{"items": [{"author": "Hollis", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349219022", "anchor": "fb-626349219022", "service": "fb", "text": "So how do we get all web servers and browsers to use https by default?", "timestamp": "1377956885"}, {"author": "Jesse", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349303852", "anchor": "fb-626349303852", "service": "fb", "text": "Both may be true.  Assuming metadata collection (who connects to which site) is easier to obtain, that can be tracked in real-time, and special cases decrypted.<br><br>The NSA almost certainly has indexes for DNS and likely user IP addresses.  Mining metadata can yield a lot of info.<br><br>Also would not surprise me if either (a) the NSA has much better decryption, especially for older methods or (b) they have an arrangement that gives them either decryption keys or unencrypted versions of the transaction.", "timestamp": "1377957006"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349353752", "anchor": "fb-626349353752", "service": "fb", "text": "@Hollis: https://www.eff.org/https-everywhere is one option.  Servers switching to https is another.  Old browsers that don't support SNI yet delay this some.  Plus https fundamentally requires servers to have a cert, and that's a big bottleneck.", "timestamp": "1377957089"}, {"author": "Dustin", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349478502", "anchor": "fb-626349478502", "service": "fb", "text": "It's likely they haven't cracked AES, otherwise they wouldn't be using it themselves. More likely is that they've found implementation flaws in things like SSL that make it significantly easier than brute force to decrypt. 
Though, I would agree that they probably can't do that at scale.", "timestamp": "1377957179"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349508442", "anchor": "fb-626349508442", "service": "fb", "text": "@Jesse: What do you mean by \"(b) they have an arrangement that gives them either decryption keys or unencrypted versions of the transaction\"?", "timestamp": "1377957203"}, {"author": "Jesse", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349737982", "anchor": "fb-626349737982", "service": "fb", "text": "My knowledge of current encryption is minimal, so I don't know how practical this is, but we know the NSA has special arrangements with numerous ISPs... odds are pretty good they (1) have hired people who developed each encryption system and (2) if there is ever an unencrypted moment, capture that version.", "timestamp": "1377957485"}, {"author": "Dustin", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626349967522", "anchor": "fb-626349967522", "service": "fb", "text": "@Jesse: SSL certificates are unique per site, so they would have to collaborate with all sites.", "timestamp": "1377957604"}, {"author": "Forsythe", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626352178092", "anchor": "fb-626352178092", "service": "fb", "text": "I'm not convinced that you've analyzed the required parallelism correctly. <br>I don't know that much about cryptography so I'm a bit out of my depth here, but check out ch 9 of this: http://www.ic.unicamp.br/.../cracking.../cracking-des.htm...", "timestamp": "1377959714"}, {"author": "David", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626352407632", "anchor": "fb-626352407632", "service": "fb", "text": "@Jeff: If DANE (RFC 6698) catches on, the requirement to have a cert would be much less of a bottleneck. 
Unfortunately, DANE deployment is probably a bit far off since it depends on DNSSEC. (And even once it's deployed, it'll have the same problem as SNI for years until the older implementations catch up.)", "timestamp": "1377959876"}, {"author": "Ames", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626356983462", "anchor": "fb-626356983462", "service": "fb", "text": "I thought they just made up excuses to force companies to surrender user data.", "timestamp": "1377963540"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626365411572", "anchor": "fb-626365411572", "service": "fb", "text": "@Martin: \"I'm not convinced that you've analyzed the required parallelism correctly.\"<br><br>If you have a known plaintext, which I think you do with very many connections starting with something like \"GET / HTTP/1.1\" at a consistent offset, then for each key you're testing you encrypt the plaintext with that key and then compare to your many captured encrypted versions.  If one of them matches, you've solved it.  The complexity here is number_of_keys * number_of_captures which isn't an improvement.  If the comparisons are much cheaper than running the encryption code then it's a speedup, but it's not enough of one.", "timestamp": "1377968024"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626365720952", "anchor": "fb-626365720952", "service": "fb", "text": "I think what the NSA might try to do is capture lots of encrypted traffic annotated with the unencrypted metadata, like the IP endpoints, and then hang onto it. 
