Online Security Pioneer Predicts Grim Future
The United States' National Security Agency (NSA) has likely compromised SSL, one of the foremost methods of Internet encryption. In theory, this gives the organization access to everything from email records to online shopping history for almost all Americans, regardless of whether they are under any kind of governmental suspicion.
SSL is a common method of encrypting sensitive data online. Suppose you buy an item online. You enter your credit card information to pay, and the store receives your credit card information in order to charge you. Protocols like SSL ensure that while the data is en route from you to the vendor, all of your information is encrypted and inaccessible to malicious third parties.
Although cracking SSL encryption is a relatively new advancement, Paul Kocher, president of Cryptography Research, Inc., and one of the minds behind SSL, says that collecting information is nothing new. He believes the NSA has been working for some time to collect as much data as possible from people who would ordinarily be above suspicion.
"The NSA has for years been capturing and storing almost everything imaginable," he told Tom's Guide, "including massive amounts of data exchanged among Americans who are not suspected of any crime."
Although SSL is one of the most common methods of encryption on the Internet, it is by no means the only one. Systems that employ longer encryption keys than SSL's, for example, will prove tougher for the NSA to crack. Even so, better encryption will only hold out for so long, Kocher argued.
"Cryptographic improvements … may rein in some of the most indiscriminate collection of data, but the horrible state of endpoint security will prevent this from making much of a difference for end users on the Web," Kocher said.
SSL, he explained, requires security certificates at both ends of the equation. Both user- and server-side systems need to verify that information is secure. However, through NSA programs like PRISM, the government can access information from organizations like Google and Microsoft anyway. Data that is encrypted en route does little good when it arrives at its endpoint and goes into the NSA's hands.
Kocher also pointed out that cybersecurity in the United States does not exist in a vacuum. The NSA is hardly the only government organization that wants your data, or has the means to acquire it.
"The spying problem doesn't end with the NSA," he said. "Every intelligence agency worldwide wants the same material, and now they're all going to be benchmarked against NSA's known powers. There will be a huge pressure to catch up to NSA, and where this leads is not pretty."