I wonder what this means for Tor, Hemlis, and similar alternative encryption-communication services... They also don't specify what level of encryption they cracked, so I guess... all of them? Sheesh.

I hate the New World Order, because it's run by men. Weak, greedy, amoral men.

I found out last year that the Tor was originally sponsored by the U.S. Naval Research Lab. As of 2012, 80% of the Tor Project's $2M annual budget comes from the United States government. I never knew of Hemlis till you mentioned it. Thanks for the info.

This isn't really new, except that Snowden's documents confirm what everybody strongly suspected.

All of the encrypted communications mentioned use SSL, or TLS, and although strong crypto is supported it's more likely that weaker variants will be used almost all the time. This is partly from wanting to support older browsers, partly from not upgrading server keys and config when older ciphers are broken.

There are additional problems protecting communication from the NSA if they are really after you and not just indiscriminately gathering your data.

I would point out that Usama bin Laden did a rather good job though.

http://www.abc.net.au/news/2013-09-06/new-snowden-documents-say-nsa-can-break-common-internet-encrypt/4940138

"When I worried on Twitter that we could not trust encryption now, technologist Lauren Weinstein responded with assurances that it would be difficult to hide 'backdoors' in commonly used PGP encryption – because it is open-source. Openness is the more powerful weapon." - Jeff Jarvis

http://www.theguardian.com/commentisfree/2013/sep/06/nsa-surveillance-welcome-end-secrecy

None of the news I've seen on this make it clear just what is going on. Is SSL/TLS compromised? Have the NSA simply gotten access to the servers of major corporations storing people's data? Is this simply about weaknesses in closed crypto implementations people trust?

IOW, which common encryptions can the NSA break, and is that because they have found ways to access the information before or after encryption, because they have found ways to get the encryption keys/seeds, because they've found flaws in specific implementations of some algorithms (which ones?), or because they've found flaws in basic assumptions of some algorithms (again, which ones?)

The more clued-up articles I've read make it sound more likely this is about the NSA having a wide array of coercive tools and backdoors at their disposal, not so much that they can decrypt, say, SSL on the fly at will.

Hmm, how comforting.

"Intelligence agencies" asked them to remove the specific details, and they did so (see the article I linked above)

Now I have no specific knowledge of what the NSA can or can't do either, but can speculate (holds finger up in air):

- SSLv3 and old TLS versions are compromised. Newer versions are better, but most web sites still support the compromised ones. With a man in the middle attack you can force the negotiation to use the compromised standards, and in some cases you can even persuade it to use the "plaintext" option (!?!?). In addition, some of the ciphers supported have flaws, like MD4/MD5/SHA1. Everyone is supposed to be moving off the weaker ciphers and using larger keys to mitigate known attacks, but not everybody has done so, or even knows or cares that they should.
- NSA have access to servers in the U.S., confirmed by multiple sources.
- NSA have access to data being transmitted, basically anywhere.
- Although the crypto systems themselves are probably better than you assume, there are trust issues - in many cases the vendors or certificate authorities have provided private keys. If you were able to replace these compromised keys with your own, that problem could be mitigated.

Your assumption is pretty much spot on, there are a wide variety of backdoors, known bugs, flawed implementations etc., but the ability to decrypt a particular well implemented SSL connection is not guaranteed for anyone (as far as I know).

@oritteropo

I'm hoping it really is mainly procedural means the NSA have. Already before this, I've been operating under the assumption anything I haven't personally encrypted using keys controlled only by me is not secure. Used to be I only went the whole mile when I felt it was necessary, now I'm starting to move as much of my net presence into the dark as I can, out of principle more than any immediate need. But if strong crypto is compromised, as some now worry... Things get ugly.