Then, once they have some reason to believe a specific IP address is suspicious based on some other information, they could then perform more analysis retroactively on the captured packets.", "timestamp": "1377968218"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626379253832", "anchor": "fb-626379253832", "service": "fb", "text": "Well, you could mail them a sealed DVD with a one-time pad that you generated from your own source of entropy... :)", "timestamp": "1377976615"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626380062212", "anchor": "fb-626380062212", "service": "fb", "text": "I think one time pads are resilient to MITM attacks. The DVD has to be mailed in an opaque, sealed, tamper-proof container of some sort, or perhaps handed off in-person. If the OTP is not intercepted, then there's no way for an attacker to decrypt the data -- there's no way to decrypt the cyphertext without knowing the pad. Since you generated the pad, they wouldn't be able to guess it. Am I missing something?", "timestamp": "1377977200"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626382706912", "anchor": "fb-626382706912", "service": "fb", "text": "Yeah, I agree -- the trust model used today behaves pretty poorly in the face of frequent compromise of \"trusted\" authorities. 
I think efforts ought to focus on managing the scope of compromise when it inevitably happens, perhaps by drastically tightening certificate expiration time windows, proactive addition and removal of trust chains as a routine thing, and other things that people who have thought about this a lot more than me have already proposed.", "timestamp": "1377978497"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=626383694932", "anchor": "fb-626383694932", "service": "fb", "text": "@Jake: \"Then they could forge certificates for any domain they wanted.\"<br><br>They could, but they would be open to being noticed.  This is the sort of thing you'd have to do to very few people, and you'd need to make sure no one was doing certificate pinning.", "timestamp": "1377979320"}, {"author": "Forsythe", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627086112282", "anchor": "fb-627086112282", "service": "fb", "text": "http://nyti.ms/1dV982u", "timestamp": "1378410331"}, {"author": "Jesse", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627092060362", "anchor": "fb-627092060362", "service": "fb", "text": "Along with the NYTimes article, here are the companion pieces:<br>http://www.propublica.org/.../the-nsas-secret-campaign-to...<br>http://www.theguardian.com/.../nsa-project-bullrun...", "timestamp": "1378413780"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627096351762", "anchor": "fb-627096351762", "service": "fb", "text": "@Martin, Jesse: that the NSA has been hacking sites and trying to crack encryption isn't new here, and \"The N.S.A. hacked into target computers to snare messages before they were encrypted\" isn't very surprising.  
But while I can totally believe that \"the agencies\u2019 goal was to move away from decrypting targets\u2019 tools one by one and instead decode, in real time, all of the information flying over the world\u2019s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence\" I'm not seeing anything here to indicate they've succeeded.<br><br>Some sort of on-demand one-at-a-time key cracking is plausible (especially for sites using 1024 bit RSA) and the \"Key Recovery Service\" sounds like it could be this, but this is much weaker than decrypting all https traffic and scanning it.", "timestamp": "1378417165"}, {"author": "Forsythe", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627097818822", "anchor": "fb-627097818822", "service": "fb", "text": "This is the piece that I find more worrisome: \"The NSA has worked with American and foreign tech companies to introduce weaknesses into commercial encryption products, allowing backdoor access to data that users believe is secure.<br>The NSA has deliberately weakened the international encryption standards adopted by developers around the globe.\"", "timestamp": "1378418409"}, {"author": "Danner", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627101132182", "anchor": "fb-627101132182", "service": "fb", "text": "I'm interested in the amount of heat this would create, and how it would be either hidden or exchanged.", "timestamp": "1378421323"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627149834582", "anchor": "fb-627149834582", "service": "fb", "text": "@Martin: the quote you have doesn't say encryption standards but commercial encryption products.  That's a lot easier.  You can just go up to a company and ask them to make changes.  
So a way around this is to \"use public-domain encryption that has to be compatible with other implementations\": http://www.theguardian.com/.../nsa-how-to-remain-secure...", "timestamp": "1378469277"}, {"author": "Jesse", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627150777692", "anchor": "fb-627150777692", "service": "fb", "text": "\" Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States\u2019 encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.<br><br>Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort \u201ca challenge in finesse.\u201d<br><br>\u201cEventually, N.S.A. became the sole editor,\u201d the memo says. \"<br>From the ProPublica article.", "timestamp": "1378470565"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/626348510442?comment_id=627151206832", "anchor": "fb-627151206832", "service": "fb", "text": "@Jesse: the weakness discovered by two MS researchers in 2007 is probably: http://rump2007.cr.yp.to/15-shumow.pdf<br>Thomas Ptacek of Matasano described it as \"CSPRNG design that nobody uses or is ever likely to use (it's extremely expensive)\" so unless they can do much better at this that's not what we should be focusing on.", "timestamp": "1378470833"}]}