There’s been yet another revelation about Internet spying by US and UK intelligence agencies, thanks to the leaks by Edward Snowden, but this one has much larger implications for the information security community.
According to a report published by The Guardian and New York Times newspapers, in conjunction with ProPublica, the NSA has succeeded in cracking the most common encryption algorithms used on the Internet. It doesn’t say which, although SSL seems the most likely candidate. It also doesn’t say whether the agency is capable of decryption in real time, nor does it reveal whether the attack is some clever cryptanalysis that breaks the algorithm itself or is some other attack against digital certificates.
A number of security experts have started to feel that SSL’s usefulness may be drawing to a close, at least in its present state. To find that it is essentially broken, though, is going to concentrate a lot of minds in the security community.
Less surprising, and just as worrying, is the way the NSA has been active in subverting security standards. This is nothing new – it’s been trying to weaken the encryption available to ordinary people since the sorry debacle over the Clipper Chip, back in 2000. But the now-revealed information that the NSA has been covertly crippling standards – even using such august organisations as the National Institute of Standards and Technology (NIST) to do its dirty work – is a new spin.
And, once again, a number of large Internet firms are going to have to trot out their carefully coached spokespeople to deny that they have been collaborating with the authorities by providing access to data. The documents are highly suggestive that organisations such as Google and Facebook have gone beyond unwilling co-operation with the law, which is how they have painted themselves so far.
There’s one particularly interesting snippet in the new revelations – a statement that the NSA has access to data from a “major Internet peer-to-peer voice and text communications system”. That is a perfect description of Skype. It’s important to point out that Skype hasn’t been specifically named. However, its technology was built on peer-to-peer technology, back in the days when it first emerged from Estonia. When Microsoft bought the firm, it moved a number of key servers to its own facilities, through which a larger proportion of customers’ communications were subsequently routed. The Guardian noted that Microsoft had previously collaborated with the NSA “to circumvent encryption on the Outlook.com email and chat services”.
Encryption is not dead – far from it. Even Snowden himself states that strong encryption still works. But this latest set of leaked documents is likely to have two effects. First, organisations – and those individuals that care – will need to re-evaluate how they use the Internet, what data they trust to it, and how they protect that data. And second, there is likely to be a significant erosion in trust in the technology that now underpins most business and communication on the planet. Many new firms and products will appear claiming to offer ‘NSA-proof’ services – but how do you know that they are not collaborating with the NSA or GCHQ? Or that their products have not been fatally flawed through the use of compromised protocols and algorithms?
The NSA claims, in its own documents, that the weakened technologies still work as advertised for users – it’s only the NSA (and its partners) that know the secret of the exploitable flaws. But that’s ‘security through obscurity’, which has never worked. If weaknesses have been introduced, how long before criminals or the cyberwar arms of other governments discover them? These activities have left us all more vulnerable.