NSA and GCHQ have broken internet encryption, created backdoors that anyone could use

NSA and GCHQ have broken internet encryption, created backdoors that anyone could use

This is the big one: New documents released by Edward Snowden show that the NSA and its British equivalent, GCHQ (pictured above), have cracked VPNs, SSL, and TLS — the encryption technologies that keep your data secure on the internet. The NSA program, dubbed Bullrun, took 10 years to crack the web’s encryption technologies, before finally reaching a breakthrough in 2010 that made “vast amounts” of previously unreadable data accessible. Perhaps more worryingly, the NSA has an ongoing program to place backdoors in commercial products (websites, routers, encryption programs, etc.) to enable easy snooping on encrypted communications. The documents, which contain some choice phrases such as, “work has predominantly been focused this quarter on Google due to new access opportunities being developed,” almost completely undermines the very basis of the internet, obliterating the concept of trust online.

The documents outline a three-pronged plan to ensure the NSA can access the bulk of the internet’s encrypted traffic: Influencing the development of new encryption standards to introduce weaknesses, using supercomputers to break encryption, and collaborating with ISPs and tech companies to gain backdoor access. Unfortunately, the documents don’t outline exactly how the NSA and GCHQ broke the security of VPNs, SSL, and TLS, only that they have successfully done it. There are numerous possibilities, with the two simplest being that the intelligence agencies have either obtained the root certificates used to sign private keys, or they’ve found a flaw in the standards that can be easily exploited — perhaps using a flaw that they themselves introduced into the standard.

A slide detailing the successes of the NSA and GCHQ programs to break internet encryption

The final point, that the NSA has been lobbying ISPs and tech companies to include backdoors in their products, is the most chilling. These backdoors might consist of hardware-level access (say, in your home router or a big router at your ISP) that allows the NSA to log in and spy on any data that passes through. These backdoors might be the NSA working with major tech companies, such as Microsoft or Facebook, to deliberately introduce flaws into the encryption tech so that the NSA can easily crack it. (A previous leak pegged Microsoft as helping the NSA circumvent encryption used by Outlook.com and IM services.) The main thing, though, is that these commercial entities are working with, not against, the NSA to introduce these backdoors.

At first blush, in the words of the NSA itself, these decryption programs are the “price of admission for the US to maintain unrestricted access to and use of cyberspace.” The problem is, by deliberately introducing security flaws, the NSA and GCHQ have obliterated the concept of trust online. The whole point of VPNs and TLS is that they are impossible to crack — at least within a reasonable time frame. We now know that our secure communications can be easily snooped on by the government — but more importantly, due to this plethora of backdoors, we can’t be sure that only the government is listening in. That’s the problem with a backdoor: It’s great while you’re the only one who knows about it, but it’s game-breakingly awful if someone else — an enemy government, for example — stumbles across it. (See: XKeyscore: The NSA program that collects ‘nearly everything’ that you do on the internet.)

This diagram shows how GCHQ proposed to identify, intercept, and decrypt encrypted traffic in near-real time.

For years the security industry has speculated that the internet was riddled with NSA backdoors, and now it seems we have confirmation. It would be foolish to assume that these backdoors haven’t been exploited by other, “non-authorized” entities. If you require private and secure communications, now would be the time consider your alternatives. (Have you ever thought about physically exchanging thumb drives?) Ideally, if the cryptographic systems behind VPN, SSL, and TLS have been broken (3DES, AES, etc.) then work needs to begin on new industry-standard ciphers. This would likely take years.

For a lot more information on the NSA and GCHQ’s sigint (signals intelligence) operations,hit up the Guardian. I can’t say that I’m really surprised, but it’s still a bit depressing to see the terrifying extent of their sigint operations laid bare — and moreover, I guarantee that, due to the higher levels of classification that Snowden couldn’t access, this is still just the tip of the iceberg.