Over the weekend, German news outlet Spiegel published a story about the NSA’s ability to crack encrypted forms of communication, exposing the agency’s routine interception of SSL/TLS, the protocols web servers use to transmit sensitive information. The report also revealed that the agency has the ability to decrypt virtual private network (VPN) connections.
But perhaps more significantly, the revelations culled from the trove of documents leaked by Edward Snowden show the forms of encryption the NSA struggled to break (at least at the time of the documents in 2012). That list includes PGP, Tor, CSpace, OTR and ZRTP.
The combination of good news and bad news garnered contradictory coverage, with The Verge highlighting the networks the NSA can’t break, and Slashdot leading with “Snowden Documents Show How Well NSA Codebreakers Can Pry.”
Overall, the report was reassuring. Many of the added encryption measures that people concerned about security have taken in the 18 months since the Snowden documents became public are effective. For example, the documents show that communications protected by ZRTP (the type of encryption RedPhone uses) block the NSA.
“It’s satisfying to know that the NSA considers encrypted communication from our apps to be truly opaque,” RedPhone developer Moxie Marlinspike told Spiegel.
Although the scope of the interceptions on SSL and VPN connections is concerning, many had already assumed the agency possessed this capability. The trove released by Spiegel shows the specific tools the agency used to go about this.
The Spiegel report has prompted backlash in the information security community, with some saying it sensationalizes the NSA’s ability to access information on VPN connections. According to Spiegel, the NSA operates “a large-scale VPN exploitation project to crack large numbers of connections, allowing it to intercept data inside the VPN — including, for example, the Greek government’s use of VPNs.”
This is a very concerning revelation, considering the high number of companies and governments that utilize VPNs to allow users to access their networks anywhere in the world. But No Hats, a security specialist’s blog, says if you properly configure your VPN, you’re not affected. According to the blog’s comprehensive breakdown of the NSA slides that Spiegel based its reporting on, properly configured IPsec-based VPNs are okay.
Another alarming statistic from the article is the number of HTTPS connections, the type of secure connections used by sites like Facebook, that the agency intercepts. One document showed that by late 2012, the NSA was cracking 10 million such connections a day.
Much of the Spiegel article discusses a conflict of interest that the NSA faces: It is charged with recommending security standards, yet it is constantly attempting to break the very security standards it recommends.
At first glance these claims seem to point to the very hypocrisy we are reminded of time and again as more is exposed about the American surveillance state. Privacy advocates widely agree that communications vulnerable to law enforcement agencies are also at risk for all kinds of cyber threats, from criminals attempting to steal identities to hacks of foreign governments. It seems counterintuitive that the NSA would be responsible for creating standards it only wants to break, especially when American law enforcement agencies have a history of wanting communications to be less secure to make accessing information easier.
But in a blog post criticizing the Spiegel report as “activist nonsense,” cybersecurity expert Robert Graham says the NSA trying to break the standards it sets is a good thing.
“You secure things by trying to break them,” he writes.
The Spiegel story leaked a large number of documents containing very specific information about the NSA’s techniques. A year and a half after The Guardian and Washington Post first published the documents, the report reignited calls on social media for the full release of the Snowden documents. If anything, the report served as a reminder that we likely have years of new exposures to come about American surveillance practices.