The huge last-minute agreement that will govern the UK and the European Union’s trade relations with the future government after Brexit has been finalized over time. However, some security researchers have noticed some bizarre aspects of the deal, including Netscape Communicator’s missing 23-year-old email software and recommendations for outdated encryption standards.
The mention appears in a series of regulations regarding ‘encrypt[ing] messages containing DNA profile information ”between countries, which must be done using a specific set of encryption protocols.
The open standard s / MIME as an extension of the de facto e-mail standard SMTP will be used to encrypt messages with DNA profile information. The protocol s / MIME (L3) allows signed receipts, security labels and secure mailing lists … The underlying certificate used by the s / MIME mechanism must comply with the X.509 standard …. The processing rules for s / MIME encryption operations … are as follows:
the order of the operations is: first encryption and then signed,
the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key length and RSA with 1,024 bit key length is applied for symmetric and asymmetric coding respectively,
the hash algorithm SHA-1 will be applied.
s / MIME functionality is built into the vast majority of modern e-mail software packages, including Outlook, Mozilla Mail as well as Netscape Communicator 4.x, and works seamlessly with all major e-mail software packages.
The real impact of this on the major day-to-day operations of the EU or the UK is likely to be small. Netscape Communicator is simply cited as an example of a ‘modern e-mail software package’ that supports s / MIME (along with Outlook and Mozilla Mail). However, the use of outdated coding standards is a bit more worrying, as Hackaday point out – the SHA-1 hash algorithm has been effectively broken since 2017, while 1024-bit RSA encryption is vulnerable to brute force attacks by more powerful modern computers.
The language itself may be older than it seems. As the BBC reports, the same text also appears on an EU document from 2008, which shows that the legislators who put together the massive 1,256-page treaty were able to recover old text without reading it too closely. Indeed, as Professor Bill Buchanan (one of the first to notice the outdated requirements) told the BBC: “It looks like a standard copy-and-paste of old standards, and with little understanding of the technical details.”
But even then, it’s not clear why the EU believes that Netscape Communicator 4 (an app last updated in 2002 and followed by several generations of Netscape apps by 2008, which also everyone which was discontinued later in March 2008) was a useful e-mail program to indicate in a June 2008 bill. It is quite possible that the recycled 2008 text itself was borrowed from an earlier time, when Netscape was still relevant.
None of this is likely to break the state of complex geopolitics between the European Union and the United Kingdom. If you’re going to enroll in old legislation, using outdated cryptographic standards or email programs for something like DNA results looks better than, say, trade rates. But given the size of the Brexit agreement and the impact it will have on the UK, the EU and the entire international community, it will be nice to see that it is based on something stronger than Netscape Communicator 4.