Thailand: ICT Ministry seeking access to internet users’ emails and logins

[kotsak]

I guess we will never see HTTPS implemented on this forum any time soon

[tuanku]

another uneducated and poorly thought out plan

email security SSL etc is designed to keep peoples private sensitive personal communication -----PRIVATE and secure-----, not just in Thailand but across the globe on the WWW, many email providers/hosting companies (like mine) will not allow unsecured traffic to and from their servers

Although the source for the OP is somewhat unreliable I will call this for what it is (if true) - completely and utterly ridiculous and unworkable, you gotta wonder who is coming up with this stupidity

Don't be bashful, has to be Mr. T for you, doesn't it?

[realenglish1]

What the regime does not understand is that global corporations considering Thailand will opt out because of this rule

Thailand will loose big on business.

[jackh]

I am so happy I decided years ago NOT to settle in Thailand. If I was there now, I would be getting my house in order so I could move out of that country as fast as possible. This latest development is only the tip of the iceberg. They will go after foreign bank accounts next.

[tuanku]

How to sign-out from Thaivisa, and clear my data.

Not permitted. You are member for life, in fact quite a few dead people are still members.

[Winniedapu]

What an article. Scaremongery at its finest.

However, if there is any truth at all in the 'leak', and this has been suggested by anyone in anyway involved with IT security, the very mention of 'banning SSL' is mind-boggling and the person should be removed from their area of work immediately.

Point of note, none of my business email accounts will work without encryption, none of my cloud access either and this is not ISP controlled par se.

It's the only sensible approach. Nobody should think like the Chairman and say 'if I don't do anything wrong I have nothing to fear' - that's BS

For example, given what everybody understands the honesty to be in the police and army, if they can break https, how long is it before money goes missing from online bank accounts?

Lockdown is the only smart option. VPN to an overseas server using a secure protocol (OpenVPN is a bit harder to crack than https) and always use it, don't re-use passwords (use a strong password manager with a strong password). And never ever use Facebook because they cannot be trusted, I don't know about Line. In general social media is a really bad idea, though Thais cannot survive without peer approval and to be honest, social media can fuel the fightback against the Chairman.

And lets hope Anonymous kicks the Chairman's bottom as they did before but eased up when their demands were met, Bad idea with Thais.

W

[Srikcir]

First of all, the fact that the article talks about SSL (instead of TLS) shows that some people do not really understand what they talk about. Fact is that SSL - not only V2, but also V3 - is viewed as cracked as it has to many security flaws in it and some organisations like the PCI SSC (Payment Card Industry Security Standards Council) have ordered all members to disapprove the use of SSL for their websites and TLS 1.1 is the current MINIMUM level required for such transactions.

Second, I would advise all readers to check their browser security settings and ensure that they unclick the SSL V2, SSL V3 and TLS V1.0 options in their security settings. All "important" websites such als mail, banking, facebook etc. DO connect through TLS V1.1 or higher nowadays and using "secure" connections through SSL is like NOT having encrypted links at all.

Third, all that would happen if the ISP's would disallow the use of encrypted connections through SSL/TLS would be that you could not connect to your websites anymore. In no way could the ISP's read your data, TLS V1.1 and TLS V2.0 as of today are not yet broken security protocols, only SSL is.

Fourth, as another poster said, I do not believe that any reputable website provider (facebook, banks, microsoft etc) will change their websites to allow unencrypted connections for countries that decide to disallow the use of encryption.

Edit: Lost point 3 when posting, added again

You offer some useful information regarding SSL protocol. But "no matter which method you choose for initiating the connection, TLS or SSL, the same level of encryption will be obtained when talking to the server and that level is determined by the software installed on the server, how that is configured, and what your program actually supports."¹

The article is not about broken or cracked SSL. It is about the Thai government demanding access to people's personal and financial internet connections. Such capability would give the government the capability to securely hack users accounts no matter how secure a website might be. Changing from SSl to TSl would be like changing locks in a door but giving a 3rd party the keys to the new lock. Security is still defeated.

Yes, the article focuses on SSL but the Prayut regime can easily amend bills in a day that will be passed unopposed by its rubberstamp NLA . The current proposed bill is under review by NLA means it can simply change SSL to cover any and all security protocols. In the past the Prayut regime has even indicated it wants access to VPN passwords as well. This would mean that all corporate intrrcompany/intracompany communications would be open to government inspection.

1 https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html

[schondie]

These guys are control freaks, i have no idea where its going to stop but there really has never been any freedom of speech here . Thais need to wake up , as the country and their future is being lost at a wholesale rate.

