Slashdot Mirror


Anonymous Source Claims Feds Demand Private SSL Keys From Web Services

Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications." If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.

7 of 276 comments

  1. "Main-in-the-middle"? by Lieutenant_Dan · · Score: 5, Funny

    Well, at least it's not "man-in-the-middle" because that would be bad.

    --
    Wearing pants should always be optional.
    1. Re:"Main-in-the-middle"? by lgw · · Score: 5, Interesting

      The larger issue IMO is

      governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications.

      We haven't had a constitutional amendment in the US for some time now. We need one here. Forget specific technologies and the bizarre precedents that have twisted the 4th to allow this - we need a major reset.

      Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

      I can accept a lower bar for "collecting and storing information" than for "searching" but there must be some bar to clear.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Re:Time To Learn Klingon by Sparticus789 · · Score: 5, Funny

    We're talking about the NSA. Half of them probably play Klingon Boggle at lunch.

    --
    sudo make me a sandwich
  3. Re:Self signed? by Todd Knarr · · Score: 5, Informative

    No. The Feds are requesting the private keys from the server operators themselves, not from the CA. A self-signed certificate's no guarantee the site operator hasn't coughed up the private half to the surveillance people. I'm not any more worried about this, though, since as demonstrated with XMission the government doesn't need to eavesdrop on communications when they can get access directly at the server end of things. As long as the Feds can threaten the site operator with unspecified nasty things if they don't cooperate or if they even say a word about what's going on, I have to assume any site I don't control myself is potentially compromised and any data sent to it's potentially visible to the various agencies involved or to the private contractors those agencies are using to do the grunt work. In many cases that doesn't matter much since the nature of the site's such that I won't put anything sensitive or compromising on it in the first place.

  4. US Military shares your opinion. by ron_ivi · · Score: 5, Interesting

    The US DoD shares your opinion. https://www.my.af.mil/afp/netstorage/login_page_files/afportal_faqs.html Looks like a self-signed cert not issued by any commercial vendor in the default browser lists.

  5. Re:How is this "confirmation"? by Alok · · Score: 5, Insightful

    Do you really expect people to say this publicly, when the most likely consequence is imprisonment and a media circus that paints them as evil villains?

  6. Will this do it? by Taantric · · Score: 5, Interesting

    If this does not kill off the cloud or at least seriously damage the business model, I think it would be safe to say human apathy has reached critical mass and we deserve everything that is coming in the next 20-30 years.