I tip my (red) hat to you, Netcraft. This is an absolutely excellent article that I recommend everybody read. Great stuff.
Millions of websites and billions of people rely on SSL to protect the transmission of sensitive information such as passwords, credit card details, and personal information with the expectation that encryption guarantees privacy. However, recently leaked documents appear to reveal that the NSA, the United States National Security Agency, logs very high volumes of internet traffic and retains captured encrypted communication for later cryptanalysis.
The reason that governments might consider going to great lengths to log and store high volumes of encrypted traffic is that if the SSL private key to the encrypted traffic later becomes available — perhaps through court order, social engineering, successful attack against the website, or through cryptanalysis — all of the affected site’s historical traffic may then be decrypted at once.
There is a defence against this, known as perfect forward secrecy (PFS). When PFS is used, the compromise of an SSL site’s private key does not necessarily reveal the secrets of past private communication; connections to SSL sites which use PFS have a per-session key which is not revealed if the long-term private key is compromised. The security of PFS depends on both parties discarding the shared secret after the transaction is complete (or after a reasonable period to allow for session resumption).
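The difference described in the excerpt above can be shown with a toy model. This is an added example, not code from the Netcraft article or from this post; the tiny parameters, the XOR "cipher" and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (constructed, far too small for real use).
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1          # server's long-term RSA primes
N, E = RSA_P * RSA_Q, 65537
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))    # long-term private exponent
DH_P, DH_G = 2**127 - 1, 3                   # Diffie-Hellman group


def xor_stream(key: int, data: bytes) -> bytes:
    """Stand-in for the record cipher: XOR with SHA-256(key). Max 32 bytes."""
    pad = hashlib.sha256(str(key).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def rsa_session(msg: bytes) -> dict:
    """Static RSA key transport: the session key travels encrypted under N."""
    premaster = secrets.randbelow(N - 2) + 2
    return {"enc_premaster": pow(premaster, E, N),
            "ciphertext": xor_stream(premaster, msg)}


def dhe_session(msg: bytes) -> dict:
    """Ephemeral DH: the long-term key only signs the server's share."""
    a = secrets.randbelow(DH_P - 3) + 2       # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2       # server ephemeral secret
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big") % N
    wire = {"A": A, "B": B, "sig": pow(digest, D, N),
            "ciphertext": xor_stream(pow(B, a, DH_P), msg)}
    return wire                               # a, b and the shared secret are discarded


def decrypt_recording(wire: dict, d: int, known_prefix: bytes = b"GET "):
    """Model of a later key disclosure: RSA-decrypt every integer in the
    recorded session with d and try each result as the session key."""
    for name, value in wire.items():
        if name == "ciphertext":
            continue
        guess = xor_stream(pow(value, d, N), wire["ciphertext"])
        if guess.startswith(known_prefix):
            return guess
    return None
```

With the RSA key transport session the recorded traffic opens as soon as `D` is known; with the ephemeral exchange the long-term key only authenticated the handshake, so the recording stays closed.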
Source: N.S.A. Able to Foil Basic Safeguards of Privacy on Web, New York Times
Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones.
Especially interesting are these couple of snippets on SSL/TLS:
Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.
“And they went and did it anyway, without telling anyone,” Mr. Kocher said. He said he understood the agency’s mission but was concerned about the danger of allowing it unbridled access to private information.
By that year (2010), a Bullrun briefing document claims that the agency had developed “groundbreaking capabilities” against encrypted Web chats and phone calls. Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.
All in all, what you thought was secure is not, and to add insult to injury, we don’t know what the flaw is, yet.
Do you guys feel you are being spied on? Well, you'd better, because you actually are, regardless of whether you use SSL/TLS-based protocols or have even established a VPN connection. The guys you trusted with your vote do not trust you.
There is no smoke without fire, so somehow we knew it was coming, didn’t we? Do you remember the backdoor that the FBI planted on BSD? Anyone?
<SIGH> I wonder what the global reaction to this will be, at least the technical side of it.