
As Feds Demand the Keys, Preparing for the Death of Public-Key Encryption - ColinWright
http://lauren.vortex.com/archive/001062.html
======
downandout
This kind of thing makes me think the Snowden disclosures actually emboldened
the NSA in some ways. Their nightmare scenario occurred, and nothing happened.
Nobody even got fired or "resigned". The public's tepid reaction has brought
_our_ nightmare scenario to life - we taught secretive government agencies
that they can now do anything they want without fear of public backlash. These
kinds of requests can now dramatically increase, with neither judges,
politicians, nor the NSA itself living in fear of anyone.

~~~
fab13n
What you say is true, but misses an important consideration: yesterday, only
tinfoil hats believed they couldn't trust third-party companies with their
privacy. Today, everyone knows that the only way to have privacy is to handle
it personally, from their local computer.

The whole PRISM scheme worked because people supposed the government respected
their privacy. Now that it's been proven false, I expect people to use local
encryption schemes, where third parties can't give a key they don't have. I
expect people to become careful about which certification authority signed
their SSL key, and to use self-signed certificates whenever practical.
Targeted spying will remain possible, but indiscriminate surveillance PRISM-
style would become impractical.

Unless they know how to crack TLS, but we have no reason to believe this as of
today.

~~~
downandout
_> Today, everyone knows that the only way to have privacy is to handle it
personally, from their local computer._

I agree with you, but I think you have far too much faith in ordinary
Americans. I invented some widely used anti-phishing technology, and I can
tell you that spending a few months analyzing actual incidents where otherwise
intelligent people did ridiculously unsafe things on the Internet will give
you a new perspective on the tech savvy of the general population. Unless we
(the tech community) make strong security both transparent to the user and
enabled by default, the feds will be seeing everything they do. Sadly, most of
them seem OK with that.

~~~
fab13n
OK, I should have written "everyone that matters"; the point is to have a
critical mass of expensive-to-eavesdrop communications, so that the NSA cannot
routinely exploit much more than teenage gossip traded through Facebook.

Moreover, even if only the 10% best informed people use PRISM-proof
communications, it's a safe bet that NSA's alleged targets (whatever the
current definition of "terrorist" might be) are among them, so the argument
that they're doing that to catch "terrorists" doesn't hold water anymore.

I believe the tech community is concerned about this, because it threatens the
robustness of the Internet. Today, nobody in the business can pretend with a
straight face that top-level certification authorities are trustworthy; so I
expect the next generation of security protocols, the successors of the
(transparent and enabled by default) SSL, to treat governments as opponents.

I also believe that companies will change their security patterns, e.g. stop
trusting American third parties such as Microsoft if they have competitors
with political connections in Washington.

~~~
lttlrck
Define "everyone that matters"

------
a3_nm
> Public-key cryptography as we know it today may be rapidly approaching the
> end of its useful lifespan.

No evidence in the article substantiates this bold statement.

\- "pressuring major Internet firms to provide their "master" SSL keys for
government surveillance purposes": this demonstrates a weakness of centralized
public-key infrastructures, it does not follow that public-key cryptography is
doomed. (See: web of trust.)

\- wiretaps, snooping, etc.: everyone is welcome to grab a copy of the
ciphertext, this does not prove that cryptography is futile -- quite the
contrary.

\- "concerns about the security of widely used cipher algorithms and a range
of other associated exploits": vague.

\- "it is prudent to at least assume that intelligence agencies around the
globe may still be working several steps ahead of public "state of the art" in
crypto tech": unfalsifiable.

\- "forced the hands of chip manufacturers to include "special goodies" for
surveillance purposes": I am willing to fear deliberate plausibly deniable
weaknesses on accelerated hardware implementation of crypto primitives, e.g.,
PRNGs, but it seems very hard to believe that implementations of public-key
crypto using general purpose instructions could be somehow identified by the
CPU and somehow tampered with in a way which would be non-obvious somehow.

\- "when governments really want to target someone, they'll find some way to
compromise the associated computers directly -- either through phishing or
other malware attacks, or via in-person "black bag" jobs to physically alter
systems as they might feel appropriate": humans are the weakest part of
cryptosystems, and if they have physical access then they win; nothing new
here.

In conclusion:

> I believe it would be fully appropriate for us to be considering alternative
> methodologies for data protection that are sufficiently outside the existing
> public-key "box"

Public-key cryptography is a tool. It certainly does not form, in itself, a
full "methodology for data protection", but nothing in the article justifies
that it has lost any usefulness in its current form.

~~~
toddsiegel
Agreed. Public-key cryptography is fine. Entrusting third parties to protect
your privacy is dying.

This is something I have been thinking about a lot lately. Users need to take
more responsibility for guarding their own privacy. I think there are a lot
of business opportunities here: easy to use tools that keep control entirely
in Alice's and Bob's hands and public key cryptography is certainly part of
the solution.

~~~
christo
The fact that the agencies have to apply pressure to obtain keys proves that
the crypto is working.

Therefore, if you have, use and keep secret your own keys, the best-resourced
intruders cannot practicably get your data.

Of course, [http://xkcd.com/538/](http://xkcd.com/538/)

~~~
ctdonath
AKA rubber hose cryptanalysis:
[http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis](http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis)

------
wahsd
Something that people have apparently not quite connected is that these
developments are incremental steps towards and can already be considered
within the spectrum of mind reading. The only reason that a majority of
today's people do not recognize the situation as squarely in mind reading
territory based on examples from literature and popular culture is that the
technical limitations still restrain government, with great frustration.

Although the same heeds of danger did not suffice in the early 20th century,
we are facing the same mechanics that led to the world war. We are at a nexus
of an ugly transition into the consequences of the information age the same
way that humanity would ultimately face demise at the nexus of the
consequences of industrialization leading up to the World War, first and
second part.

The problem is a generational one; the baby boomer generation, with its
industrial-age mindset, is incapable of internalizing the consequences of
their unprincipled actions.

~~~
jka
Precisely, I agree that this is the logical direction in which this is
heading.

I think there's an implicit but rarely stated understanding - in silicon
valley in particular - that there's value beyond traditional monetary capital
in collecting and storing personalized information about individuals, groups,
and organizations - i.e. security, profiling, recruitment and research value.

Background checks for hires, selection and identification of possible good
candidates for roles, psychological profiles, etc could all - theoretically -
be extracted given enough information. For now it is - allegedly - being used
purely to identify and track bad elements, but these dubious 'values' exist in
the data regardless (and, notably, also for attackers).

Knowing the intent of individuals and what they plan to do would clearly be
massively valuable as well - PKD 'pre-crime' springs to mind, and I think Eric
Schmidt was _strongly_ signalling to the world that Google is hunting this
value aggressively during this 2010 interview:

[http://www.businessinsider.com/eric-schmidt-we-know-where-yo...](http://www.businessinsider.com/eric-schmidt-we-know-where-you-are-we-know-where-youve-been-we-can-more-or-less-know-what-youre-thinking-about-2010-10)

As connectivity spreads and devices become closer to our biological selves,
this is only going to become more accurate - and thus more powerful and
controlling for anyone with the ability to use and see the data.

The real questions I have are: how accurate are these predictions really (is
Google anywhere near as advanced as their public statements would have us
believe?), and how many organized criminals / terrorists will in their right
minds continue to use these services, extrapolating, as they must, about these
directions as well. With the current silicon valley mindset, the technologies
to support all this infrastructure _will_ be pursued even if for reasons of
pure capital - they all align perfectly with valid use cases in the
advertising, sales and marketing realms. (see: intent analysis)

I think there is a dream of purely computerized security based on 'enough'
global buy-in to US-based services, aligned with sufficient communications
interception. For example, if 70% of the world uses US services for
communications, perhaps that is enough to identify suspicious
holes/gaps/anomalies in social networks - as well as simpler patterns of
criminal behaviour within the covered communications - and thus anticipate
problems.

But whether this is near a reality, and whether the ones who suffer on
aggregate are {citizens/residents} or {organized crime, terrorists} I think is
very unclear without transparent statistics on coverage / actual crime
preventions / etc. I would _guess_ that the NSA, GCHQ, Facebook, Google et al
are not there yet, but what they have done is create an arms race where if
they do not follow-through, others elsewhere may do - and thus it _has_ become
a matter of national security (in terms of supremacy of the allies) after all.

Frankly I would question given the financial crisis whether they are even
hunting the right targets, but direction is presumably still set from a
political and defence angle as opposed to overall public good.

Given that other nations are likely now following in these same footsteps, I
think it is _extremely_ important that the US sets good precedents, because
others will take their lead. And to make a parallel with the cold war, it
seems like resolution of this kind of arms race would need co-ordination and
agreement with other international spy agencies - after all, the volumes and
value of the data/analysis they are storing is presumably as potentially
destabilizing to international safety as nuclear stockpiling is.

~~~
tallpapab
This is all very interesting. So far it seems to be used to show me adverts
for stuff I have already bought.

~~~
jka
That's commonly known as 'remarketing' - by co-operating a little, a website
and an advertising network can communicate the pages and products you've been
looking at, and then the ad network can show you the products (or related
items) again when you visit other sites.

It's frequently annoying if you've already made the purchase / decided not to,
but it's a marketing ROI 'hack' in that the users who are being shown these
adverts have already previously expressed some interest in them.

Even if 50% of users aren't interested any more or bought the product, the
remaining 50% are still 'well qualified' -- i.e. known relevant -- and so
showing the content again to them is more likely to result in sales, and so is
'cheaper' for the advertiser than targeting otherwise-unknown users. It's
better for the ad network as well since their customers (the advertisers) will
get better results.

Intent mining is really more about analyzing what people are saying online
(or, equally, the text they're entering via search engines) and working out
what they are intending to do - are they looking to purchase a camera, or are
they looking for information about a business?

The two aren't completely separate - remarketing combined with intent mining
could presumably have some interesting results (we've seen you were
investigating shoes yesterday, and you're travelling to a mall - I'll show you
some adverts from shoe stores there), but they're slightly logically
different.

------
thewarrior
Have no doubt about it, this marks the beginning of the end of online privacy.
Now that even the U.S. govt is asking for the TLS Certificates there is no
country that has the moral high ground on this issue.

I'm from India and when I heard that the Indian government was asking
Blackberry for its encryption keys I thought "Hah these people are so
ignorant! They don't even know how public key encryption works!!". In
hindsight it doesn't look very foolish. In fact they're openly building a
surveillance system called CMS which has no checks and balances even on paper.
Unfortunately, in a country like ours which has so many other pressing issues it
isn't a big deal yet.

Recently some governments tried to orchestrate a power grab of the internet
via the ITU but it was vetoed by the US. "It's better to let the US govt. have
a monopoly on the internet", or so I thought. What with all their
constitutional protections and all. Recent developments have shattered my
hopes.

The NSA's worst case scenario has already happened. Other than some modest
outrage on the internet nothing much has changed. In a sense it shows a tacit
acceptance of mass surveillance by most of the public. Hence my opinion that
recent events mark a turning point.

With no one having the moral high ground it's quite likely that all world
governments and corporations are soon going to come to an agreement on
permanent mass surveillance. What then?

~~~
nileshtrivedi
I am in the same boat. I supported US against my own (Indian) government on
the ITU taking over internet governance issue because I genuinely believed US
would be a better guardian of the Internet than India. I was proven wrong.
Now, decentralization of internet control doesn't seem like all that bad a
thing.

------
johngalt
It's a neat argument that the Feds have.

If you send traffic unencrypted: 'You have no expectation of privacy, because
you're broadcasting information publicly.'

Turn on encryption: 'Clearly you have something to hide, and deserve
additional scrutiny. It's still not a fourth amendment violation because we
are just compelling a business to give us your keys'

~~~
utnick
Right on,

Clearly it's also OK for the police to search your apartment at any time as
well. You don't own your apartment, an apartment corporation does, so it's
clearly not a 4th amendment violation.

~~~
dclowd9901
Actually laws do protect private domain of a rental. It's the same reason the
apartment companies themselves/landlords are not allowed to enter the
apartment without your expressed consent.

~~~
pyrocat
They don't need consent, they just need to give notice.

------
rdl
Sounds like not "the death of public key encryption" but the golden age of
building technical controls into hardware/software which cannot be subverted
by the operator, even in the face of a state agent with a gun.

Assuming the right tech is developed and deployed, this is going to be far
better for everyone in a few years. Yes, it will be shitty for a year or two,
but by 2020, if we actually have real technical security, it will improve
security and trust for end users. Rather than "trust us", it will be "trust
us, because...".

~~~
coldtea
> _Assuming the right tech is developed and deployed, this is going to be far
> better for everyone in a few years._

Ah, the old "let's use technology to solve a political issue" idea.

Sadly, it does not work. For one, the government has all the technology
available for it too, including dedicated, full-time paid researchers.

Second, they can outlaw any of those things at whim.

~~~
jlgreco
These criticisms of technological solutions always miss the obvious: both
approaches _complement_ each other.

If I send my aunt a letter, I am assured that unless there is a warrant, my
letter to her will not be read by my government. She doesn't live in my
country though, and her country gives no such assurances. More-so, even if it
did, I would have no particular reason to trust her government. On that note,
what if I don't trust _my_ government?

Instead of sending her a regular letter, thanks to technology I have the
option of mailing her a message encrypted with her PGP public key. Now I have
to trust that my government will not beat me with a wrench or compromise my
computer to gain access to the pre-encrypted letter (if I possess it), I have
to trust her government to not beat her with a wrench or break into her
computer, and I have to trust our governments to not outlaw PGP.

So which is preferable, finding political solutions to the _"my aunt and I
are being beaten with wrenches"_ problem, or finding political solutions to
the _"my letters are secretly being read without our knowledge"_ problem? I
assert the former is preferable. Beating people with wrenches is a far more
extreme action, it is easier to trust governments not to do something that is
more extreme.

All of the problems with technical solutions are _ultimately_ political
problems. You can either abandon all technical solutions and only go for
political solutions, or you can find political solutions to the shortcomings
to technical solutions. Technical and political solutions complement each
other, providing assurances that the other cannot. Both need to be pursued.

Don't want the government to read your mail? Encrypt it. Don't want your
government to ban that? Lobby your position.

~~~
coldtea
> _These criticisms of technological solutions always miss the obvious: both
> approaches complement each other._

In a small way, yes, but in the long run, politics trumps technology.

You could achieve privacy from the government if you solved the political
issues.

But the reverse is not true: if you had the perfect technological solution,
they could make using the solution illegal -- including doing away with
plausible deniability, even if the technological scheme provides it.

Or, if the government goes totally south, they could fuck you in other ways,
making the technological solution totally irrelevant. E.g they could put you
in a concentration camp. Where's your tech now?

> _Beating people with wrenches is a far more extreme action, it is easier to
> trust governments not to do something that is more extreme._

Only if you live in a western democracy (and are not a dissident, activist,
or of any concern to the law).

In any other country, trusting the government not to do the extreme is not
really that obvious. Heck, even in Western Europe, there have been 3 active
military dictatorships during the last 40 years (and this is not even
counting Eastern European countries, stasi and such).

~~~
jlgreco
You really seem to be keen on not getting it.

What you are saying essentially boils down to _"Don't waste your time with
PGP because they could just stick you in a concentration camp."_ Being stuck
in a concentration camp is a problem that needs a political solution _(or in
that particular extreme case, a violent solution...)_, _so strive for one_.
Nobody is suggesting that everyone abstain from finding political solutions to
political problems.

All the problems you seem to have with technical solutions are things that can
be solved with political solutions. If you are advocating the possibility and
pursuit of political solutions, as you seem to be doing, then why do you think
the problems with technical solutions insurmountable?

Here is my proposal: Everybody use cryptography everywhere, to the full extent
that we can manage. We then find political solutions to the political or
physical threats to cryptography. If they try to ban cryptography, we fight
back politically. If they start beating people with wrenches, we fight back
politically. If they try to throw us in camps, we fight back politically
(...and violently...).

There is absolutely no reason not to adopt technological solutions where they
exist.

------
dasil003
> _To be clear, this is not to assert that targeted, justified intercepts
> should not be possible under appropriate and realistic court supervision._

Why make this disclaimer? To avoid being branded a fringe anarchist?

It seems to me that we should absolutely be building intercept-proof
communication privacy to the best of our ability since A) there's no such
thing as perfect security and B) anything of importance eventually comes into
contact with the real world where governments have immense power and don't
need backdoors to do their job.

~~~
tootie
It's worth noting that prior to the internet there was absolutely no way of
creating intercept-proof communication. Whilst I don't want companies handing
over the SSL keys any more than you do, we have only had truly secure
communication protocols available to the public for the past 10 or so years of
human history.

~~~
dasil003
True, but then neither did governments have the capacity to record all
telephone and/or telegraph communications either. The sword cuts both ways.

------
leef
This article seems to be mostly FUD. Per-session, ephemeral SSL keys are
available and are used by at least Google [1], CloudFlare[2], and others.

No keys are stored, no keys can be given to the NSA.

1 -
[https://www.imperialviolet.org/2011/11/22/forwardsecret.html](https://www.imperialviolet.org/2011/11/22/forwardsecret.html)

2 - [http://blog.cloudflare.com/cloudflare-prism-secure-ciphers](http://blog.cloudflare.com/cloudflare-prism-secure-ciphers)

~~~
dlitz
That's only true in a pure eavesdropping scenario. The keys would still allow
MITM attacks.

~~~
mpyne
Except for cert pinning. I think moxie is working on a general form of that
right now.

~~~
dlitz
Cert pinning doesn't solve that problem. Cert pinning solves the problem of a
compromised CA signing false certificates. If an attacker has the private key
of the _endpoint_ , cert pinning will do nothing.

~~~
mpyne
I.e. the attacker completely simulates the desired endpoint since they have
the priv key, DNS and all? I think that makes sense indeed.

------
anovikov
Broad solution to all this is building your lives and business in a way
government can have minimal control over. Just do what it requires and keep
everything else encrypted and anonymized. And don't rely on government for
anything, for we are heading for a world of global government failure: people
and institutions are going to ignore and circumvent them all, and make them
dysfunctional. In a way, that will be like communism: there is little
government can be of help nowadays, and it is more and more becoming a
nuisance.

~~~
pron
Don't rely on government for anything? What are you talking about? Almost 100%
of scientific research and 100% of infrastructure around the world is funded
by government. Almost all of education, health and welfare around the world
(though less so in the US) is run by government. A lot of people are
suspicious of government, but such fundamental disdain toward and alienation
from government are peculiar American (and sometimes Russian) traits.

~~~
santosha
'such fundamental disdain toward and alienation from government are peculiar
American'

This. If you're so unshakably convinced that a government full of people you
vote for every four years is never going to work in your interests, you have
serious problems.

~~~
nine_k
I wish you counted the officials you voted for and compared it to the number
of governmental bureaucrats, agents, and other persons that are _assigned_,
never elected, and often stay at their offices as elected officials change.

The number of non-elected officials is vastly larger than the few thousand
elected officials people vote for.

Not that governments (and other bureaucratic bodies) never work in your
interests. They always work in _their own_ interests, and among these are
self-perpetuation and grabbing more power. But as long as their _other_
interests are aligned with yours, they could throw all their power at your
cause. Should your interests diverge... well, good luck.

~~~
7s
Many implementations of democracy have this problem, most prominent example of
course the US.

------
forman00
If anyone's interested in learning more of how you can use the private key of
a server to monitor all communications: see, for example, US Pat. 7,543,051

It describes a way to passively/non-intrusively ("invisible to the server")
capture and analyze all network traffic using a cable-tap.

Bottom of column 8: "In order to accomplish decryption in a timely manner the
secure traffic decryption unit needs the private key of the server. Usually
providing the server's private key to another device would be considered a
security flaw, since private keys are not meant to be communicated to any
other party. But since it may be assumed that usually the server's owner or
operator will use the present invention to monitor his/her own server,
providing the server's private key to the secure traffic decryption unit does
not pose significant security risks."

~~~
forman00
[https://docs.google.com/viewer?url=patentimages.storage.goog...](https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US7543051.pdf)
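
The two technical points above, leef/dlitz on per-session keys versus a
stolen endpoint key and forman00 on a passive tap fed the server's private
key, can be played out in one toy handshake. The following is an added
example, not code from the thread, the linked article, or the patent. It
stands in for the certificate key with a static Diffie-Hellman pair (s, S)
rather than RSA, which is an assumption that changes nothing about the
conclusion; the group parameters are transcribed from RFC 3526 and the
function and label names are mine. Scenario 1 is the patent's tap: the
session key depends on S, so whoever later holds s decrypts the recording.
Scenario 2 is leef's forward secrecy: s only authenticates the handshake,
so the same tap with the same key derives nothing useful. Scenario 3 is
dlitz's objection: an active attacker holding s passes both the server
authentication and a key pin, because the pinned key is the one they hold.

```python
# Added example: what a compelled server private key buys an attacker,
# with and without forward secrecy. Not from the thread or the article.
# The server's long-term key is modelled as a static DH pair (s, S); the
# client already holds S (from the certificate, or as a pin).
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Transcribed from the RFC;
# verify against the RFC before reusing this constant anywhere real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    """Random exponent (256 bits is ample for a 2048-bit group) and g^x."""
    x = secrets.randbits(256) | 1
    return x, pow(G, x, P)


def kdf(shared, label):
    """Derive a 32-byte key from a DH shared value and a context label."""
    return hashlib.sha256(label + shared.to_bytes(256, "big")).digest()


def transcript(X, Y):
    return X.to_bytes(256, "big") + Y.to_bytes(256, "big")


# --- scenario 1: static key exchange, the session key depends on s ------
def static_exchange(s, S):
    x, X = keygen()
    k_client = kdf(pow(S, x, P), b"static")   # client uses the cert key S
    k_server = kdf(pow(X, s, P), b"static")
    assert k_client == k_server
    return X, k_client


def tap_with_key(s, X):
    """Passive tap that later obtains s: recovers the recorded session key."""
    return kdf(pow(X, s, P), b"static")


# --- scenarios 2 and 3: ephemeral exchange, s only authenticates ----------
def server_respond(s, X):
    y, Y = keygen()                                   # fresh per session
    auth_key = kdf(pow(X, s, P), b"auth")             # static-ephemeral DH
    tag = hmac.new(auth_key, transcript(X, Y), hashlib.sha256).digest()
    return Y, tag, kdf(pow(X, y, P), b"session")


def client_finish(x, X, Y, tag, S, pinned_S):
    if S != pinned_S:                                 # certificate pinning
        raise ValueError("key pin mismatch")
    auth_key = kdf(pow(S, x, P), b"auth")
    expected = hmac.new(auth_key, transcript(X, Y), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("server authentication failed")
    return kdf(pow(Y, x, P), b"session")


def ephemeral_session(s, S):
    x, X = keygen()
    Y, tag, k_server = server_respond(s, X)
    k_client = client_finish(x, X, Y, tag, S, S)
    assert k_client == k_server
    return (X, Y), k_client


def tap_with_key_ephemeral(s, recorded):
    """Same tap, same key: every session-key candidate derivable from X, Y, s.
    The real key is g^(xy); s only yields g^(xs) and g^(ys)."""
    X, Y = recorded
    return {kdf(pow(X, s, P), b"session"), kdf(pow(Y, s, P), b"session")}


def mitm_with_key(s, S):
    """Active attacker holding s impersonates the server to the client,
    then runs an ordinary handshake to the real server and relays."""
    x, X = keygen()                                   # victim's hello
    y_att, Y_att = keygen()                           # attacker's share
    auth_key = kdf(pow(X, s, P), b"auth")             # needs s, nothing else
    forged = hmac.new(auth_key, transcript(X, Y_att), hashlib.sha256).digest()
    k_victim = client_finish(x, X, Y_att, forged, S, S)   # pin and auth pass
    k_attacker = kdf(pow(X, y_att, P), b"session")
    _, k_upstream = ephemeral_session(s, S)           # attacker <-> real server
    return k_victim == k_attacker and k_upstream is not None


if __name__ == "__main__":
    s, S = keygen()
    X, k1 = static_exchange(s, S)
    print("static exchange, tap with key recovers session:", tap_with_key(s, X) == k1)
    rec, k2 = ephemeral_session(s, S)
    print("ephemeral exchange, tap with key recovers session:", k2 in tap_with_key_ephemeral(s, rec))
    print("ephemeral exchange, active MITM with key succeeds:", mitm_with_key(s, S))
```

Real TLS authenticates the ephemeral share with a signature rather than a
static-ephemeral DH tag, but the consequence is the same as here: a recorded
session with a forward-secret cipher suite stays sealed even after the key
is handed over, while a live interception by someone who holds that key
looks exactly like the genuine server to the client, pin or no pin. The
`tap_with_key` function is what the patent's "secure traffic decryption
unit" does, which is why it only works for non-ephemeral key exchange.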

------
rlpb
A logical conclusion to this is that if/when governments start forcing people
to supply them with their private keys, they will also start forcing companies
producing encryption software to include backdoors.

At this point, I'm thankful that we have Free Software. With access to the
source code, forcing the insertion of a backdoor is futile, since somebody
else will fork and remove it. With Free Software, we'll still be capable of
running our own encryption in a way that government intrusion will still be
detectable by ourselves.

Unless, of course, governments then ban communication about backdoors, or
instructions on removing them, or distributing source code altogether.

~~~
CodeMage
_At this point, I'm thankful that we have Free Software._

Me too, which is why I'm worried about hardware. With enough effort, literally
anyone can decide not to trust a binary and check the source. Unfortunately,
the same cannot be said for hardware: you can't print your own microchips.

~~~
MacsHeadroom
Hardware? More than One Billion people are walking around with computers in
their pockets running closed source, proprietary, binary blobs. These
computers constantly track their owners while being connected to most (if not
all) of their private communications services.

Even people running a "fully" open source OS are affected.

Not even the Ubuntu phone will help this problem, for which there is no end in
sight.

This is off topic, but it's high time we open source cellular radio drivers.

------
macspoofing
Does the Federal government not understand that this (idiotic) mass scale
surveillance is bad for business? All the big American companies generate most
of their revenue outside of the US. Majority of the user-bases of the big
Silicon Valley tech companies are foreign. This only works if there is a level
of trust in the American system and American government. What are they
thinking?!?!

~~~
coldtea
> _Does the Federal government not understand that this (idiotic) mass scale
> surveillance is bad for business?_

Emmm, it's the business interests that ask for those kinds of things. You think
the politicians operate in a vacuum?

The idea is to get a stable climate where the business interests
(multinationals and such) can do as they please, and citizens are afraid.

~~~
rafcavallaro
That's objectively false - Google, Microsoft, Yahoo, and Facebook (among
others) have all been at pains to distance themselves from NSA data collection
precisely because they understand how bad the NSA's behavior is for their
business.

~~~
coldtea
> _That's objectively false - Google, Microsoft, Yahoo, and Facebook (among
> others) have all been at pains to distance themselves from NSA data
> collection precisely because they understand how bad the NSA's behavior is
> for their business._

For one, I wasn't speaking of those kind of business interests. Those
companies are complicit in doing it, not those that benefit most from it. It's
finance, infrastructure, industry, oil, military, etc.

Second, it's not like a CEO goes and asks his senator about it. It's an
emergent consensus, developing from lobbies, campaign financing, policy
meetings with the "giants of industry", think tank meetings, policy advisors
etc, about what's best for the continuation of the status quo, keeping the
people quiet, squashing dissidents and labour demands, the improvement of the
country's diplomatic might (which acts as a multiplier for business interests
inside the country), etc.

------
digitalsushi
The only thing I get really spooked over, is that eventually it gets to a
point where the government starts demanding passphrases for hard drives with
no hidden encrypted partition.

Am I being paranoid? Someone sensible please dilute my paranoia.

~~~
ttctciyf
Realistically paranoid, I think.

Best plan may be to create a small encrypted partition, and put some data on
it, so you can give them the passphrase when asked.

Don't forget the passphrase!

~~~
mistercow
And what if they say "That data was obviously innocuous so there must be
another encrypted partition"?

~~~
dilap
You could try putting something embarrassing but not incriminating there (e.g.,
gay porn or whatever).

~~~
minor_nitwit
Aha, obviously you are quite cunning, therefore you knew that I would expect a
second partition, so there must be a third partition!

------
masswerk
Just a thought: For the better half of the 20th century, i.e. after WWII,
Europe has been confronted and living with acts of terrorism from numerous
sides (Israeli – just after WWII, Palestine, left-wing, right-wing,
nationalist, etc, etc) with several severe casualties. Europe's democracies
(for the better part at least) stepped back from drastic surveillance measures
at will. (Partly because of the example of the Eastern bloc. Look up: Stasi.)
It worked anyway.

So: There is no possible deal of security versus freedom as it has been
proposed for the last 12 years or so. Sorry. It does not make sense. There is
no proportion between the losses of freedom and identity, the investment, and
the reported "less than 50 use cases" for the whole surveillance system.
Please stop. Immediately.

Just saying, while we are losing digital identity.

------
kenster07
Articles like this miss the main issue.

Privacy rights should not have to be enforced at the public key encryption
level.

Before all the sensationalists start going wild, remember that the NSA almost
got defunded very recently. That is where the real frontier of this debate
should be.

At best, this episode exposes how vulnerable public key encryption is. But
let's not go off the reservation.

------
mrmekon
And as Feds demand skeleton keys to buildings, prepare for the death of
cylinder locks?

Prepare for a change in how we use it, not for its death.

------
zokier
There is just so much more to public key crypto than public web SSL/TLS.

~~~
click170
This is what I was thinking.

This sounds more like certificates are broken than public key crypto.

Yes they can come to me for my private key, but that's a different issue, then
at least they're coming to me and not going to some intermediary "trusted
party".

~~~
mhaymo
If certificates are broken then public key crypto is broken, because a trusted
third-party certificate is necessary to prevent man-in-the-middle attacks, no?

~~~
nhaehnle
No. The trust model of HTTPS was always broken from the start. This whole
story "only" reinforces the point that key distribution and management is
hard, and a central list of certificate authorities is not a good solution.

This story has exactly zero effects if you use some public-key system with
different key management.

On the negative side, good systems don't really exist. On the plus side, this
story might help push the development of good systems.

------
cmircea
I treat email in Gmail as publicly accessible, same for almost everything I do
on the web casually.

My business data lives in Amsterdam (Azure EU West), critical services we use
are based in Europe. At least in my case I couldn't care less if the big US
companies handed out SSL keys.

~~~
evgen
If you think that operating in any particular jurisdiction provides you with
protection then you are sadly deluded. Your protection lasts just up until the
point where protecting you becomes inconvenient. Oddly enough, using the
resources of smaller companies provides less protection because they are
easier to influence, and basing services outside of the US means that you are
completely fair game for the NSA as you lack even the nominal protection that
the (waxing and waning, but currently too damn weak for my mind)
domestic/foreign distinction offers in terms of US SIGINT.

~~~
cmircea
The NSA itself has exactly zero power outside the USA.

~~~
nhaehnle
European snooping agencies seem to be quite happy to cooperate with them, so
that argument doesn't really count.

------
tallpapab
Please forgive my rudimentary (and possibly erroneous) understanding. There are
three things important to public-key encryption. The public key, the private
key (together called the key pair) and a certificate. If I understand it the
cert is just to give confidence that you have the correct public key. So the
NSA having access to the cert is a non-issue as everyone has access to same.
That's its purpose in life. Also the public key is publicly available or the
system wouldn't work. The only sensitive things are the private keys. Is this
right so far? If I want to encrypt a message to someone I need to use that
person's public key. I use the cert to make sure I have the right one. Now the
message can only be decrypted with the private key. So how can the NSA decrypt
such a message? They would need the private key. The ISP doesn't have it. Even
if they have the private key don't they need a pass phrase to use it?

Not sure how the above applies to https or to ssh. Still, in both cases I
don't think access to the cert breaks things. Indeed access to it and the
public keys are essential to it working at all. (I guess one can operate
without the cert too if you trust the source.)

~~~
205guy
Your understanding of keys is about right. It is the OP article that you are
not understanding.

You ask "so how can the NSA decrypt such a message?" That's what the article
is telling you: Either by 1) getting the private key from the corporation you
are communicating with, or by 2) cracking the cryptography.

Most people don't encrypt every email, they just use https to their email
server. You say you're not sure about https, but that is the big
vulnerability. So NSA just needs to ask your email server corp for their
private key (to decrypt the packets, and then everyone can deny that the NSA
obtained _your_ email from the corp). This is case 1) above.

For people who encrypt the message end to end (as in your example "encrypt a
message to someone I need to use that person's public key"), this is case 2).
It is controversial whether the NSA can crack the best ciphers, which are
postulated to be near-impossible to crack. But the NSA has resources we cannot
imagine and/or secret resources we cannot even know about. When the first
encryption schemes came out, they were strong in the day but were later brute
forced by more powerful computers. So there are some who think the NSA can or
will be able to crack the current crypto (that's what the OP is referring to
when he says "the means to subvert widely used mechanisms"). As others have
said, in targeted cases like this, it may be easier for the NSA just to plant
a bug on the receiving computer, to read contents after it has been decrypted.

Now certs, which you have half wrong. Yes, certs give confidence that you have
the correct public key. But certs are mostly used by companies (case 1 above)
not individuals (case 2).

In case 2, peer-to-peer encryption, individuals rarely go to the expense of
getting trusted certificates. You say "let's take this private", and you send
him your public key, or he sends you his--no cert involved. Instead you both
rely on publishing your public keys everywhere and all the time (at the bottom
of every email, on their website, etc.). That provides some history for you to
trust the key he sends you--and vice-versa. In other words, public keys MUST
be displayed publicly before you want to use them to gain credibility.

Certificates are a way for companies to publish their public key with a
credible certificate authority (CA). A certificate is essentially another
public-private key pair that lets you determine that the CA really endorses
the public key you are interested in. The credibility of the CA is determined
by their record in the marketplace as to whether they endorse credible
companies and whether they keep their master keys secure.

The original article really doesn't address certs, except to say that if
master keys can be deciphered, we cannot trust certs anymore. That's because a
malicious party could create a cert that looked real but wasn't (this happened
recently when somebody stole one of the master keys used by a CA--they were
able to make fake certs).

My question to you is: if you misunderstood the article, why are you taking
such strong positions in your other comments?

~~~
tallpapab
Strong position? Do you mean the Post Office thing? Or the "Balderdash"
comment warning about getting distracted by generalizing people? Or did you
mean the joke about getting ads for stuff I already bought? Sorry if I came on
too strong. The boomer bashing is getting old (get it?). It's in no way
helpful.

The original article seemed to be a bit political and so I bailed on it.
Perhaps I'm getting lazy in my old age.

Thanks for confirming my understanding about asymmetric keys. I forget how the
pass phrase fits into this. Is it required in order to use the private key?
Also the article and you use the term "master key". What is that? Is that just
another term for private key?

------
teeja
The whole cert structure has always been a house of cards. As evidenced last
year, e.g., with the Turkish provider ...

Since I first looked through the original Netscape, I've never had -any-
reason to put so much trust in the hands of these Blue-Ribbon names. Or any
ISP, for that matter. If US intelligence goes through with this, then only
end-to-end (which has been deliberately stalled off and roadblocked and
stonewalled for decades) will be left.

At that point we'll find out just how much power we've left to defend the
privacy of our communications, our relationships, our finances and our
movements. The Cryptocat guy may yet become a legend... or someone like him.

------
niels_olson
Due to the nature of SCI compartmentalization, I suspect that if this happens,
they're going to end up in something like symlink hell, where some FDA
inspector in Kansas has root on Facebook via 4 degrees of ssl certificates.

------
jasonkolb
If they're not careful they're going to endanger what access they have now. If
secure communication as we know it ceases to be actually secure people will
start (are now) figuring out how to go around points of failure. Meaning, if
they push on this too hard they'll lose their ability to listen in on targeted
communication because people will have more faith in unsigned than signed
keys.

All it takes is one leak of this data to throw the entire idea of "gimme your
private key" requests into the domain of F###ing horrible ideas.

~~~
jasonkolb
Actually, how crazy would it be if the documents that Greenwald is sitting on
now bring to light that this is already happening... it would overnight throw
software best practices into chaos. I hope he's careful.

------
tallpapab
All this increased digital surveillance comes at a time when the US Post
Office is under artificial financial pressure. Just last night the news
reported a plan to eliminate direct delivery to the door in favor of some sort
of community mail box facilities. Interesting coincidence that physical
letters (whose contents are still protected by federal statute) are being
discouraged while unprotected content is being collected.

~~~
takluyver
What makes you think that the financial pressure is artificial? Postal
services in general are having problems because there's not much reason to
spend money sending a letter that will take days to arrive, when you can write
an email for free and it will arrive in seconds.

------
Mordor
Any country with secret laws and secret courts cannot be trusted, so it's only
the death of US encryption (chips, software, hosting and services).

------
ptaffs
The monitoring program is costing an awful lot of money, the data centers
could be doing real work streamlining government processes and making the
administration more efficient. We know governments, corporates, sys admins
will snoop and should be objecting to our tax being used for a probably
useless effort to process this raw data. Discuss tax rather than privacy,
everyone cares more about that.

------
cantankerous
Really, this article is silly. SSL keys will remain useful for
_authentication_. If you want to make sure nobody's got the master key, just
do a double-Diffie-Hellman and you're square...provided the person snooping on
the master key isn't trying to use it to MITM you. That's a whole other bear
entirely, though.

------
diydsp
As Feds hire contractors to do this work, the work will leak out of the
contractors' hands into the hands of those with money, such as foreign
organized identity thieves. It's not just about hiding furry porn from the
"Murican Gubmint," but about protecting our financial info from foreign
thieves.

------
chris_mahan
The only defense against government snooping is air gap. Don't connect your
stuff to the Internet.

~~~
205guy
From the article, I got the impression that the only way to really have secure
communications is to create your own crypto. Now that you mention "air gap," I
think that is the key (pun intended): it would have to be a crypto device that
communicates with a PC through an air gap. Not USB nor bluetooth, actually
nothing digital. The device I'm thinking of would rely on certain kinds of
digital-to-analog and analog-to-digital conversions.

~~~
chris_mahan
How about QR codes? Light spectrum communications.

------
acd
Maybe we should not trust central key emitting authorities but each other and
our friends instead. For e.g. the government could run shadow CAs which
normally perform their duties but at demand provide MITM certificates for
them.

------
jensC
Arrrg! Forget about the cloud. I'll host my servers at home, unplug them at
night and watch my log files over the day :)

------
aidenn0
Didn't moxie marlinspike have an idea for replacing the current SSL trust
chain?

------
mtgx
Why can't PFS be a solution for this?

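The "case 1" that 205guy describes above (recorded HTTPS traffic decrypted later with the server's long-term private key) and the PFS question are easiest to see side by side. The following is an added example, not code from the thread or from any project; it uses a toy Diffie-Hellman group, a constructed SHAKE-256 stream cipher in place of the real TLS record cipher, and omits the signature that a forward-secret handshake would put on the server's ephemeral value.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: 2**127 - 1 is
# prime but far too small for real use (TLS uses 2048-bit+ groups or curves).
P = 2**127 - 1
G = 5

def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy record cipher: SHAKE-256 keystream XORed over the data (not AES)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_session(server_longterm_priv: int, ephemeral: bool, plaintext: bytes) -> dict:
    """Simulate one session; return what a passive recorder on the wire sees."""
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    if ephemeral:
        # Forward secrecy: a fresh server secret per session, discarded after.
        # The long-term key would only sign server_pub (signature omitted here).
        server_priv = secrets.randbelow(P - 2) + 1
    else:
        # Non-PFS (static key exchange, the thread's "case 1"): the server's
        # long-term secret is what every session key is derived from.
        server_priv = server_longterm_priv
    server_pub = pow(G, server_priv, P)
    session_key = kdf(pow(client_pub, server_priv, P))
    return {"client_pub": client_pub, "server_pub": server_pub,
            "ciphertext": stream_xor(session_key, plaintext)}

def recover_with_longterm_key(transcript: dict, server_longterm_priv: int) -> bytes:
    """What a recorded transcript plus the server's long-term private key yields."""
    session_key = kdf(pow(transcript["client_pub"], server_longterm_priv, P))
    return stream_xor(session_key, transcript["ciphertext"])

if __name__ == "__main__":
    longterm = secrets.randbelow(P - 2) + 1
    msg = b"constructed sample message"
    for mode in (False, True):
        t = run_session(longterm, ephemeral=mode, plaintext=msg)
        got = recover_with_longterm_key(t, longterm)
        print("ephemeral" if mode else "static   ", "recovered:", got == msg)
```

With the static exchange the stored key recovers every past session; with the ephemeral exchange the same key yields garbage, which is the whole point of PFS (and why TLS 1.3 dropped static RSA and static DH key exchange).
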
~~~
EGreg
PFS and other Deniable encryption
([http://en.wikipedia.org/wiki/Deniable_encryption](http://en.wikipedia.org/wiki/Deniable_encryption))
are great for deniability. However, they and everything else can be
susceptible to unrelenting rubber-hose "cryptanalysis".
([http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis](http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis))

It is said that the goal of cryptography is to make the attacker resort to
rubber-hose cryptanalysis, revealing their intentions. In those cases, the
best you can hope for is plausible deniability, i.e. decrypt some part of the
cipher showing something embarrassing but not illegal, and hope that they
think that was all that was there. Actually that's what TrueCrypt provides
with its "secret encrypted volume". However, there are some tests for
randomness
([http://en.wikipedia.org/wiki/Randomness_tests](http://en.wikipedia.org/wiki/Randomness_tests))
like the chi-squared test which can detect/identify many such encryption
schemes if the size is large enough.

In short ... it's an arms race. Your best bet is Steganography
([http://en.wikipedia.org/wiki/Steganography](http://en.wikipedia.org/wiki/Steganography))
which has been around for centuries. Just write messages where no one
suspects. You can encrypt them with PFS and plausible deniability for best
effect.

~~~
ReidZB
Any encryption scheme worth using will not be identifiable by a randomness
test. Block ciphers like AES are designed specifically to model pseudorandom
permutations (or, rather, this was one of their design goals); being able to
distinguish them from truly-random data would be a rather frightening result.

For more information, see "Is it possible to distinguish a securely-encrypted
ciphertext from random noise?" at
[http://crypto.stackexchange.com/q/1646/2454](http://crypto.stackexchange.com/q/1646/2454)

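The chi-squared test EGreg mentions and ReidZB's objection can be checked directly. This is an added example, not code from either commenter: it runs a byte-histogram chi-squared test over constructed English text, over the same text under a weak single-byte XOR, and over the text under a toy PRF keystream (SHAKE-256 standing in for AES-CTR); the 400 cut-off is a constructed threshold.

```python
import hashlib

# Constructed sample plaintext: ordinary English repeated so the 256-bin byte
# histogram has enough mass (18000 bytes, about 70 expected per bin).
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog. "
               b"Meet me at the usual place at noon tomorrow. ") * 200
KEY = b"constructed-demo-key-not-a-real-secret"

def chi_squared_bytes(data: bytes) -> float:
    """Chi-squared statistic of the byte histogram against a uniform model."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def looks_uniform(data: bytes, threshold: float = 400.0) -> bool:
    """Uniform bytes give a statistic near 255 (255 degrees of freedom, standard
    deviation about 23); values far above that reveal structure. 400 is a
    constructed cut-off well beyond anything uniform data produces."""
    return chi_squared_bytes(data) < threshold

def single_byte_xor(data: bytes, k: int) -> bytes:
    """Weak 'encryption': XOR every byte with one key byte. This only relabels
    histogram bins, so the chi-squared statistic does not change at all."""
    return bytes(b ^ k for b in data)

def xof_stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES-CTR: SHAKE-256 as keystream
    generator. Its output is pseudorandom, so ciphertext bytes look uniform."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

if __name__ == "__main__":
    cases = (("plaintext", SAMPLE_TEXT),
             ("single-byte xor", single_byte_xor(SAMPLE_TEXT, 0x5A)),
             ("prf keystream", xof_stream_encrypt(KEY, b"nonce-1", SAMPLE_TEXT)))
    for label, blob in cases:
        print(f"{label:16s} chi2={chi_squared_bytes(blob):9.1f} "
              f"uniform={looks_uniform(blob)}")
```

The test flags the plaintext and the weak scheme but not the keystream ciphertext, which is ReidZB's point: a randomness test separates structured data from random-looking data, not a sound cipher's output from noise.
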
~~~
phlo
Well, only two typical use cases will lead to owning a hard drive filled with
(pseudo-)random noise: secure deletion or encrypted data. If you used either,
you've got something to hide and it's a well-known fact only terrorists and
communists do.

~~~
gknoy
Or, radio telescope analysis. I wonder how hard it is to get a terabyte of
radio telescope noise. If I had that, how hard would it be to use it to XOR
with a TrueCrypt partition.

------
jokoon
Well, no one has to obey them.

Why so much fuss about it?

------
Yourfags
Technology changes and so does the world, whether we like it or not. The
question is always, who will come out on top.

I'm not really trying to be snide, but it really is an issue that's been sort
of hanging around since before I was born (1980s), who's going to control
the internet and how, and whoever does is probably going to have a lot of
power.