Unfortunately it's not just the present Thai rulers that are control freaks, it's virtually all the ruling classes in all countries that fear the internet. I believe they fear it as there's the possibility that their dirty little secrets will be exposed or it can be used to organise protests against them when they become unpopular.

It's no different to the past, and probably the present, when government agents opened peoples' post or randomly listened in on their phone calls.

[Kabula]

Getting very concerning. Step after step towards N.Korean-style information control. Will democracy ever return to Thailand?

Democracy has been an illusion!

In a Democracy the people have 100% control.

Governments worldwide have always had the power to control the people.

For those who did not believe it and didn't pay tax they lost their property and ended up behind bars.

Government vs the people is like a Corporation when the senior partner who has the most shares and has the power to sell everything, hire the Police to block the door and the minority partner sits on the curb outside watching their life's hard work evaporate!

[Oxx]

... but Facebook uses HTTPS. There would be rioting in the street if Thai people weren't allowed to spend several hours a day on Facebook.

Incidentally, I suspect that much of the article is red herring. The junta has already mandated ISPs to install monitoring software which cracks HTTPS encryption. From Prachatai, January last year:

"Thailand’s Ministry of Information and Communication Technology (MICT) is developing and testing software to intercept internet communications which uses a secure protocol in order to better intercept and block lèse majesté content, according to a leaked document."

http://prachatai.org/english/node/4706

[renaissanc]

This is going too far.

[Swiss1960]

First of all, the fact that the article talks about SSL (instead of TLS) shows that some people do not really understand what they talk about. Fact is that SSL - not only V2, but also V3 - is viewed as cracked as it has to many security flaws in it and some organisations like the PCI SSC (Payment Card Industry Security Standards Council) have ordered all members to disapprove the use of SSL for their websites and TLS 1.1 is the current MINIMUM level required for such transactions.

Second, I would advise all readers to check their browser security settings and ensure that they unclick the SSL V2, SSL V3 and TLS V1.0 options in their security settings. All "important" websites such als mail, banking, facebook etc. DO connect through TLS V1.1 or higher nowadays and using "secure" connections through SSL is like NOT having encrypted links at all.

Third, all that would happen if the ISP's would disallow the use of encrypted connections through SSL/TLS would be that you could not connect to your websites anymore. In no way could the ISP's read your data, TLS V1.1 and TLS V2.0 as of today are not yet broken security protocols, only SSL is.

Fourth, as another poster said, I do not believe that any reputable website provider (facebook, banks, microsoft etc) will change their websites to allow unencrypted connections for countries that decide to disallow the use of encryption.

Edit: Lost point 3 when posting, added again

You offer some useful information regarding SSL protocol. But "no matter which method you choose for initiating the connection, TLS or SSL, the same level of encryption will be obtained when talking to the server and that level is determined by the software installed on the server, how that is configured, and what your program actually supports."¹

The article is not about broken or cracked SSL. It is about the Thai government demanding access to people's personal and financial internet connections. Such capability would give the government the capability to securely hack users accounts no matter how secure a website might be. Changing from SSl to TSl would be like changing locks in a door but giving a 3rd party the keys to the new lock. Security is still defeated.

Yes, the article focuses on SSL but the Prayut regime can easily amend bills in a day that will be passed unopposed by its rubberstamp NLA . The current proposed bill is under review by NLA means it can simply change SSL to cover any and all security protocols. In the past the Prayut regime has even indicated it wants access to VPN passwords as well. This would mean that all corporate intrrcompany/intracompany communications would be open to government inspection.

1 https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html

With all due respect to you and the article you quote, the main issue is not the "software installed on the server", but "what your program actually supports". As I wrote in my point two, go to your browsers security setting and DISALLOW the use of SSL V2, V3 and TLS 1.0. Then the server on the other side WILL have to initiate a TLS V1.1 or V2 connection which at present is NOT broken yet and NOT hacked yet. If the website would tell you that they do NOT support your required connection, then you better keep away from that website.

All major financial players in Switzerland (and I assume all over Europe) have informed their customers, that they will NOT suppport SSL anymore and that customers have to update their browsers (i.e. Internet browser < V9 will not be accepted anymore as they do NOT support TLS. If you install Chrome, it will by default only allow TLS (but also 1.0 which should be disconnected by you).

when you write " the Thai government demanding access to people's personal and financial internet connections." then I will happily provide the Thai government with the links to my mail (hotmail) or give them the URL of my Swiss bank, but without password they will NOT be able to hack into my personal data. Now we are talking about secure passwords or - in the case of banks - the use of dual-factor login procecures like tokens, OTP or biometric devices for login.

