
Feds put heat on Web firms for master encryption keys - antman
http://m.cnet.com/news/feds-put-heat-on-web-firms-for-master-encryption-keys/57595202
======
tptacek
I'm ambivalent about NSA's need to request potentially large amounts of data
from Google about broadly targeted foreign intelligence targets. I see the
long term sinister possibilities while generally believing that the data isn't
being misused today, and what immediate problems I see have more to do with
ineptitude and laziness than with the belief that Internet surveillance is
fundamentally evil.

But coercing Google into handing over TLS keys is unequivocally bad;
indefensible, I think. It's one thing to legally compel Google to grant access
to data, but another thing entirely to rewire Google itself:

* It provides NSA with a technical capability they do not currently have, enabling them to shoot first and answer questions for a court later, and eliminates a due process element that other providers (notably Yahoo) have been able to avail themselves of.

* If provides the USG with capabilities beyond simple surveillance, for instance by allowing them to spoof Google pages. There can't be any legitimate reason to provide them that blanket authority.

I appreciate the effort and expense it must take for companies like Google to
resist these requests.

~~~
nwh
> It provides the USG with capabilities beyond simple surveillance, for
> instance by allowing them to spoof Google pages. There can't be any
> legitimate reason to provide them that blanket authority.

The US government already has at least Verisign under their belt. They can
already MITM just about any SSL connection they could ever want to.

I would wager that they have a large number of private keys anyway. It's not
like datacenters would be able to do much when the NSA rocks up with a NSL.

~~~
jstalin
Would that mean that self-signed SSL/TLS certificates are safer than
certificate-authority-issued certificates?

~~~
mrweasel
Neither is inherently safer than the other, certificates are about trust,
SSL/TLS gives you encryption regardless of where the certificate comes from.
If you control both ends of a connection or know the person who signed the
self-signed cert and trust him more than someone like Verisign, then yes,
self-signed is just as good or better.

In the case of an organisation like Google, I don't see why the US government
would even need the keys for Googles SSL certificates. Google have all the
data they could ever want stored unencrypted anyway (or at least have the
ability to decrypt). If they had any legal reason for wanting the content of
my gmail account, they could just get the courts to subpoena Google for the
data.

~~~
jasonwatkinspdx
> they could just get the courts to subpoena Google for the data

I think that's one of the motivations right there. Even if FISA generally
gives the government what it wants, it's still a process that the government
appears to regard as a hassle to be eliminated.

I think the second reason is that google is a sophisticated enough company
that they could perhaps infer things from the data request patterns that the
requesting agencies would prefer secret.

------
jamieb
I think there needs to be an acknowledgement that the NSA, the FBI, and the
government in general are not staffed by angels or robots, but by human
beings, and that some of these human beings are criminals. The very fact that
Snowden got all that data means that, regardless of whether or not he's a
criminal or a whistleblower, _the humans in government_ cannot be trusted with
this data. "The FBI" may have a need for this data but the humans in the FBI
are too great a risk. I find it absurd that we are even having to have this
conversation with an organization that has to deal with operational security.

~~~
jivatmanx
Few men could be moral when offered the combination of unrestricted power over
others, total secrecy, and lack of consequences for actions, that is so often
the state of these agencies.

That's why we need their power to be limited and defined, as open as possible,
and have legitimate avenues of redress for grievances. They are supposed to be
public servants, not rogues.

------
ThomPete
I am always reminded of a quote from Arthur C. Clarke I was made aware of
through Bill Joys "Why the future doesen't need us."
[http://www.wired.com/wired/archive/8.04/joy.html](http://www.wired.com/wired/archive/8.04/joy.html)
(Still a classic piece)

"Another idea is to erect a series of shields to defend against each of the
dangerous technologies. The Strategic Defense Initiative, proposed by the
Reagan administration, was an attempt to design such a shield against the
threat of a nuclear attack from the Soviet Union. But as Arthur C. Clarke, who
was privy to discussions about the project, observed: "Though it might be
possible, at vast expense, to construct local defense systems that would
'only' let through a few percent of ballistic missiles, the much touted idea
of a national umbrella was nonsense. Luis Alvarez, perhaps the greatest
experimental physicist of this century, remarked to me that the advocates of
such schemes were 'very bright guys with no common sense.'" Clarke continued:
"Looking into my often cloudy crystal ball, I suspect that a total defense
might indeed be possible in a century or so. But the technology involved would
produce, as a by-product, weapons so terrible that no one would bother with
anything as primitive as ballistic missiles.""

The threat of terrorism is greatly overplayed by various interest groups. I
wonder if the accumulated effect of this attempt to oust terrorists is
creating more harm than it's hindering.

More people die in a year on the US roads than have died from all terrorist
attacks accumulated.

Some of those that died on the roads most probably chose a car instead of the
tediousness that is airports.

If the US government truly where interested in hindering terrorists and saving
lives, they wouldn't hide the fact that they are eavesdropping, they would
make it obvious and transparent, and possible for each individual citizen to
know what they know about you.

I just don't get their logic.

