Most common encryption protocols are useless against NSA surveillance

Status
Not open for further replies.

SJshah




A new leak appearing in The Guardian and The New York Times today details the NSA and GCHQ efforts to circumvent, undermine, and crack various forms of web encryption, based on documents leaked by Edward Snowden. If the details in the document are accurate, the HTTPS and SSL encryption used by most email and banking services offers little to no protection against NSA surveillance.

The articles detail a decade-long NSA project to attack encryption standards from every angle, employing server farms for brute-force decryption, using malware to intercept messages before encryption could take place, and working from within the tech industry to ensure the adoption of protocols that would be easier to circumvent. In one 2006 incident, the NSA even became sole editor of an encryption standard, able to insert backdoors and workarounds at will. The resulting code was often suspected of government tampering, but never proven until now.

As a result, a 2010 GCHQ memo says, "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable." The decryption effort was particularly important to the UK's surveillance efforts, as it allowed them to make sense of the torrents of encrypted data they collected from tapping into undersea web cables. Without some method of decoding the data, collection would have been useless.

The leaked documents also show an aggressive effort to collect and store decryption keys for the NSA's Key Provisioning Service, which the documents say is capable of decrypting many messages outright. The keys are reportedly gathered through both legal and extra-legal means, although experts told the Times it was likely the agency was hacking into corporate servers to obtain many of them.

It also answers many of the questions raised by the NSA's PRISM program. After the details of the program leaked, companies lined up to deny bulk decryption of user data, leading many to wonder how the NSA was able to access the data without the companies' help. While today's leaks don't answer the question definitively, they help explain many of the contradictions involved, and raise troubling new questions about the encryption standards protecting everything from private emails to credit card transactions.

Read more: Most common encryption protocols are useless against NSA surveillance, new leak reveals | The Verge



So it turns out that SSL encryption is useless if you want to privately store and access your personal data online. Even internet banking is vulnerable, which I find quite frustrating.

Questions which have been raised in my mind are the legalities of these techniques carried out by intel agencies. How is this legal? Why have the public not been informed about these vulnerabilities? What do they use this vast amount of data that they gather for?
 
US is a paranoid country. First they go about attacking other countries and when they know that there would be a backlash, they resort to such pathetic moves by spying into every Tom, Dick and Harry's personal data in the name of security. So they peeped your bank accounts too, how pathetic is that.

US citizens should stop using the internet, your government is screwing you over infinite times.
 
So it turns out that SSL encryption is useless if you want to privately store and access your personal data online. Even internet banking is vulnerable, which I find quite frustrating.

Not entirely. We know too few details - we don't know the specifics of the attacks involved (technically, procuring a vast array of certificates through "extra-legal means" renders all encryption done with the involvement of those certs ineffectual, but it's not a crypto break).

The exploits that allow decrypting "cold data" are, of course, of greater concern (it seems to me that the standard that got tampered with and resulted in this mess was a random-number generator thing, and those are notoriously important) but it seems to me that not all is lost.

Technologically, there are routes to recovery.

Politically, recovery will be way harder to attain, and it is political change the world requires to ensure greater transparency so that such stuff never happens again.


P.S.:
I now feel bad about sometimes dismissing worries of some of my colleagues as "paranoia". In the end, they were more right than wrong...
 
The NSA is probably going to have a limited role and reduced budget in a few years from now. Not only has the ACLU followed suit against them, but one of the most powerful lobbying groups, the NRA, has, as well as Google and Microsoft. The creator of the Patriot Act is even against what the NSA is doing.
 
We might also see adoption of more robust crypto that is hard to subvert by "tweaking the constants just so".
 
With the ability to collect massive amounts of data and their large number of workers, they could easily have supercomputers the size of a desktop that put anything that is publicly listed to shame. All you have to do is wiretap and hack the emails of companies like Intel, IBM, AMD and NVIDIA, schools like MIT, as well as the top researchers of computer science in the world. And you can amass tons of research that is being kept secret. So you do not have to spend hardly anything on research costs. And with their budget they could be making their own 5nm GPUs using graphene to reach speeds of 1 THz instead of the normal 1 GHz that chips are using today. And since they are making the products themselves, they do not need to spend extra on buying from a company that has to price to make up for the cost of making the device + research costs as well as to turn a profit.
 