In his essay 'A Few Thoughts on Cryptographic Engineering' Matthew Green, a cryptographer and research professor at Johns Hopkins University, asks "how the hell is NSA breaking SSL?" If this is news to you, following the Edward Snowden revelations in The Guardian, then you obviously haven't read the New York Times piece about the NSA 'Bullrun' briefing sheet which quite plainly states that the agency has been circumventing exactly the type of encryption protection of everyday Internet communications that we take for granted, such as SSL (Secure Sockets Layer).

Of course, as Green has hinted at here, it's not the fact that SSL is being broken (or rather sidestepped, although it amounts to the same thing ultimately) that's in doubt but rather the precise method by which it is being circumvented. I'm not going to repeat all of the possibilities here, Green goes through them in some detail in his paper and I would humbly suggest you follow the link and do likewise. It's seriously interesting stuff, even for the non-ITSec geeks amongst you. But it's not all bad news, at least the Snowden revelations are increasing public awareness of the snooping and this in turn is driving IT vendors to double down on efforts to improve and extend encryption efforts to enhance data privacy.

"Whether implementing stronger encryption algorithms or adding it where it wasn't previously used, vendors are raising the bar for attackers (good and bad) attempting to orchestrate data breaches" says Michael Sutton, vice president of security research for cloud based security provider Zscaler, continuing "despite these efforts, it is likely that the NSA and other intelligence organisations will continue to succeed in their eavesdropping efforts, not because they are breaking SSL, but because they are bypassing it." This occurs either because encryption is often not employed end-to-end or due to legal efforts to obtain encryption keys. The revelations that the NSA was tapping directly into fibre optic cables outside of Google and Yahoo! data centres for example, was being done as an effort to tap into a weak link in the security chain where data was not encrypted when being transferred between data centres. Likewise, court documents have revealed NSA efforts to force companies to turn over private encryption keys. As Sutton concludes "the strongest encryption algorithms in the world are of little use when not turned on or if the keys are handed over."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

The dystopian fantasies of yesteryear are now a reality. We’ve allowed the coming of an age where the civil liberties our forefathers fought so hard for are being eroded by the day. Freedom of Press, Freedom of Speech and Freedom of Assembly are mere ghostly images of their original intent. We’ve woken up to an Orwellian Society of Fear where anyone is at the mercy of being labeled a terrorist for standing up for rights we took for granted just over a decade ago.

Edited 2 Years Ago by happygeek: spam deleted

Glad to see this question beina asked finally. Implies ALL the standard encryption schemes on the internet are compromised.

I'm no expert. But it may be because NSA has installed malware on Windows and Macintosh, Windows' servers are widely within use and when having these malware in them, it's much easier to bypass the SSL if, for example, you connect Windows 8.1 to Windows Server 2013. Both having malware in them, doesn't matter if you use SSL or not, second stream will probably be created, unencrypted and will be (by it's content) exact duplicate of the main encrypted stream, and the unencrypted one will be sent to NSA.

Edited 2 Years Ago by RikTelner

because spud-head engineers don't truely know what "safe" means.

the NSA can do whatever the F they want.

I've known the system was compromized for a long time now, and MS is only making it worse.
this is one reason I don't use the new kernel and still use XP64 for development.
(I know using XP or even linux doesn't make me much safer from them)

Edited 1 Year Ago by Tcll

The article starter is a financial contributor. Sponsored articles offer a bounty for quality replies.