Sunday, September 8, 2013

The NSA Has Not Broken Internet Encryption

In the last few days since the most recent leak by Edward Snowden, I've received countless emails from people I've convinced to use encryption forwarding me story after story about how the US National Security Agency has 'broken Internet encryption".  These articles are usually followed by comments like "See, I told you they had access to everything!" or "Why bother using encryption at all now?"

Here's why: because the NSA hasn't actually broken Internet encryption!

What the Snowden documents reveal is a pattern of coercion  by the NSA to force companies into deliberately making their encryption products weak, turning over their encryption keys, or providing backdoors into encrypted systems. None of this constitutes 'breaking' encryption anymore than if I come across an open door in your house and I walk in I'm 'breaking and entering'. It's silly sensationalism put out by a media that can barely understand what encryption actually is much less what it takes to break it.

Are all encryption technologies still safe? No. I would seriously question encryption software and hardware that doesn't disclose its source code for public review. I know companies like to yell 'trade secrets' but that's bull. Encryption isn't a trade secret and by claiming it is they are showing that 1) they don't fully understand encryption and why it's not a bad thing to publish your source code or 2) they are afraid of public review; maybe because something is there to find.

So, as these leaks continue to give us a better view of how the NSA operates in attacking the Internet, one thing becomes clear: we have passed the time when we can blindly trust technology companies and the software they create to protect us. We need more than words and promises from these companies because words are cheap. We need source code, we need peer review, we need complete transparency.

Now, I know a lot of you will say 'being open source doesn't guarantee that there aren't subtle things in the code meant to weaken it' and that's very true. But being open source means that we have a better chance to discover those holes and weaknesses than we do if we don't have the source code.  It's trivial to hide something nasty in a product that doesn't disclose its source code; it's not so easy to do so when thousands of eyes will be pouring over the code specifically looking for those 'something nasty's'.

So, no, "Internet encryption' has not been broken - not all of it at least. But it's time that we become much more choosy about the products and companies in who's hands we place our security.  We have to outright reject the notion of 'trusted companies' and only accept verifiable proof that a company's products are secure. That's the only way we'll have a fighting chance against adversaries like the NSA.

Now, go tell the New York Times to shut the hell up about things they know nothing about.

Liked this post?  Send me some Bitcoin!

No comments: