The NSA Can Get Around Most Web Encryption Because Of Course It Can

You might remember back in the ’90s, the NSA wanted everything to have a “Clipper chip”, a little piece of silicon that would give them a backdoor into literally any device with the chip installed. This died an immediate and deserved death, as it was an enormous violation of privacy and also the encryption was crappy anyway. So, the NSA, faced with the public’s explicit refusal to allow it to just poke around wherever it wanted in your encrypted communications… went ahead and did it anyway.

The root of the problem is Secure Sockets Layer, or SSL, and virtual private networks, or VPNs. If these sound familiar, they’re some of the most common privacy tools used commercially: SSL, for example, is commonly used in e-commerce applications. No points for guessing what the NSA can read, even if they do have to take it network by network. And it gets worse:

The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

One thing that should be emphasized is that the United States is not unique here. The British have admitted to a similar program called Edgehill, and it’s extremely unlikely other world governments haven’t been engaging in similar crypto-wars. Still, there are two huge problems here, beyond the privacy violations.

The first is that if these tools get out among the general public (and, to be frank, that’s more a matter of “when” than “if”), it’s going to cause a lot of problems. A subset of that is that they’ve announced to criminals that, hey, cracking this stuff is possible, so just keep trying, champ!

Secondly, it illustrates a basic problem with corporate cryptography in general: vendors refuse to make their products completely secure or to perform basic security tasks, like letting the larger crypto community get a crack at their systems and find vulnerabilities. This is part of the reason we live in a world where lightbulbs can be hacked by websites and your router is basically a loose mesh screen any idiot can hack.

In other words, if you want privacy on the Internet, start using tested cryptographic solutions. Either that or just accept the NSA is going to know your Internet habits and that your copy of Fifty Shades of Grey was not, in fact, a gift.
