NSA Has Found Ways To Beat The Encryption...

...That Is Supposed To Protect EVERYTHING YOU Do Online
articiansays...

I wonder what this means for Tor, Hemlis, and similar alternative encryption-communication services... They also don't specify what level of encryption they cracked, so I guess... all of them? Sheesh.

I hate the New World Order, because it's run by men. Weak, greedy, amoral men.

lurgeesays...

I found out last year that the Tor was originally sponsored by the U.S. Naval Research Lab. As of 2012, 80% of the Tor Project's $2M annual budget comes from the United States government. I never knew of Hemlis till you mentioned it. Thanks for the info.

articiansaid:

I wonder what this means for Tor, Hemlis, and similar alternative encryption-communication services... They also don't specify what level of encryption they cracked, so I guess... all of them? Sheesh.

I hate the New World Order, because it's run by men. Weak, greedy, amoral men.

oritteroposays...

This isn't really new, except that Snowden's documents confirm what everybody strongly suspected.

All of the encrypted communications mentioned use SSL, or TLS, and although strong crypto is supported it's more likely that weaker variants will be used almost all the time. This is partly from wanting to support older browsers, partly from not upgrading server keys and config when older ciphers are broken.

There are additional problems protecting communication from the NSA if they are really after you and not just indiscriminately gathering your data.

I would point out that Usama bin Laden did a rather good job though.

http://www.abc.net.au/news/2013-09-06/new-snowden-documents-say-nsa-can-break-common-internet-encrypt/4940138

rebuildersays...

None of the news I've seen on this make it clear just what is going on. Is SSL/TLS compromised? Have the NSA simply gotten access to the servers of major corporations storing people's data? Is this simply about weaknesses in closed crypto implementations people trust?

IOW, which common encryptions can the NSA break, and is that because they have found ways to access the information before or after encryption, because they have found ways to get the encryption keys/seeds, because they've found flaws in specific implementations of some algorithms (which ones?), or because they've found flaws in basic assumptions of some algorithms (again, which ones?)

The more clued-up articles I've read make it sound more likely this is about the NSA having a wide array of coercive tools and backdoors at their disposal, not so much that they can decrypt, say, SSL on the fly at will.

newtboyjokingly says...

I recall in the mid 90's when Carnivore became public knowledge, they could already decrypt the best public encryption available, but it was cost prohibitive and took lots of computing power (well, lot's for the time, probably less than a cell phone has today). With the computing power they have today, they could decrypt every email in real time and never break a sweat.
I'm more sad that this is news than I am that it's happening, because it tells me that 'they' can get away with anything for as long as 'they' want as long as 'they' don't constantly remind the sheeple what they're doing. Apparently if it's not in the news that week, it just isn't happening to most people.
It's called memory retention people. Try it!
This is why I've been sending encrypted pie recipes for years with the heading 'infected monkeys ready for release'. They can't possibly know exactly what variant of apple pie triggers the real release of my airborne monkey aidsbolapox, so their decryption is useless against those who (think we) understand what's happening.

oritteroposays...

"Intelligence agencies" asked them to remove the specific details, and they did so (see the article I linked above)

Now I have no specific knowledge of what the NSA can or can't do either, but can speculate (holds finger up in air):

- SSLv3 and old TLS versions are compromised. Newer versions are better, but most web sites still support the compromised ones. With a man in the middle attack you can force the negotiation to use the compromised standards, and in some cases you can even persuade it to use the "plaintext" option (!?!?). In addition, some of the ciphers supported have flaws, like MD4/MD5/SHA1. Everyone is supposed to be moving off the weaker ciphers and using larger keys to mitigate known attacks, but not everybody has done so, or even knows or cares that they should.
- NSA have access to servers in the U.S., confirmed by multiple sources.
- NSA have access to data being transmitted, basically anywhere.
- Although the crypto systems themselves are probably better than you assume, there are trust issues - in many cases the vendors or certificate authorities have provided private keys. If you were able to replace these compromised keys with your own, that problem could be mitigated.

Your assumption is pretty much spot on, there are a wide variety of backdoors, known bugs, flawed implementations etc., but the ability to decrypt a particular well implemented SSL connection is not guaranteed for anyone (as far as I know).

rebuildersaid:

None of the news I've seen on this make it clear just what is going on. Is SSL/TLS compromised? Have the NSA simply gotten access to the servers of major corporations storing people's data? Is this simply about weaknesses in closed crypto implementations people trust?

IOW, which common encryptions can the NSA break, and is that because they have found ways to access the information before or after encryption, because they have found ways to get the encryption keys/seeds, because they've found flaws in specific implementations of some algorithms (which ones?), or because they've found flaws in basic assumptions of some algorithms (again, which ones?)

The more clued-up articles I've read make it sound more likely this is about the NSA having a wide array of coercive tools and backdoors at their disposal, not so much that they can decrypt, say, SSL on the fly at will.

rebuildersays...

@oritteropo

I'm hoping it really is mainly procedural means the NSA have. Already before this, I've been operating under the assumption anything I haven't personally encrypted using keys controlled only by me is not secure. Used to be I only went the whole mile when I felt it was necessary, now I'm starting to move as much of my net presence into the dark as I can, out of principle more than any immediate need. But if strong crypto is compromised, as some now worry... Things get ugly.

Send this Article to a Friend



Separate multiple emails with a comma (,); limit 5 recipients






Your email has been sent successfully!

Manage this Video in Your Playlists




notify when someone comments
X

This website uses cookies.

This website uses cookies to improve user experience. By using this website you consent to all cookies in accordance with our Privacy Policy.

I agree
  
Learn More