The final agreement that creates the deal that comes into force between the EU and the UK the day after tomorrow took a long time to be negotiated – but not as long as some of the text suggests.
Now it has been revealed, by someone who actually went to the trouble of reading all the way through the 1,200 pages of dense officialese (pdf), that some of the references to technical software give the impression a first draft of the text was written at some point in the early 1990s, more than a quarter of a century ago.
The passage in question is tucked away on page 921 of the document, and concerns, of all things, encryption of confidential documents using the open standard S/MIME.
“s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major email software packages,” the document states.
As the BBC reports, the last major release of Netscape Communicator took place in 1997, and both it and Mozilla Mail are now considered defunct.
The document also recommends using 1024-bit RSA encryption and the SHA-1 hashing algorithm, both of which are outdated and vulnerable to attack, according to those in the know.
“It’s clear that something is amiss in the drafting of this treaty, and we’d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document,” according to the tech site Hackaday.
The mistake was outed by Professor Bill Buchanan, an expert in cryptography at Napier University in Edinburgh.
“I believe this looks like a standard copy-and-paste of old standards, and with little understanding of the technical details,” he told the BBC. “The text is full of acronyms, and it perhaps needs more of a lay person’s explanation to define the requirements,” he suggested.
Although SHA-1 and 1024-bit RSA “were a good selection a decade or so ago, they are no longer up to modern security standards,” he added.
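The two parameters Buchanan singles out are exactly what an administrator would check before accepting an S/MIME certificate. The script below is an added example, not code from the article or from any of the bodies it mentions: it parses the text that `openssl x509 -text -noout` prints for a certificate, pulls out the signature hash and the public-key size, and flags anything weaker than SHA-2 or 2048-bit RSA (the floor NIST SP 800-131A sets for signature generation). The two certificate dumps embedded in it are constructed samples, not real certificates; the name `audit_cert_text` and the threshold constants are this example's own.

```python
import re

# Constructed sample of `openssl x509 -text -noout` output for a certificate
# matching the treaty's description: 1024-bit RSA, signed with SHA-1.
# Fabricated for this example; not a real certificate.
OLD_PROFILE_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example S/MIME CA
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: CN = alice@example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

# Constructed sample of a certificate that meets current guidance.
MODERN_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4661 (0x1235)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example S/MIME CA
        Subject: CN = bob@example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
"""

# Policy thresholds (NIST SP 800-131A: RSA < 2048 bits and SHA-1 are
# disallowed for digital signature generation).
MIN_RSA_BITS = 2048
WEAK_HASHES = {"md2", "md4", "md5", "sha1"}

SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
KEY_ALG_RE = re.compile(r"^\s*Public Key Algorithm:\s*(\S+)", re.M)
KEY_BITS_RE = re.compile(r"^\s*Public-Key:\s*\((\d+) bit\)", re.M)
# Hash name embedded in an OpenSSL algorithm label, e.g.
# "sha1WithRSAEncryption" or "ecdsa-with-SHA256".
HASH_RE = re.compile(r"(md2|md4|md5|sha1|sha224|sha256|sha384|sha512)", re.I)


def parse_cert_text(text):
    """Extract signature algorithm, key algorithm and key size from openssl output."""
    sig = SIG_RE.search(text)
    key_alg = KEY_ALG_RE.search(text)
    key_bits = KEY_BITS_RE.search(text)
    if not (sig and key_alg and key_bits):
        raise ValueError("not recognisable `openssl x509 -text` output")
    hash_match = HASH_RE.search(sig.group(1))
    return {
        "signature_algorithm": sig.group(1),
        "hash": hash_match.group(1).lower() if hash_match else None,
        "key_algorithm": key_alg.group(1),
        "key_bits": int(key_bits.group(1)),
    }


def audit_cert_text(text):
    """Return (parsed fields, list of policy findings); empty findings = acceptable."""
    info = parse_cert_text(text)
    findings = []
    if info["hash"] in WEAK_HASHES:
        findings.append(
            f"signature hash {info['hash']} is deprecated for signing; "
            "use SHA-256 or stronger"
        )
    if info["key_algorithm"] == "rsaEncryption" and info["key_bits"] < MIN_RSA_BITS:
        findings.append(
            f"RSA key is {info['key_bits']} bits; minimum is {MIN_RSA_BITS}"
        )
    return info, findings


if __name__ == "__main__":
    for label, cert in (("treaty profile", OLD_PROFILE_CERT), ("modern", MODERN_CERT)):
        info, findings = audit_cert_text(cert)
        print(label, info["signature_algorithm"], info["key_bits"], "bit")
        for f in findings:
            print("  FAIL:", f)
        if not findings:
            print("  OK")
```

Run against a real certificate with `openssl x509 -in cert.pem -text -noout | python3 audit.py` after swapping the embedded samples for `sys.stdin.read()`; the regexes match OpenSSL's text layout rather than parsing DER, which keeps the script dependency-free but means it only audits what that text shows (signature hash and key size, not the chain or key usage).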
In the meantime, the text has been approved by the 27 permanent representatives of the member states to the EU, as well as by the British parliament just yesterday, without anyone having spotted anything odd.
The Home Office in London told the BBC the text was more of a legal than an operational or technical document. “We currently use the latest technology to share this data, which is properly protected and in line with the guidance from the National Cyber Security Centre,” a spokesperson said.
“So will the lawmakers of Europe now have to dig for ancient software as mandated by treaty?” wondered Hackaday. “We hope not, as from our reading they are given as examples rather than as directives. We worry however that their agencies might turn out to be as clueless on digital security as evidently the civil servants are, so maybe Verizon Communications, current owners of the Netscape brand, could be in for a few support calls.”