
Online Security Pioneer Predicts Grim Future

Source: Tom's Guide US

One of the creators of Secure Sockets Layer (SSL) encryption believes that the future of Internet security will see everyday users getting the short end of the stick.

The United States' National Security Agency (NSA) has likely compromised SSL, one of the foremost methods of Internet encryption. In theory, this gives the organization access to everything from email records to online shopping history for almost all Americans, regardless of whether they are under any kind of governmental suspicion.

SSL is a common method of encrypting sensitive data online. Suppose you buy an item online. You enter your credit card information to pay, and the store receives your credit card information in order to charge you. Protocols like SSL ensure that while the data is en route from you to the vendor, all of your information is encrypted and inaccessible to malicious third parties.

Although cracking SSL encryption is a relatively new advancement, Paul Kocher, president of Cryptography Research, Inc., and one of the minds behind SSL, says that collecting information is nothing new. He believes the NSA has been working for some time to collect as much data as possible from people who would ordinarily be above suspicion.


"The NSA has for years been capturing and storing almost everything imaginable," he told Tom's Guide, "including massive amounts of data exchanged among Americans who are not suspected of any crime."

Although SSL is one of the most common methods of encryption on the Internet, it is by no means the only one. Systems that employ longer encryption keys than SSL's, for example, will prove tougher for the NSA to crack. Even so, better encryption will only hold out for so long, Kocher argued.

"Cryptographic improvements … may rein in some of the most indiscriminate collection of data, but the horrible state of endpoint security will prevent this from making much of a difference for end users on the Web," Kocher said.

SSL, he explained, requires security certificates at both ends of the equation. Both user- and server-side systems need to verify that information is secure. However, through NSA programs like PRISM, the government can access information from organizations like Google and Microsoft anyway. Data that is encrypted en route does little good when it arrives at its endpoint and goes into the NSA's hands.

Kocher also pointed out that cybersecurity in the United States does not exist in a vacuum. The NSA is hardly the only government organization that wants your data, or has the means to acquire it.

"The spying problem doesn't end with the NSA," he said. "Every intelligence agency worldwide wants the same material, and now they're all going to be benchmarked against NSA's known powers. There will be a huge pressure to catch up to NSA, and where this leads is not pretty."

Follow Marshall Honorof @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

  • 2
    SuckRaven , September 9, 2013 1:22 PM
    well, looks like it's time to quit the ol' interwebs.
  • 2
    velocityg4 , September 9, 2013 1:42 PM
    It would help if anyone involved, from the lowliest grunts to the highest levels, at any of the companies, working for the government, or politicians and judges, got consecutive life sentences for every count of espionage on their own people. We all know that will never happen.

    The only people to face any consequences will be the hero Snowden and maybe a scapegoat working for the NSA.
  • 1
    WyomingKnott , September 9, 2013 1:48 PM
    In other breaking news, water is wet.
  • 0
    koga73 , September 9, 2013 2:59 PM
    We need to get away from these systems completely because both SSL and TLS require a handshake to exchange keys. If the NSA or any middleman is watching all the traffic then they are able to capture the handshake. We really need security that utilizes public/private keys so a handshake is not needed... but surely by this time the NSA has cracked PGP as well. We need a new open source public/private key system that can be updated rapidly. Though if one were to be created I'm sure the NSA would make them stop and issue a gag order... corruption at its best.
  • 0
    cats_Paw , September 10, 2013 5:24 AM
    And then they wonder why so many people are angry at the American government ...
  • 0
    agnickolov , September 10, 2013 6:01 PM
    @koga73: The fact there is a handshake does not mean anybody observing it can decrypt the traffic. The nature of asymmetric cryptography means that you only observe one of the keys of the pair -- the public key. Anything encrypted with that key can only be decrypted by somebody that has the matching private key. The TLS handshake is more complicated than that of course, since the server also needs to encrypt to the client and using its private key as is would mean anybody can decrypt it. Suffice it to say the handshake guarantees encryption both ways. Of course it all falls apart if the server's private key is compromised.
  • 0
    lalapark01 , September 11, 2013 1:35 AM
    After reading the article about XKeyscore on http://vpnexpress.net, I do believe that they can get whatever they want if they really want it. But the harder we make it, the less interested they will be as long as we really have nothing to hide.
  • 0
    CommentariesAnd More , September 11, 2013 10:52 AM
    Here in India, we have a 100% secure solution for online shopping. It works this way -
    1. Company receives order and delivers it.
    2. Customer can pay Cash to Delivery Boy and take the Parcel.
    It's called CoD (Cash on Delivery) :p And no matter what, it's the safest and easiest way to pay, which doesn't require a shit ton of firewalls or even SSLs. :p
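
Added example, not part of the article or of any comment above: a toy model of the exchange between koga73 and agnickolov, showing that a recorded handshake is not decryptable with the public key alone, but is decryptable once the server's private key leaks. The textbook-sized RSA numbers, the SHA-256 keystream standing in for a real cipher, and all function names are assumptions made for illustration; a real TLS handshake is more involved, and a modulus this small offers no security.

```python
import hashlib

# Constructed toy RSA key pair for the "server" (textbook-sized, NOT secure).
P, Q = 61, 53
N, E = P * Q, 17                        # public key: sent in the clear
D = pow(E, -1, (P - 1) * (Q - 1))       # private key: never leaves the server

def keystream_xor(secret: int, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 keystream derived from secret."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{secret}:{counter}".encode()).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def client_send(secret: int, message: bytes) -> dict:
    """Everything returned here crosses the wire and can be recorded."""
    return {
        "server_public_key": (N, E),
        "wrapped_secret": pow(secret, E, N),    # secret encrypted to the public key
        "ciphertext": keystream_xor(secret, message),
    }

def decrypt_capture(capture: dict, exponent: int) -> bytes:
    """Unwrap the session secret with the given exponent, then decrypt the data."""
    n, _ = capture["server_public_key"]
    secret = pow(capture["wrapped_secret"], exponent, n)
    return keystream_xor(secret, capture["ciphertext"])

if __name__ == "__main__":
    msg = b"card=4111-1111 (constructed sample)"
    cap = client_send(1234, msg)
    # The server holds D and recovers the message.
    print("server, private key :", decrypt_capture(cap, D))
    # An observer holding only the public exponent gets unrelated bytes.
    print("observer, public key:", decrypt_capture(cap, E))
    # If D leaks later, the same stored capture decrypts.
    print("observer, leaked key:", decrypt_capture(cap, D))
```

The last case is why stored captures matter for defenders: with this kind of key transport, protecting the server's long-term private key protects every session ever recorded against it.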