Slashdot Mirror

← Back to Stories (view on slashdot.org)

CNET: Feds Put Heat On Web Firms For Master Encryption Keys

Posted by timothy on from the our-public-servants dept.

First time accepted submitter fsagx writes "The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users."

16 of 148 comments (clear)

  1. Dupe by rsmith-mac · · Score: 4, Informative

    I know this is an important issue, but didn't we just do this exact same article yesterday?

    http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services

    1. Re:Dupe by TWiTfan · · Score: 3, Funny

      Maybe we're in a loop like in that movie "Groundhog Day," where every day we wake up and learn the NSA are dicks all over again!

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
  2. Declined to Respond by nanospook · · Score: 4, Insightful

    From TFA.. "Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies." Now you know who is coughing up to the NSA..

    --
    Have you fscked your local propeller head today?
    1. Re:Declined to Respond by mmcxii · · Score: 3, Insightful

      Don't think that they're the only ones. Given the current climate I think it is reasonable to assume that you're being monitored regardless of your method of communication.

  3. Unencrypt this by Anonymous Coward · · Score: 5, Insightful

    Fuck the NSA.

    1. Re:Unencrypt this by slashmydots · · Score: 3, Funny

      You forgot to encrypt it. Okay, it's:
      lsdfoj240934ojfwnl;sdaglnkvasd08fvq2ut82js-9dvu8-9WJ34T'PWUD[-G9JWP4YUJ23049JT
      And the decryption key is "fuck the NSA" lol.

  4. An interesting quote FTA by Bearhouse · · Score: 4, Insightful

    "The government's view is that anything we can think of, we can compel you to do."

    Seems pretty spot-on. Unless people challenge these illegal activities, they'll just keep on and on.
    After all, they have pretty-much unlimited resources compared to most private entities, and no real pressure to justify their usage.
    Your tax dollars at work.

  5. Most likely to hide PRISM by Anonymous Coward · · Score: 5, Insightful

    If they can get the keys, then they don't need to use PRISM, they can grab the data upstream.

    It lets them hide the PRISM surveillance, Google/Yahoo/Facebook/DropBox etc. no longer gets to see the volume of requests, it is hidden. US companies can claim, with some degree of truthiness, that they no longer deliver data to PRISM requests, as if the program has been ended, because they no longer see the requests or get to challenge them. In fact surveillance had been expanded to all https traffic.

    They gain 'plausible deniability', and NSA gains 100% surveillance of their https traffic and the ability to man-in-the-middle at will, by simply using their connection upstream. NSA also removes the problem of companies challenging the intercepts.

    The fix is to avoid US based services, either their servers are compromised by the NSA, or their keys.

    More difficult is if NSA has signing rights from the US certificate authorities. Most of these are built into your browser. I tried deleting them from Firefox but it was not possible. With those compromised NSA can sign *foreign* traffic and man-in-the-middle intercept it even though both ends of the conversation are outside NSA control.

    The fix there is to avoid traffic being routed across NSA controlled territories (USA/Canada/UK/NZ/AUS). So if it crosses the UK they record everything and the private keys will let them record all https traffic too. A lot of backbone crosses the US, and a lot of European traffic crosses the UK, so France to Germany might cross the UK, and Germany to Japan might cross the US.

  6. Please Also Note by Anonymous Coward · · Score: 4, Informative

    Every telecommunication company that operates within the United States is required by law to provide law enforcement access to communication streams on demand. It's called CALEA and all telecommunications companies are required by law to follow it.

    CALEA also requires that encrypted communications be decrypted. This includes services like Skype(specifically). CALEA requires that Microsoft provide law enforcement access to the UNENCRYPTED streams of Skype communications, on demand. This is not new and, in light of the House vote yesterday, is not likely to change.

  7. Clipper and TIA, echoes of the past by bsandersen · · Score: 4, Interesting
    It seems bad ideas never die; they just get recycled. The US Government fighting encryption in the 1990's offered "key escrow" (where the Government had a backdoor into the encryption "just in case") as a way to allow citizens and business to protect their data and secure their privacy while allowing law enforcement a chance to use these transactions should it become necessary. It was wildly unpopular and eventually the idea was shelved. Now the government just comes and demands your keys.

    Total Information Awareness, championed by Admiral John Poindexter, former United States National Security Advisor to President Ronald Reagan, a one time felon over Iran-Contra (overturned on appeal), wanted to do much of what the NSA is doing today. When the details of TIA became public there was an outrage and the plans for it had to be scrapped. Or were they?

    The point is this: the public (voters) say "no" to these things... and they just sneak around our backs and do it anyway. Saying "no" once is not sufficient. If, as a citizen, voter, and patriot you believe that these ideas are bad you need to say "no" repeatedly, early, and often. Once whole bureaucracies are constructed to serve a bad aim it is difficult, and perhaps impossible, to stop them.

    As U.S. Supreme Court Justice Louis Brandeis once said, "Sunlight is the best disinfectant." With all due respect to Justice Brandeis, if some of these bad ideas do survive, though, it might be more because of public exhaustion than of public acceptance. Or, more simply, perhaps once a secret bureaucracy gets big enough in the darkness there is no way to kill it once it comes into the light. Even sunlight has its limits.

  8. Forward Secrecy by Agent+ME · · Score: 4, Informative

    The good news is that if the web servers use forward secrecy in the SSL encryption ( https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy ), then an attacker who has the private key is not able to decrypt a connection he has passively eavesdropped on. An active man-in-the-middle attack is required in order to listen in on the connection.

  9. Master key == FAIL by mbone · · Score: 3, Insightful

    If you are relying on a service with a master key for security, you have no security. This is true regardless of whether the government has access to those keys.

  10. those poor bastards by Thud457 · · Score: 3, Funny

    you've managed to make me feel sorry for the poor saps that have to spy all day on us

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  11. Re:Best available advice? by Thud457 · · Score: 3, Funny

    Talk to a lawyer

    great, now he has two problems.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  12. Two parties my ass. by ulatekh · · Score: 4, Insightful

    Our two party system only works were the two parties are not the same.

    I've said it before, and I'll say it again...the left-leaning half of the Ruling Party is no more, or less, virtuous than the right-leaning half of the Ruling Party.
    The only real difference between them is how they want to kill us. The left want to smother us in a stifling nanny-state bureaucracy that'll collapse under its own weight, and the right want to abandon us to fend for ourselves. The latter is more sustainable, but either way we die a miserable death.

    --
    "Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
  13. Re:Self signed certs by IamTheRealMike · · Score: 3, Informative

    Common misconception - certificate authorities do not have private keys. Your private key never leaves your own computers. That's why the NSA would have to force companies to cough them up (or steal them).

    Also, for normal SSL having the private key lets you passively eavesdrop and decrypt. For souped up SSL with forward secrecy it doesn't, it only lets you MITM the connections, which results in the server and client having a different view of things - that's detectable, whereas a leaked SSL key isn't.

    Forward secret SSL is new, and not that easy to do. At the end of 2011 Google employees did the necessary upgrades to OpenSSL, but most other sites haven't deployed it (yet). Enabling forward secret SSL is the best and easiest step forward to beat the NSA/GCHQ right now, because if they HAVE obtained your private key, it forces them to start actively intercepting connections which is expensive and detectable.