The britons got our USA SSL man in the middle attack software

The NSA, now little Britain?

http://www.channel4.com/news/black-boxes-to-monitor-all-internet-and-phone-data

When an individual uses a webmail service such as Gmail, for example, the entire webpage is encrypted before it is sent. This makes it impossible for ISPs to distinguish the content of the message. Under the Home Office proposals, once the Gmail is sent, the ISPs would have to route the data via a government-approved "black box" which will decrypt the message, separate the content from the "header data", and pass the latter back to the ISP for storage.

This is probably the best argument against Open Source and standardized protocols ever.

You now have a better chance with proprietary specs and security through obfuscation than with "super hard" established protocols.

I almost see a market for an "encryption of the week" subscription service, that gives you new 2 way encryption every week via a browser extension to replace SSL. Of course you would have to create a corresponding Apache module for it and get people to install it.

So the government have top-secret technology (that for some reason they share with AT&T) that allows them in a single device to factor large numbers into primes, that according to the best known publically available crypt-analysis technique would require one

million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million million 

supercomputers 42-days to crack?

Wait, so all I need is a network router with a port mirroring facility and suddenly I can magically decrypt encrypted communications? And not just one encrypted stream, but every single one on the Internet at once!

I think our AT&T engineer friend here may not have quite the understanding of the technology that he thinks he does.

@evildictaitor: wont they just pass a law that all your SSL certificates are belong to us?

@Maddus Mattus:

If they do that then,

a) All Root CAs will laugh wholeheartedly and say "no". A breach of a root-CA's private cert would compromise the entire SSL-infrastructure and companies that do that get smacked-down by browser vendors (including Microsoft). Diginotar went bust for less than this.

It's also easy to detect for customers, because your SSL trust chains end in HackedCA rather than Verisign.

b) Any government that wants all SSL certs from all websites? Good luck with that.

c) Just email? Google would say no. Just like they say no to governments all the time.(http://googlepublicpolicy.blogspot.co.uk/2012/06/more-transparency-into-government.html).

d) They have to actually break RSA.

So we're down to either the government asks somebody to compromise their entire entire business (i.e. Gmail/RootCA) in a way that is detectable and which would cripple that company's business (so they'll just say no), or the government has to break RSA.

If you put your conspiracy-glasses away for a second you'll realise that in real-life the government can't break SSL since by definition SSL already includes the best known and most independently security audited cipher algorithms currently in existence.

There are unbreakable methods of exchanging messages. It requires at least on meeting in person though to exchange physical media ahead of time. Obviously not a solution for most purposes such as e-commerce.

Do you all think it would be beyond an organization with trillions of dollars in budgets to covertly overtake CAs at an early stage, and even to fund people like Mark Shuttleworth?

BTW: http://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html

EDITED TO ADD (3/22): Another option is that the NSA has built dedicated hardware capable of factoring 1024-bit numbers. There's quite a lot of RSA-1024 out there, so that would be a fruitful project. So, maybe.

2 hours ago, 01001001 wrote

Do you all think it would be beyond an organization with trillions of dollars in budgets to covertly overtake CAs at an early stage, and even to fund people like Mark Shuttleworth?

My gosh, an organisation with a budget that huge would be able to fake the moon landings!

@evildictaitor:

You knew it was coming...

Government can break RSA. Not imparsible.

@JohnAskew:

I heard they also found the biggest prime.

16 hours ago, 01001001 wrote

 

The NSA, now little Britain?

http://www.channel4.com/news/black-boxes-to-monitor-all-internet-and-phone-data

"When an individual uses a webmail service such as Gmail, for example, the entire webpage is encrypted before it is sent. This makes it impossible for ISPs to distinguish the content of the message. Under the Home Office proposals, once the Gmail is sent, the ISPs would have to route the data via a government-approved "black box" which will decrypt the message, separate the content from the "header data", and pass the latter back to the ISP for storage."

This is probably the best argument against Open Source and standardized protocols ever.

You now have a better chance with proprietary specs and security through obfuscation than with "super hard" established protocols.

I almost see a market for an "encryption of the week" subscription service, that gives you new 2 way encryption every week via a browser extension to replace SSL. Of course you would have to create a corresponding Apache module for it and get people to install it.

Firstly: this is the same Orwellian legislation we discussed the merits of here.

Secondly: I think the reporter that wrote that story hasn't got a clue.

As far as I understand it your ISP would only have to log that you visited https://mail.google.com. Google would then be responsible for logging who you communicate with. No decrypting of SSL necessary (and, as much as I loath these plans, I really doubt the government has the ability to strip the SSL from everyone's communications in real time).

Emails themselves aren't encrypted even if you connect to GMail via SSL - it's only your web sessions that's encrypted and the email is never sent from your PC (if using webmail) and hence would never pass through your ISPs black box. (If you're not using webmail, then it could pass through their monitoring system - I suspect they won't be logging anything other than what server you connected to on what ports when - your email provider (rarely the same as ISP these days) would be logging the actual details of the communication.

Besides, why go to all the effort of cracking the encryption on something that will shortly go flying unencrypted around the web - all you need to is install your monitoring device on the web side of the email providers servers.

And quite frankly any actual terrorists will render this effort useless by doing something that looks like the following:

1. Use TOR to connect to anonymous email account that has nothing to link it back to them
2. Use SSL to protect their email login information while using TOR
3. Write emails using innocuous sounding code words like "turn the computer off" = bomb and "server room" = railway station
4. Encrypt emails using PGP or some other public key/private key encryption process so that even if the authorities get them they can't read them (at least not without difficulty)

@GoddersUK:

Secondly: I think the reporter that wrote that story hasn't got a clue.

Except, here it is again, and on video:

http://www.rt.com/news/uk-privacy-internet-freedom-186/

'Black boxes' will be installed by internet services providers to filter & decode encrypted materials – including social media and email messages, something which critics say will have an impact on personal privacy.

@GoddersUK:

And quite frankly any actual terrorists

I never said anything about that. Every reference I've seen about this technology both in the USA and in the UK refer to man in the middle attacks on SSL browser sessions.

12 hours ago, Maddus Mattus wrote

@evildictaitor: wont they just pass a law that all your SSL certificates are belong to us?

They basically already have - https://en.wikipedia.org/wiki/RIPA.

@1001001: OK, my bad they may be planning on intercepting encrypted communications. I did a bit more research - although their source is still only that c4 news article.

They're still not cracking anyone's SSL though - it's just an MITM. And of course an MITM kind of stops working once you know about it, because you'll stop trusting the inauthentic certs.

I also think that channel 4 article is *still* wrong. because they won't be decrypting you connection to GMail to log your email info as I'm 90% sure that logging will be GMail's responsibility.

Also, should the government put in place legal requirements for isps to MITM everyone's communications you can rest assured that UK internet users won't stand idly by and watch - trying to decrypt everyone's communications would make SOPA and PIPA look positively beneficial for the internet.

My comment about terrorists was a general comment about the ridiculousness of these laws (the justification given for them is always that they will somehow stop terrorists and paedophiles).

EDIT: http://wiki.openrightsgroup.org/wiki/TLS_interception