[abainbridge]

Say a smartphone app ran both an https client and server. For users to send each other messages, they connect to each others servers. That's end to end encryption, right? And looks identical to the type of encryption they'd still allow right? What have I missed?

[abainbridge]

I guess once it gets popular, they just force Apple and Google to remove it from the apps store. So it has to be a web site with all the http server running in javascript/web assembly. I guess you still need a central server to let clients find each other in the first place. They could block that at the DNS level.

[grey-area]

I'd use bank accounts, PayPal or money transfer with small transactions and a one time pad to signal. They'll never ban bank accounts and it'd be hard to find signals amongst the noise. Or you could just use pgp and paste it into whatever app you want. Pandora's box has been opened, its remarkably naive to try to ban secrets at the same time as hoarding an unprecedented number of signals.

Obviously you can't intercept signals from someone using outlawed encryption, a one time pad or no direct messages. I'm not sure the stated goal (stop evil terrorists) is the real goal though - reading almost all communications and selective leaks is just such a useful tool for things like subverting democracy, throwing elections and controlling politicians.

[cr0sh]

> reading almost all communications and selective leaks is just such a useful tool for things like subverting democracy, throwing elections and controlling politicians.

Maybe someone out there needs to air her dirty laundry secrets that she's projecting on the rest of the population?

[cr0sh]

> I guess you still need a central server to let clients find each other in the first place.

Would you? Couldn't you have a list of servers stored in localstorage, and bake the initial list in a bunch of seed copies?

Alternatively, use pastebin or imgur or something like that for your "central store" to pull from initially, then store everything in localstorage after.

[aoeusnth1]

The follow up bill which makes it mandatory to have government spyware on all https servers?

[abainbridge]

They can't do that because it would require major open source web servers to be forked. There's no way they're going to persuade operators in other countries to run UK government spyware.

[klibertp]

> They can't do that

Well, it works for China, so I don't see why it wouldn't elsewhere.

As a techie, I'd like to believe that there are limits to what can be passed as law, but the history shows that it is not so. Just because something is technically impossible doesn't mean it can't be required by law, with all the consequences for not complying. It's uterly futile to go against the people in power with technology or even science alone. The best you can hope for is for you and me, personally, avoiding problems. For a time.

[ocschwar]

Kazakhstan already did it. All they have to do is force browsers to accept a CA that then MITMs everything.

[midnitewarrior]

Yes, UK can just enforce that all SSL certs come from their CA. If they find an invalid SSL cert, they come arrest you, shut you down, or confiscate your equipment (or all 3!)