~~~
zzzeek
> More people die in a year on the US roads than have died from all terrorist
> attacks accumulated.

I'm a little tired of this argument. "Only" 3000 people died in 9/11\. Yet
look at the effect that 9/11 had on the world, versus 100 times that many
automobile deaths.

As much as we'd like to think the only bad outcome of a terrorist attack is
loss of life, that's not really the biggest outcome. It is the impact on
society, like it or not.

At the end of the day, terrorism is primarily a tool to affect _political_
situations, their effect on public health situations is not really the point;
it is that political damage that is worrying to governments.

~~~
mikeash
99.99% of the impact of 9/11 was due to the reaction, not the initial action.

Using the vast impact of 9/11 as an argument for further reaction _is getting
everything backwards_.

We would have been vastly better off following 9/11 if the government had gone
with a "keep calm and carry on" mentality rather than the "everybody panic and
start invading things" reaction they actually had.

Terrorism is like a bee sting, and our reaction to terror attacks in the US is
like an allergic reaction. The difference is that the US has control over its
own immune system, and could choose not to be allergic if it wished.

That "political damage" is almost all _caused by_ the government, and can't be
treated like an independent entity. The excessive impact of terrorism cannot
be used to argue that the government needs to pay attention to terrorism,
because it is that paying attention which _causes_ the excessive impact in the
first place.

~~~
zzzeek
certainly if politicians felt it was feasible to allow terrorist attacks to
occur without mass hysteria resulting, they'd be doing that? Perhaps if all
the media in the country were state run, and the government simply suppressed
reporting of incidents like that in Boston, they'd be able to contain the
hysteria. But as it stands, we have a free press, and on 9/11 as well as in
Boston, the government _did absolutely nothing_ in the _immediate_ sense to
cause the resulting hysteria; the 24/7 media did that all by themselves. The
government's overreaction to all of it was only after the populace
collectively freaked out (which you can argue, they could have downplayed, but
again the government is extremely politically reactive - which is likely
better than them not giving a shit about political opinion); this because they
were informed by the media, which itself is an institution resulting from what
the populace wants, as the media is a for-profit, market driven entity.

~~~
darkarmani
> and on 9/11 as well as in Boston, the government did absolutely nothing in
> the immediate sense to cause the resulting hysteria

I don't recall hysteria in Boston. There was more hysteria over the Moonites
than bombings. But I don't think anyone has the bar so low to say that it's
all good as long as gov't doesn't create the hysteria. The gov't should be
able to dampen hysteria rather than swing it higher.

~~~
mikeash
I'd say that attempting to shut down the _entire city_ while they searched for
the surviving bomber would qualify as hysteria.

~~~
darkarmani
Was there anyone hysterical over that? They prevented him from easily fleeing.
I mean they had a dead police officer and a shootout where multiple very loud
bombs went off.

~~~
mikeash
Worse crimes happen with some frequency yet the response is never nearly that
large. Boston is the only time I have ever heard of an entire major American
city being shut down on order to chase a single criminal. His crime was not
exceptional, aside from the "terrorism" angle. Such a massive overreaction is
hysteria.

~~~
darkarmani
Worse crimes than injuring 246 people and killing 5? The only reason it might
not be "exception" is the number of heroes that prevented victims from
bleeding out. Without immediate aid, nearly everyone that lost a limb would be
on the deceased list.

------
declan
I can't help wondering if this is what prompted Google to adopt perfect
forward secrecy in November 2011, and for Facebook to say last month it would
follow suit, which I wrote about here:
[http://news.cnet.com/8301-13578_3-57591179-38/data-meet-
spie...](http://news.cnet.com/8301-13578_3-57591179-38/data-meet-spies-the-
unfinished-state-of-web-crypto/)

Note I have no direct knowledge that this is the motivation, but it strikes me
that PFS is a solution to a specific threat model of an eavesdropper having
passive access to the network. I'd be eager to hear more from people who are
more familiar with the issue than I am.

~~~
marshray
At the very least, if some judge in [rural county where Google has a
datacenter] issues a subpoena for the keys necessary to decrypt a packet
capture obtained by the Sheriff's Office in the course of investigating a
local crime

A: They can credibly argue that they don't have that information, and it won't
trigger an avalanche of copycat subpoenas.

