The Brexit deal requires DNA profiles to use a 20-year-old email application

The gigantic, last-minute deal that will govern UK and European Union trade relations in the post-Brexit future was concluded just in time. But security researchers have noted some intriguing aspects of the deal, including references to the now-defunct, 23-year-old Netscape Communicator email software and recommendations for outdated encryption standards.

The mention occurs in a series of regulations relating to “encrypt[ing] messages containing DNA profile information” between countries, which must be done using a specific set of encryption protocols.

The open standard s/MIME as an extension to the SMTP email standard will in fact be deployed to encrypt messages containing DNA profile information. The s/MIME protocol (V3) allows for signed receipts, security tags and secure mailing lists … The underlying certificate used by the s/MIME engine must comply with the X.509 standard …. processing for MIME encryption operations … are as follows:

the sequence of operations is: first encrypt and then sign,

the AES (Advanced Encryption Standard) encryption algorithm with a key length of 256 bits and RSA with a key length of 1,024 bits must be applied for symmetric and asymmetric encryption, respectively,

the SHA-1 hash algorithm must be applied.

The s/MIME functionality is built into the vast majority of modern email software packages, including Outlook, Mozilla Mail, as well as Netscape Communicator 4.x and operates among all major email software packages.

The real impact of this on day-to-day EU or UK operations is likely to be small. Netscape Communicator is simply mentioned as an example of a “modern email software package” that supports s/MIME (together with Outlook and Mozilla Mail). However, the use of outdated encryption standards is a little more worrying, as Hackaday points out: the SHA-1 hash algorithm was effectively broken in 2017, while 1024-bit RSA encryption is vulnerable to brute-force attacks from more powerful modern computers.

The language itself may be older than it sounds. As the BBC reports, the same text also appears in a 2008 EU document, which seems to indicate that the lawmakers assembling the huge 1,256-page treaty may have recycled some old text without reading it too closely. In fact, as professor Bill Buchanan (one of the first to notice the outdated requirements) commented to the BBC, “this looks like a standard copy and paste of old standards, and with little understanding of the technical details”.

But even so, it is not clear why the EU felt that Netscape Communicator 4 (an application last updated in 2002 and followed by several further generations of Netscape applications by 2008, all of which were also later discontinued in March 2008) was a useful email application to cite in a June 2008 document. It is entirely possible that the recycled 2008 text was itself borrowed from an even earlier time, when Netscape was still relevant.

None of this is likely to upset the complex geopolitics between the European Union and the United Kingdom. If you are going to crib from old legislation, getting outdated cryptographic standards or email applications wrong for something like DNA results looks better than doing the same with, say, trade tariffs. But given the size of the Brexit deal and the impact it will have on the UK, the EU and the entire international community, it would be nice to see that it was founded on something a little stronger than Netscape Communicator 4.
