SSL encrypted communications intercepted and stored by PRISM

By on June 26, 2013, 5:00 PM

Technologically inclined individuals often stand out within their familial or social circles as a resource for the many complications that arise in our ever-expanding interconnected world. Generally speaking, we, the aforementioned ‘techies,’ advise that users should always follow certain best practices on the internet, such as verifying the identity of a website before handing over sensitive information, and always watching for an indication that a site is secure when doing so.

If your expectations of privacy on the web were not already fairly low, they were likely shattered in the past few weeks with the revelation of the PRISM program. But the ramifications of this surveillance seem to extend to forms of communication that many may have otherwise thought to be safe.

In addition to collecting standard unencrypted communication, PRISM is also gathering and storing mass quantities of SSL (secure sockets layer) encrypted data for later cryptanalysis. Netcraft reports that this large volume of data is logged so that if an SSL private key later becomes available through a variety of means, the entire batch of data collected from a particular site could be decrypted.

Private keys can be obtained through a number of means: a court order, social engineering, an attack against the website, or through cryptanalysis. Once exposed, a single key can decrypt the entire site’s worth of data.

This single point of failure was recognized long ago, and a solution was invented in 1992 called perfect forward security, or PFS. PFS requires connections to an SSL site to use a per-session key, which means that even if a long-term private key is compromised, a snooper (or government) would still have to attack each collected session independently.
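What a per-session key changes for traffic that has already been recorded, as an added toy example (not code from the article or from Netcraft). The tiny RSA and Diffie-Hellman parameters, the function names, the sample message and the SHA-256 keystream standing in for real SSL record encryption are all assumptions made for illustration.

```python
"""Toy model (constructed, not real TLS): static-RSA key transport vs
ephemeral Diffie-Hellman, seen by a collector who later gets the server key."""
import hashlib
import secrets

# Long-term server RSA key built from two Mersenne primes (toy-sized).
RSA_P, RSA_Q, RSA_E = 2**31 - 1, 2**61 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # the private exponent
DH_P, DH_G = 2**127 - 1, 3                         # toy DH group

def seal(secret: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream derived from the session
    secret. XOR is its own inverse, so this both encrypts and decrypts."""
    key = hashlib.sha256(str(secret).encode()).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def record_rsa_session(msg: bytes) -> dict:
    """Without PFS: the client encrypts the session secret to the long-term key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    return {"enc_premaster": pow(premaster, RSA_E, RSA_N),
            "ciphertext": seal(premaster, msg)}

def record_dhe_session(msg: bytes) -> dict:
    """With PFS: both sides use throwaway exponents; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 2) + 2   # client ephemeral, gone after return
    b = secrets.randbelow(DH_P - 2) + 2   # server ephemeral, gone after return
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(pub_b).encode()).digest(), "big")
    return {"A": pub_a, "B": pub_b, "sig": pow(digest % RSA_N, RSA_D, RSA_N),
            "ciphertext": seal(pow(pub_b, a, DH_P), msg)}

def open_with_server_key(wire: dict, d: int) -> list:
    """Apply the long-term private key to every recorded handshake value and
    return the candidate plaintexts this produces."""
    values = [v for k, v in wire.items() if k != "ciphertext"]
    return [seal(pow(v % RSA_N, d, RSA_N), wire["ciphertext"]) for v in values]

if __name__ == "__main__":
    msg = b"user=alice&note=constructed-sample"
    print(msg in open_with_server_key(record_rsa_session(msg), RSA_D))  # True
    print(msg in open_with_server_key(record_dhe_session(msg), RSA_D))  # False
```

In the second case the recorded handshake holds only public Diffie-Hellman values and a signature, so the long-term key has nothing to unwrap; each stored session has to be attacked on its own.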

Problem solved, right? Not quite. PFS hasn't been fully embraced, and it is not used on a majority of SSL-secured sites. The situation is similar to the inadequate and incongruous technologies used for password storage, which have been getting internet companies into trouble lately. Many of those technologies are not nearly as secure as they once were, and developers either don't know or don't care enough to use more robust alternatives.

Netcraft points out that the web server Nginx, which uses PFS most often, was developed in Russia, a country commonly targeted by U.S. spies. Furthermore, none of the companies enrolled in the PRISM program use PFS.

While SSL may protect browsers from average eavesdroppers, these ‘secure’ communications are far from infallible.




User Comments: 11

1 person liked this | cliffordcooley, TechSpot Paladin, said:

Encryption will guarantee your data is stored for future analysis. You gain nothing by encryption, if anything you are painting a sign, I am guilty (at least that is what NSA thinks). Which is the exact same message our government is sending out with their secrecy.

1 person liked this | JC713 said:

Wow, this is beyond horrible.

Guest said:

Sorry, but what's the issue? We already knew the NSA / GCHQ were intercepting web traffic so the fact that they store SSL traffic in case at some point in the future they might possibly be able to decode it isn't really any worse than that. I think the point missed in the article is that the NSA can't decode SSL traffic, in other words SSL is working. Worse than that though is the realization that if you are up to anything illegal on the internet the NSA can't find out if you use SSL. After all isn't the point of law enforcement that they catch criminals?

1 person liked this | Darth Shiv said:

Encryption will guarantee your data is stored for future analysis. You gain nothing by encryption, if anything you are painting a sign, I am guilty (at least that is what NSA thinks). Which is the exact same message our government is sending out with their secrecy.

Alternatively we can encrypt everything and send tonnes of rubbish emails like "Hi NSA. This is a rubbish email." in addition to our real messages.

MonsterZero said:

Wow, this is beyond horrible.

Encryption will guarantee your data is stored for future analysis. You gain nothing by encryption, if anything you are painting a sign, I am guilty (at least that is what NSA thinks). Which is the exact same message our government is sending out with their secrecy.

Alternatively we can encrypt everything and send tonnes of rubbish emails like "Hi NSA. This is a rubbish email." in addition to our real messages.

Sorry, but what's the issue? We already knew the NSA / GCHQ were intercepting web traffic so the fact that they store SSL traffic in case at some point in the future they might possibly be able to decode it isn't really any worse than that. I think the point missed in the article is that the NSA can't decode SSL traffic, in other words SSL is working. Worse than that though is the realization that if you are up to anything illegal on the internet the NSA can't find out if you use SSL. After all isn't the point of law enforcement that they catch criminals?

I think you missed the point of the article that they CAN decrypt SSL because very few sites, facebook, amazon, google, yahoo, etc DO NOT use PFS as a standard.

They have your credit card information, they have every password you ever used. This is hands down terrorizing your own citizens. They will use the decrypted SSL traffic to find and attempt to prosecute you for things you've done, whether they be in the past or present.

JC713 said:

I think you missed the point of the article that they CAN decrypt SSL because very few sites, facebook, amazon, google, yahoo, etc DO NOT use PFS as a standard.

They have your credit card information, they have every password you ever used. This is hands down terrorizing your own citizens. They will use the decrypted SSL traffic to find and attempt to prosecute you for things you've done, whether they be in the past or present.

Hence, my "beyond horrible" comment.

Guest said:

Great thinking on part of ASN they just do perfectly, love you

sweet dreams

Guest said:

And they say the Chinese are bad. Fucktard hypocrites. Wish the world wasn't like this...

Guest said:

PFS is Perfect Forward Secrecy, not Security. It means that the key derived to protect this session is not related to any past or future keys, and that the compromise of the server key will not aid the compromise of the individual sessions (assuming they all use PFS).

Darth Shiv said:

I think you missed the point of the article that they CAN decrypt SSL because very few sites, facebook, amazon, google, yahoo, etc DO NOT use PFS as a standard.

They have your credit card information, they have every password you ever used. This is hands down terrorizing your own citizens. They will use the decrypted SSL traffic to find and attempt to prosecute you for things you've done, whether they be in the past or present.

I was of course talking about sending encrypted emails to/from PFS services. Rubbish emails. Emails they will by policy collect and bloat their storage with said rubbish to decrypt later only to find they say "Hi NSA hope you enjoyed wasting your time storing and decrypting this".

And yes, adding to that, we should be pressuring the sites to use PFS.

cliffordcooley, TechSpot Paladin, said:

bloat their storage with said rubbish to decrypt later only to find they say "Hi NSA hope you enjoyed wasting your time storing and decrypting this".
Here is an idea.

Let's create a botnet that encrypts and spams everyone worldwide with that message. Sending a message that appears to be different at least once every week should keep them very busy with taxpayers' money.