B: The crypto key being sought by the subpoena is not one that would enable
decryption of all Google, but rather one specific to the connection.

~~~
declan
It's true that there are more Title III intercept orders targeting Internet
providers and companies that come from states vs. the Feds. Note these stats
do not include Foreign Intelligence Surveillance Act eavesdropping.

But because Google can be compelled to divulge the plaintext of, say, email
messages or G+ posts if subject to a lawful court order, there's no need to
perform a more difficult and expensive Title III wiretap. Real-time services
like Hangouts are an exception, but it's still easier to serve a Title III
order on Google than try to install a box on a rural ISP in Georgia and try to
intercept and decode the stream.

Re: your point B, PFS would protect against passive attacks even if the master
SSL key is known to Eve, and a subpoena would be insufficient legal process to
obtain an ephemeral session key.

------
DanielBMarkham
"The government's view is that anything we can think of, we can compel you to
do."

Which pretty much in a nutshell encapsulates what's wrong with the U.S.
security state we've built. Terrorism is the trump card, the thing that
compels/allows the state to take anything it needs. As one official put it
recently "We're not trying to spy on you, we're trying to find those among you
who are trying to kill you" And anything they do in order to prevent that from
happening is fair game. It's a perpetual state of war.

Having said that, this is kind of a good news/bad news situation. The good
news? Looks like most of the secret back door rumors, at least when it comes
to TLS, were wrong. The bad news? It doesn't matter. If the government can try
compel you to release the secret password for millions of users -- and then
forbid you even to talk about it in the open -- then there truly is no limit
to the monitoring and control they can exert. Whatever they get away with this
year, there'll be more to come next year. Fake out https websites, play MITM
games with data providers -- if you've got the keys, the world is your oyster.

Back around the turn of the century, I worked on several government projects.
Aside from the usual deadwood workers, there are folks that are really eager
to push the technology and create as much automation and storage as possible.
This is because they like to hack, just like the rest of us. I used to say,
jokingly, that the only reason we didn't live in a dystopian security state
was that the government was too inept to actually create one.

Looks like the joke was on me. They're pretty fast learners. Make the national
transaction and storage system totally secure, then lean on the in-country
tech community to give you the keys to all of it. What a terrible way to
destroy the national tech economy.

------
pasbesoin
It has been interesting, over the past some years, as a client just to observe
the ongoing changes Google has been making to the nature of HTTPS connections
to its properties.

Reporting like this appears[1], and -- coincidence or not -- those
observations fit into place.

\----

[1] Whether regarding three letter acronyms or protocol weaknesses or whatnot

P.S. I'm not sure why the downvotes. TLS renegotiation weakness. Perfect
forward security. Even earlier, nascent deployment of their own intermediate
certificate authority -- which disappeared after some months, only to reappear
again more recently (at least, in my Gmail connections). More recently, in
addition to maintaining perfect forward security, now also replacing the
underlying certificates every three weeks or so -- at least, as based upon the
changing validity dates that are easier/quicker to compare in/via the browser
interface.

I continue to "wonder" where Google comes down in all this...
"security/authoritarianism" fracas. If there is a single "Google position".
Regardless, they appear to be one of the most proactive parties, from a
technical perspective. And politics aside, I continue to think that behind the
scenes, there are a lot of people there behind the scenes who want to "do the
right thing" and who work hard, within their responsibilities and areas of
expertise, to "make it so".

~~~
declan
I agree. The most obvious explanation (which may not be correct, of course)
for these engineering changes is that Google is trying to armor its network
against state-sponsored surveillance.

BTW it's every two weeks:
[http://news.cnet.com/8301-13578_3-57591560-38/facebooks-
outm...](http://news.cnet.com/8301-13578_3-57591560-38/facebooks-outmoded-web-
crypto-opens-door-to-nsa-spying/) Langley added: "We would have totally eaten
the cost and the speed years ago -- if we could have done it without worries."
As an additional precaution, Langley said, Google usually rotates its RSA keys
every two weeks.

------
DanBC
The cypherpunks were right, but we've lost.

This is worse than key-escrow and clipper chips and all the other nonsense we
fought in the past.

~~~
marshray
Yes, we've lost everything encrypted with single DES, PPTP, SSL less than 1024
(?) bit keys, Debian Etch, and so on.

But on the other hand: Snowden was successfully able to evade Boundless
Informant and conduct a confidential conversation with Greenwald and Laura
Poitras (certainly already an active surveillance target for her film of
William Binney).

So the crypto wars are not yet lost.

