Slashdot Mirror

← Back to Stories (view on slashdot.org)

CNET: Feds Put Heat On Web Firms For Master Encryption Keys

Posted by timothy on from the our-public-servants dept.

First time accepted submitter fsagx writes "The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users."

4 of 148 comments (clear)

  1. Dupe by rsmith-mac · · Score: 4, Informative

    I know this is an important issue, but didn't we just do this exact same article yesterday?

    http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services

  2. Please Also Note by Anonymous Coward · · Score: 4, Informative

    Every telecommunication company that operates within the United States is required by law to provide law enforcement access to communication streams on demand. It's called CALEA and all telecommunications companies are required by law to follow it.

    CALEA also requires that encrypted communications be decrypted. This includes services like Skype(specifically). CALEA requires that Microsoft provide law enforcement access to the UNENCRYPTED streams of Skype communications, on demand. This is not new and, in light of the House vote yesterday, is not likely to change.

  3. Forward Secrecy by Agent+ME · · Score: 4, Informative

    The good news is that if the web servers use forward secrecy in the SSL encryption ( https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy ), then an attacker who has the private key is not able to decrypt a connection he has passively eavesdropped on. An active man-in-the-middle attack is required in order to listen in on the connection.

  4. Re:Self signed certs by IamTheRealMike · · Score: 3, Informative

    Common misconception - certificate authorities do not have private keys. Your private key never leaves your own computers. That's why the NSA would have to force companies to cough them up (or steal them).

    Also, for normal SSL having the private key lets you passively eavesdrop and decrypt. For souped up SSL with forward secrecy it doesn't, it only lets you MITM the connections, which results in the server and client having a different view of things - that's detectable, whereas a leaked SSL key isn't.

    Forward secret SSL is new, and not that easy to do. At the end of 2011 Google employees did the necessary upgrades to OpenSSL, but most other sites haven't deployed it (yet). Enabling forward secret SSL is the best and easiest step forward to beat the NSA/GCHQ right now, because if they HAVE obtained your private key, it forces them to start actively intercepting connections which is expensive and detectable.