Changing your browsers ability away from SSL to TLS is like having open doors or locking it when leaving the house.

btw: it would be nice if ThaiVisa would also support https only

[manhood]

Once this junta and so called government has lost the right way in a democracy and never will be able to go, it is now trying to keep their people under the heel and bondage with all possible reprisals.
And Thailand’s junta learned from their neighbors! The way is let prefigured in a country that is steered rather dictatorial and therefore is not going into a democracy.

[Jonathon]

Looks like the time to leave is drawing near.

[Swiss1960]

Incidentally, I suspect that much of the article is red herring. The junta has already mandated ISPs to install monitoring software which cracks HTTPS encryption. From Prachatai, January last year:

"Thailand’s Ministry of Information and Communication Technology (MICT) is developing and testing software to intercept internet communications which uses a secure protocol in order to better intercept and block lèse majesté content, according to a leaked document."

http://prachatai.org/english/node/4706

... if that would be possible, it would have been done already by Russian / Chinese hackers and we would know it, because we would read loads of articles about hacked banking websites et al.

again: at present, TLS 1.1 and TLS 1.2 are still deemed to be secure and NOT hacked, this is the view of ALL major security players in the security market. Hacking these protocols through the ISP (meaning hacking the data while in transit from your computer to your desired website) is therefore NOT possible as of yet.

If I would have to develop SW to "intercept" communication, I would start to infect all major Thai websites with MIM /MIB (Man In the Middle / Man In the Browser) malware, I would design them i.e. as "Malvertising" (Advertising with Malware included) and ensure drive-by download (you do not even have to download it yourself). However, the issue THEN is to manage the hundreds of thousands or millions of affected computers and have big enough data bases and fast enough computers with highly developped search patterns in order to ensure that you catch the "bad boys" in time. At present, not even the CIA / NSA / whatever in the US of A has all that would be needed for such a task.

btw: 10y work as IT Security Manager implementing security frameworks such as ISO 27xxx and PCI DSS V3.x for a Swiss financial institution would be my reference and experience

[chilli42]

Makes you wonder what pending national crisis they might be preparing themselves for.

[KKr]

I seem to remember newspaper reports that, about 15 years ago, local internet providers were told to open their servers for Russian Authorities or get out of the business.
It created a (short) wave of criticism but, guess what, internet has been thriving there as much as in many other places.

Now something similar is news for TV?

[mtls2005]

What an article. Scaremongery at its finest.

Some international press, respected Thai bloggers and domestic watch-dog organizations have been commenting on the eight (8) draft bills that the NLA have been working on, camouflaged as "The Digital Economy", for several months.

https://thainetizen.org/

https://thainetizen.org/2015/01/digital-economy-cyber-security-bills-en/

https://asiancorrespondent.com/2015/02/thailands-new-and-frankly-terrifying-cyber-laws-part-1-introduction/

Some of these address "cyber-security" while others update the Computer Crimes Act of 2007.

I'd submit that the changes will actually put Thailand in a much more repressive state than either PRC or DPRK, and will give the authorities here powers that even the NSA/GCHQ would be envious of.

[dageurreotype]

Sounds ominous but the government hardly seems to be a model of competance,ditto the rest of the country,so wether they could actually do this i would be highly surprised.

It's not so much the junta are able to carry this through (which I rather doubt), but that they are actually considering it. Why? What's the end game? Any sane and rational person would wonder how a looming N Korea style scenario would pan out here in Thailand. Never happen. The Thais, for all their being kept in ignorance won't stand for it. But the perception it's wanted by the current mob remains and puts them in an increasingly bad light.

[Oxx]

... if that would be possible, it would have been done already by Russian / Chinese hackers and we would know it, because we would read loads of articles about hacked banking websites et al.

again: at present, TLS 1.1 and TLS 1.2 are still deemed to be secure and NOT hacked, this is the view of ALL major security players in the security market.

Of course it's possible. The only question is how much time and money is required to do it. America's NSA has been doing it for years. There's also commercial software (the name of which eludes me for the moment, but which Thailand has bought) which claims to do the same thing for other tyrannical regimes and others.

Edited May 31, 2016 by Oxx

[Swiss1960]

I seem to remember newspaper reports that, about 15 years ago, local internet providers were told to open their servers for Russian Authorities or get out of the business.

It created a (short) wave of criticism but, guess what, internet has been thriving there as much as in many other places.

