Online Security Pioneer Predicts Grim Future

One of the creators of Secure Socket Layer (SSL) encryption believes that the future of Internet security will see everyday users getting the short end of the stick.

The United States' National Security Agency (NSA) has likely compromised SSL, one of the foremost methods of Internet encryption. In theory, this gives the organization access to everything from email records to online shopping history for almost all Americans, regardless of whether they are under any kind of governmental suspicion.

SSL is a common method of encrypting sensitive data online. Suppose you buy an item online. You enter your credit card information to pay, and the store receives your credit card information in order to charge you. Protocols like SSL ensure that while the data is en route from you to the vendor, all of your information is encrypted and inaccessible to malicious third parties.

Although cracking SSL encryption is a relatively new advancement, Paul Kocher, president of Cryptography Research, Inc., and one of the minds behind SSL, says that collecting information is nothing new. He believes the NSA has been working for some time to collect as much data as possible from people who would ordinarily be above suspicion.

MORE: SSL vs. TLS: The Future of Data Encryption

"The NSA has for years been capturing and storing almost everything imaginable," he told Tom's Guide, "including massive amounts of data exchanged among Americans who are not suspected of any crime."

Although SSL is one of the most common methods of encryption on the Internet, it is by no means the only one. Systems that employ longer encryption keys than SSL's, for example, will prove tougher for the NSA to crack. Even so, better encryption will only hold out for so long, Kocher argued.

"Cryptographic improvements … may rein in some of the most indiscriminate collection of data, but the horrible state of endpoint security will prevent this from making much of a difference for end users on the Web," Kocher said.

SSL, he explained, requires security certificates at both ends of the equation. Both user- and server-side systems need to verify that information is secure. However, through NSA programs like PRISM, the government can access information from organizations like Google and Microsoft anyway. Data that is encrypted en route does little good when it arrives at its endpoint and goes into the NSA's hands.

Kocher also pointed out that cybersecurity in the United States does not exist in a vacuum. The NSA is hardly the only government organization that wants your data, or has the means to acquire it.

"The spying problem doesn't end with the NSA," he said. "Every intelligence agency worldwide wants the same material, and now they're all going to be benchmarked against NSA's known powers. There will be a huge pressure to catch up to NSA, and where this leads is not pretty."

Follow Marshall Honorof @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

This thread is closed for comments
    Your comment
  • well, looks like it's time to quit the ol' interwebs.
  • It would help if anyone involved from the lowliest grunts to the highest levels. At any of the companies, working for the government or politicians and judges got consecutive life sentences for every count of espionage on their own people. We all know that will never happen.

    The only people to face any consequences will be the hero Snowden and maybe a scapegoat working for the NSA.
  • In other breaking news, water is wet.