for something like DNA results seems better than say, trade tariffs. But given the size of the Brexit deal and the impact it’ll have on the UK, the EU, and the entire international community, it’d be nice to see that it was founded on something a little stronger than Netscape Communicator 4.