Now something similar is news for TV?

What an article. Scaremongery at its finest.

Some international press, respected Thai bloggers and domestic watch-dog organizations have been commenting on the eight (8) draft bills that the NLA have been working on, camouflaged as "The Digital Economy", for several months.

https://thainetizen.org/

https://thainetizen.org/2015/01/digital-economy-cyber-security-bills-en/

https://asiancorrespondent.com/2015/02/thailands-new-and-frankly-terrifying-cyber-laws-part-1-introduction/

Some of these address "cyber-security" while others update the Computer Crimes Act of 2007.

I'd submit that the changes will actually put Thailand in a much more repressive state than either PRC or DPRK, and will give the authorities here powers that even the NSA/GCHQ would be envious of.

Unfortunately, it is news as it is an issue that is coming up more and more, just some examples from the past:

• Saudia Arabia and UAE (and other countries) trying to force RIM (blackberry) to give them access to the local blackberry servers, enabling them to read all encrypted mails
• US homeland security forcing all US companies to give them access to their data through the secret courts (VISA, MasterCard, major hotel chains etc.)
• PGP was created based on the US regulations with regards to encryption, since no encryption using more than 40bit was allowed at that time by the NSA (40 bit and less could be cracked easy). PGP was soon thereafter released as open source project based in (I think) Sweden and for a very long time, for US citizens and companies it was a criminal act to use it.
• In 2011, it was revealed that the NSA together with the British GCHQ have included backdoors in the Juniper firewalls, using a rogue programmer in the company.
• within the last two years, it was revealed how every government spy agency spies on each other, i.e. the Brits using the internet cables between Europe and the US, or listening into phones (including "befriended" governements) etc
• It is well known that Security companies with contracts within the US government will have to provide backdoors for their products in order to even get the chance to be included in a US government project.
• just the last example is the US government forcing Apple (and for sure other companies) to develop and handover tools for hacking into smart phones. And that is not all, the US is actually thinking about new laws requiring ALL US sold security products (firewalls, encryption etc) to have backdoors installed for the use of the government.

Therefore, people who now moan or cry about the idea of the Thai government: be advised that your own government might already be steps ahead of what the Thais think about.

[johng]

There's also commercial software (the name of which eludes me for the moment, but which Thailand has bought) which claims to do the same thing for other tyrannical regimes and others.

Wikileaks hacking team

[MZurf]

Incidentally, I suspect that much of the article is red herring. The junta has already mandated ISPs to install monitoring software which cracks HTTPS encryption. From Prachatai, January last year:

"Thailand’s Ministry of Information and Communication Technology (MICT) is developing and testing software to intercept internet communications which uses a secure protocol in order to better intercept and block lèse majesté content, according to a leaked document."

http://prachatai.org/english/node/4706

... if that would be possible, it would have been done already by Russian / Chinese hackers and we would know it, because we would read loads of articles about hacked banking websites et al.

again: at present, TLS 1.1 and TLS 1.2 are still deemed to be secure and NOT hacked, this is the view of ALL major security players in the security market. Hacking these protocols through the ISP (meaning hacking the data while in transit from your computer to your desired website) is therefore NOT possible as of yet.

If I would have to develop SW to "intercept" communication, I would start to infect all major Thai websites with MIM /MIB (Man In the Middle / Man In the Browser) malware, I would design them i.e. as "Malvertising" (Advertising with Malware included) and ensure drive-by download (you do not even have to download it yourself). However, the issue THEN is to manage the hundreds of thousands or millions of affected computers and have big enough data bases and fast enough computers with highly developped search patterns in order to ensure that you catch the "bad boys" in time. At present, not even the CIA / NSA / whatever in the US of A has all that would be needed for such a task.

btw: 10y work as IT Security Manager implementing security frameworks such as ISO 27xxx and PCI DSS V3.x for a Swiss financial institution would be my reference and experience

Certainly seems you know what you're talking about - thanks for the info. I've been trying to find out if my browser (Opera) uses TLS as default but am unable to confirm it. I have also been unable to deselect SSL. Maybe the latest versions of all major browsers have no longer SSL as an option?

PS. I know this is a bit off topic but I think important for all of us to know more about.

Edited May 31, 2016 by MZurf

[Khon Kaen Dave]

Soon it will get so bad,that one will have to check the loft to see if there is someone up there with a tape recorder.

This smacks of the Statis in East Germany pre wall destruction days.

[Swiss1960]

... if that would be possible, it would have been done already by Russian / Chinese hackers and we would know it, because we would read loads of articles about hacked banking websites et al.

again: at present, TLS 1.1 and TLS 1.2 are still deemed to be secure and NOT hacked, this is the view of ALL major security players in the security market.

Of course it's possible. The only question is how much time and money is required to do it. America's NSA has been doing it for years. There's also commercial software (the name of which eludes me for the moment, but which Thailand has bought) which claims to do the same thing for other tyrannical regimes and others.

You are right with above, TLS V1.1 and above will sooner or later be cracked and then these flaws could be used to order an ISP to intercept, decrypt, store and deliver the content to the government. But at present this is not possible!!! And by the time it will be possible, we probably have TLS V3 or V4 available which will have secured the leaks.

The SW you are referring to is probably the SW called RCS (remote control system) developed by an Italian company "Hacking Team" or any of the spy products that a German SW company developped and sold to at least the German and Swiss government for spying on computers. But the difference is that such SW must be installed on individual computers and NOT an ISP servers!!!

Please do not mess up things. I have been dealing with such issues for 10 years, I have read about and analyzed dozends of hacks which have affected our credit card customers and I dare say, I know what i am talking about.

[Swiss1960]

... if that would be possible, it would have been done already by Russian / Chinese hackers and we would know it, because we would read loads of articles about hacked banking websites et al.

again: at present, TLS 1.1 and TLS 1.2 are still deemed to be secure and NOT hacked, this is the view of ALL major security players in the security market. Hacking these protocols through the ISP (meaning hacking the data while in transit from your computer to your desired website) is therefore NOT possible as of yet.

If I would have to develop SW to "intercept" communication, I would start to infect all major Thai websites with MIM /MIB (Man In the Middle / Man In the Browser) malware, I would design them i.e. as "Malvertising" (Advertising with Malware included) and ensure drive-by download (you do not even have to download it yourself). However, the issue THEN is to manage the hundreds of thousands or millions of affected computers and have big enough data bases and fast enough computers with highly developped search patterns in order to ensure that you catch the "bad boys" in time. At present, not even the CIA / NSA / whatever in the US of A has all that would be needed for such a task.

btw: 10y work as IT Security Manager implementing security frameworks such as ISO 27xxx and PCI DSS V3.x for a Swiss financial institution would be my reference and experience

Certainly seems you know what you're talking about - thanks for the info. I've been trying to find out if my browser (Opera) uses TLS as default but am unable to confirm it. I have also been unable to deselect SSL. Maybe the latest versions of all major browsers have no longer SSL as an option?

PS. I know this is a bit off topic but I think important for all of us to know more about.

Best is to go to google and search for "disable SSL in xxxxxx" and replace xxxxxx with your browser name. there are websites that give examples for chrome, IE and firefox, as far as I know you can not do such thing in Edge at present (edge coming with Windows 10, that is why I use Chrome only), am sure you find someting for Opera also.

P.S.: There are many other vulnerabilities more dangerous than SSL, i.e. not updating your OS with latest security patches, having older JAVA versions on your system and never cleaning the old versions out (there is a reason why Chrome does NOT support JAVA plugins anymore) or - unfortunately we see this to many times - computers and smartphones with NO or with outdated security / antivirus software.

But the biggest thread is still the computer user clicking on everything, specially when it says "FREE"... - in German, those people are called DAU ("Duemmster Anzunehmender User which translates roughly to "most stupid imaginable user")

[emilymat]

How to sign-out from Thaivisa, and clear my data.

Your comments would be quite mild to what is being transmitted beyond the Junta's jurisdiction , frankly they are slow learners , this they will eventually find out, what we all could do is use a book of code and just use that. now there's an idea.

You should have bid for Hitlers Lorenz machine on E bay. That would have made a good start!

[Jonmarleesco]

I'm amazed they're bothering with seeking any kind of permission; they usually just elect to stick their oar in to anything and everything that shouldn't concern them. Well, back to the old way: pen, paper and envelope. The P.O. will be happy.

[Swiss1960]

I'm amazed they're bothering with seeking any kind of permission; they usually just elect to stick their oar in to anything and everything that shouldn't concern them. Well, back to the old way: pen, paper and envelope. The P.O. will be happy.

Use special security envelopes.. otherwise some fancy P.O. scanners will read / copy your mails without even bothering to open the envelope..

[elgordo38]

Hard to believe, just when you think they can't possibly stick their feet any further down their throats...

Yes hard to believe but things were just to quiet lately on this subject. I had a feeling that something was going on behind the scenes. Just another step in he total control of the populous.