CNET: Feds Put Heat On Web Firms For Master Encryption Keys
First time accepted submitter fsagx writes "The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users."
Fuck the NSA.
If they can get the keys, then they don't need to use PRISM, they can grab the data upstream.
It lets them hide the PRISM surveillance: Google/Yahoo/Facebook/DropBox etc. no longer get to see the volume of requests; it is hidden. US companies can claim, with some degree of truthiness, that they no longer deliver data to PRISM requests, as if the program has been ended, because they no longer see the requests or get to challenge them. In fact surveillance had been expanded to all https traffic.
They gain 'plausible deniability', and NSA gains 100% surveillance of their https traffic and the ability to man-in-the-middle at will, by simply using their connection upstream. NSA also removes the problem of companies challenging the intercepts.
The fix is to avoid US-based services: either their servers are compromised by the NSA, or their keys.
More difficult is if NSA has signing rights from the US certificate authorities. Most of these are built into your browser. I tried deleting them from Firefox but it was not possible. With those compromised, NSA can sign *foreign* traffic and man-in-the-middle intercept it even though both ends of the conversation are outside NSA control.
The fix there is to avoid traffic being routed across NSA-controlled territories (USA/Canada/UK/NZ/AUS). So if it crosses the UK they record everything and the private keys will let them record all https traffic too. A lot of backbone crosses the US, and a lot of European traffic crosses the UK, so France to Germany might cross the UK, and Germany to Japan might cross the US.