CNET: Feds Put Heat On Web Firms For Master Encryption Keys

First time accepted submitter fsagx writes "The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users."

Declined to Respond

[nanospook]

From TFA.. "Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies." Now you know who is coughing up to the NSA..

Re:Declined to Respond

[mmcxii]

Don't think that they're the only ones. Given the current climate I think it is reasonable to assume that you're being monitored regardless of your method of communication.

Unencrypt this

Fuck the NSA.

An interesting quote FTA

[Bearhouse]

"The government's view is that anything we can think of, we can compel you to do."

Seems pretty spot-on. Unless people challenge these illegal activities, they'll just keep on and on.
After all, they have pretty-much unlimited resources compared to most private entities, and no real pressure to justify their usage.
Your tax dollars at work.

Most likely to hide PRISM

If they can get the keys, then they don't need to use PRISM, they can grab the data upstream.

It lets them hide the PRISM surveillance, Google/Yahoo/Facebook/DropBox etc. no longer gets to see the volume of requests, it is hidden. US companies can claim, with some degree of truthiness, that they no longer deliver data to PRISM requests, as if the program has been ended, because they no longer see the requests or get to challenge them. In fact surveillance had been expanded to all https traffic.

They gain 'plausible deniability', and NSA gains 100% surveillance of their https traffic and the ability to man-in-the-middle at will, by simply using their connection upstream. NSA also removes the problem of companies challenging the intercepts.

The fix is to avoid US based services, either their servers are compromised by the NSA, or their keys.

More difficult is if NSA has signing rights from the US certificate authorities. Most of these are built into your browser. I tried deleting them from Firefox but it was not possible. With those compromised NSA can sign *foreign* traffic and man-in-the-middle intercept it even though both ends of the conversation are outside NSA control.

The fix there is to avoid traffic being routed across NSA controlled territories (USA/Canada/UK/NZ/AUS). So if it crosses the UK they record everything and the private keys will let them record all https traffic too. A lot of backbone crosses the US, and a lot of European traffic crosses the UK, so France to Germany might cross the UK, and Germany to Japan might cross the US.

Re:Self signed certs

[1s44c]

The whole SSL CA setup was broken from the start. The trusted people at the top never were even remotely trustworthy.

Self signed certs are a pain, what we need is something peer2peer based.

Master key == FAIL

[mbone]

If you are relying on a service with a master key for security, you have no security. This is true regardless of whether the government has access to those keys.

Two parties my ass.

[ulatekh]

Our two party system only works were the two parties are not the same.

I've said it before, and I'll say it again...the left-leaning half of the Ruling Party is no more, or less, virtuous than the right-leaning half of the Ruling Party.
The only real difference between them is how they want to kill us. The left want to smother us in a stifling nanny-state bureaucracy that'll collapse under its own weight, and the right want to abandon us to fend for ourselves. The latter is more sustainable, but either way we die a miserable death.