~~~
declan
And even 1024-bit SSL, unless you believe the NSA can't afford to devote <$1M
per year per key to the effort:

[http://news.cnet.com/8301-13578_3-57591560-38/facebooks-
outm...](http://news.cnet.com/8301-13578_3-57591560-38/facebooks-outmoded-web-
crypto-opens-door-to-nsa-spying/) Eran Tromer, an assistant professor of
computer science at Tel Aviv University who wrote his 2007 dissertation on
custom code-breaking hardware, said it's now "feasible to build dedicated
hardware devices that can break 1024-bit RSA keys at a cost of under $1
million per device." Each dedicated device would be able to break a 1,024-bit
key in one year, he said.

~~~
nathan_long
Then use 2048. Each additional bit doubles the effort required.

~~~
marshray
No, asymmetric crypto keys don't work that way.

~~~
declan
Yup. Brute-forcing a 1,024-bit key is about a thousand times as difficult as a
768-bit key, not 2^256 as hard.

In any case, major Internet companies have either moved to longer SSL keys or
have announced plans to do so.

------
trotsky
I wish cnet didn't write this article like they thought they were CNN or USA
Today. What are we supposed to make of the phrase "master keys"? It doesn't
seem like they are talking about root ca's. Is it really practical to try to
collect and use all of the multitude of last link in the chain endpoint
certificate keys? Those seem to change quite often and can be quite numerous.
Demanding sub-ca or company wide middle chain keys would seem to be more
manageable, but that would suggest that both they're really worried about
people watching for signing chain anomalies since presumably they have at
least a few root ca privates and that they are willing to sit in the middle
rewriting traffic.

Perhaps this is a response to growing use of certificate pinning? Facebook
apparently has joined google in using pins, and I was recently told that
microsoft is enabling pinning as an option in EMET4. But if that was the
issue, that would tend to suggest they had been previously accustomed to
rewriting some of these providers traffic with unlikely root ca's, something
which people have been keeping an eye out for and to my knowledge has never
been caught in the wild.

------
rdl
Didn't we already go through this in the mid/late 1990s?

(I'd personally have a really hard time giving them a polite multi-page legal
letter saying "sorry, we are unable to comply, and we don't have to, due to x,
y, z" \-- either a single "No." or perhaps "Nuts!", or trolling them with
ASCII art or a return letter demanding NSA turn over their keys. Which is why
I'm not a lawyer.)

------
betterunix
What if a company is storing its keys on a smartcard/cryptographic module that
cannot export the key? I guess the FBI just asks for backdoor access to the
company's servers, or maybe just follows the standard "we need to take your
systems and shut down your business" approach?

~~~
penguindev
So there's no disaster recovery for the company if their hardware breaks?
There should be an offline backup thats N-way encrypted (secret sharing).

I've had to think about that case myself.

~~~
betterunix
Do you commonly store all TLS traffic somewhere? I may have misunderstood the
article, but I had thought this was about TLS secret keys, not keys used
internally for secure storage.

------
mentat
There has been some speculation that the NSA is focusing on bad RNGs now. I
wonder what the quality (overall) are of the RNGs in the servers using these
keys. I also am pretty curious how such a widely needed key is protected at
the scale of tens to hundreds of thousands of devices.

------
jonknee
Any ideas why my submission of this same link (and title!) went dead even
though it was posted two hours before this one and had attracted up votes?

[https://news.ycombinator.com/item?id=6096229](https://news.ycombinator.com/item?id=6096229)

------
warmwaffles
I'm willing to bet, the feds already have the master encryption keys and just
want to make the companies give up the keys willingly so it sheds some of the
blame onto them rather than all on government at once.

------
glitchdout
> Facebook enabled encryption by default in 2012.

Kinda off-topic but this statement is false. Facebook HTTPS is not enabled by
default, it's opt-in.

~~~
MichaelGG
I tried in 3 browsers (2 which I haven't gone to Facebook before), and
Facebook didn't load over HTTP. Facebook sent HTTP STS headers, too. I believe
you are incorrect.

~~~
glitchdout
I _used_ to be correct. You are right now, though.

They started rolling out HTTPS for everyone on November, 2012
([http://webcache.googleusercontent.com/search?q=cache:develop...](http://webcache.googleusercontent.com/search?q=cache:developers.facebook.com/blog/post/2012/11/14/platform-
updates--operation-developer-love/))

But since I don't live in the US, it must have taken Facebook a long time to
get to my country. I still remember telling all my friends to opt-in to HTTPS
in 2012.

------
mmuro
Am I the only that's skeptical of any news story that is based off one
anonymous person's statement?

------
peterkelly
Plot twist: This is the _real_ reason Apple's developer site is down

