How the hell is the NSA breaking SSL?

happygeek 3 Tallied Votes 919 Views Share

In his essay 'A Few Thoughts on Cryptographic Engineering' Matthew Green, a cryptographer and research professor at Johns Hopkins University, asks "how the hell is NSA breaking SSL?" If this is news to you, following the Edward Snowden revelations in The Guardian, then you obviously haven't read the New York Times piece about the NSA 'Bullrun' briefing sheet which quite plainly states that the agency has been circumventing exactly the type of encryption protection of everyday Internet communications that we take for granted, such as SSL (Secure Sockets Layer).

Of course, as Green has hinted at here, it's not the fact that SSL is being broken (or rather sidestepped, although it amounts to the same thing ultimately) that's in doubt but rather the precise method by which it is being circumvented. I'm not going to repeat all of the possibilities here, Green goes through them in some detail in his paper and I would humbly suggest you follow the link and do likewise. It's seriously interesting stuff, even for the non-ITSec geeks amongst you. But it's not all bad news, at least the Snowden revelations are increasing public awareness of the snooping and this in turn is driving IT vendors to double down on efforts to improve and extend encryption efforts to enhance data privacy.

"Whether implementing stronger encryption algorithms or adding it where it wasn't previously used, vendors are raising the bar for attackers (good and bad) attempting to orchestrate data breaches" says Michael Sutton, vice president of security research for cloud based security provider Zscaler, continuing "despite these efforts, it is likely that the NSA and other intelligence organisations will continue to succeed in their eavesdropping efforts, not because they are breaking SSL, but because they are bypassing it." This occurs either because encryption is often not employed end-to-end or due to legal efforts to obtain encryption keys. The revelations that the NSA was tapping directly into fibre optic cables outside of Google and Yahoo! data centres for example, was being done as an effort to tap into a weak link in the security chain where data was not encrypted when being transferred between data centres. Likewise, court documents have revealed NSA efforts to force companies to turn over private encryption keys. As Sutton concludes "the strongest encryption algorithms in the world are of little use when not turned on or if the keys are handed over."

Brandt_1 0 Newbie Poster

The dystopian fantasies of yesteryear are now a reality. We’ve allowed the coming of an age where the civil liberties our forefathers fought so hard for are being eroded by the day. Freedom of Press, Freedom of Speech and Freedom of Assembly are mere ghostly images of their original intent. We’ve woken up to an Orwellian Society of Fear where anyone is at the mercy of being labeled a terrorist for standing up for rights we took for granted just over a decade ago.

Con Bradley 0 Newbie Poster

Glad to see this question beina asked finally. Implies ALL the standard encryption schemes on the internet are compromised.

CimmerianX 197 Junior Poster

Use GPG. The private key is in your own hands and can not be 'handed over' by any 3rd party.

RikTelner 20 Posting Pro in Training

I'm no expert. But it may be because NSA has installed malware on Windows and Macintosh, Windows' servers are widely within use and when having these malware in them, it's much easier to bypass the SSL if, for example, you connect Windows 8.1 to Windows Server 2013. Both having malware in them, doesn't matter if you use SSL or not, second stream will probably be created, unencrypted and will be (by it's content) exact duplicate of the main encrypted stream, and the unencrypted one will be sent to NSA.

Tcll 66 Posting Whiz in Training Featured Poster

because spud-head engineers don't truely know what "safe" means.

the NSA can do whatever the F they want.

I've known the system was compromized for a long time now, and MS is only making it worse.
this is one reason I don't use the new kernel and still use XP64 for development.
(I know using XP or even linux doesn't make me much safer from them)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.