In recent days we have written about the efforts of the tech giants to erect barriers that will prevent spy agencies from piercing their systems. It was first reported that Google was sealing up cracks in its systems that Edward Snowden revealed a year ago. Google has even taken the extreme step of laying its own fiber-optic cables under the world’s oceans. Now other tech companies are joining the initiative. They pledge to do more to encrypt their internet traffic and, in some cases, their internal network traffic. It seems the era of quiet cooperation with the government is over, although Ars Technica reports that data continues to leak.
In March, the Electronic Frontier Foundation (EFF) singled out eight companies for praise in advancing encryption protocols to battle backdoor surveillance by government spies. Facebook, Dropbox, Google, Microsoft, Sonic.net, SpiderOak, Twitter and Yahoo were the companies commended by the EFF. Their crypto efforts are important because the NSA’s MUSCULAR program tapped into the fiber-optic lines connecting the data centers of internet giants and thus exposed their vulnerabilities. What is very disconcerting is that MUSCULAR bypassed the companies’ legal departments. It snagged extra-legal access to private communications without a court order, not even one from the usually pliant FISA court.
To further confound spy agencies and other prying eyes, the EFF made several suggestions. It advocated that companies encrypt with HyperText Transfer Protocol Secure (HTTPS) by default. To ensure that all communications remain secure, companies should enable HTTP Strict Transport Security (HSTS). This essentially insists on using secure communications: once a browser has seen the HSTS policy, it refuses to talk to the site over plain HTTP. It prevents certain attacks where a network pretends that the site has asked to communicate insecurely. But the EFF worried that this might not be enough to obviate the inroads of the MUSCULAR program.
Further enhancements may be called for. According to the EFF, firms should also encrypt communication between company cloud servers and data centers. And email service providers should support STARTTLS. This is an opportunistic encryption system which encrypts communications between email services that use the Simple Mail Transfer Protocol (SMTP). It will scramble a message from, say, a Hotmail user to a Gmail user. It is important that both email services support STARTTLS, as only then will they negotiate encryption with each other. If one or the other doesn’t have it, the spectre of eavesdropping may appear. The EFF also lauded efforts made with Perfect Forward Secrecy in the fight against unwarranted intrusions from third parties, whoever they may be.
But even as these companies implement stronger security measures, their protection still leaks, especially when it comes to integrating with other services. One of the largest sources of leakage is between email services. Many email service providers have lagged in their deployment of Transport Layer Security (TLS) for encrypting email in transit.
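As an added illustration of the opportunistic nature of STARTTLS described above (example code, not from the article or the EFF), the following Python decides how a sending mail server proceeds after reading the receiving server's EHLO reply. The EHLO replies and hostnames are constructed for the example; it also shows the stricter "require TLS" policy a provider can adopt to close the plaintext-fallback gap.

```python
"""Opportunistic vs. required STARTTLS as a delivery decision.

Constructed SMTP EHLO replies (hypothetical hosts, not real servers) show why
a message is only protected when both email services support STARTTLS.
"""
import re
from dataclasses import dataclass

# Constructed EHLO replies, as a sending MTA would read them after "EHLO".
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.org Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)

def advertises_starttls(ehlo_reply: str) -> bool:
    """True if any 250 line of the EHLO reply advertises STARTTLS (RFC 3207)."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"^250[- ]([A-Za-z0-9]+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

@dataclass
class DeliveryDecision:
    send: bool        # does the sender deliver at all?
    encrypted: bool   # is this hop protected by TLS?
    reason: str

def decide_delivery(ehlo_reply: str, require_tls: bool = False) -> DeliveryDecision:
    """How the sending side proceeds after reading the receiver's EHLO reply.

    Opportunistic mode (require_tls=False) is STARTTLS as commonly deployed:
    if the receiver does not advertise it, the message goes in plaintext and
    the hop can be eavesdropped. Required mode refuses to send rather than
    fall back, trading deliverability for a guarantee of encryption.
    """
    if advertises_starttls(ehlo_reply):
        return DeliveryDecision(True, True, "receiver advertises STARTTLS")
    if require_tls:
        return DeliveryDecision(False, False, "no STARTTLS and TLS is required")
    return DeliveryDecision(True, False, "no STARTTLS; opportunistic plaintext fallback")
```

In opportunistic mode a provider that has not deployed TLS silently receives every message in the clear, which is exactly the leak between email services the paragraph above describes.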
Another source of privacy leaks is the services’ “cookies”. These are the bits of information that get stored by browsers and are retrieved by websites. Too many cookies carry identifying data. Ars Technica singled out one used by Microsoft Bing that included the full name of the writer’s Facebook profile and links to two different sizes of his Facebook profile picture. Some issues need to be resolved here, since what appears on a Facebook profile is public information. The difficulty is balancing the display of public information, i.e. functionality, against privacy. There are fears that this will continue to be the sticking point when it comes to achieving complete protection.
SSL is one important element in the protection arena. But implementation issues continue to swirl. One need only witness the colossal Heartbleed bug and the latest round of exploits uncovered in the OpenSSL library. They make it harder for smaller website operators to stay secure. So even when a site uses SSL to provide a secure connection, there’s no guarantee that your activities on the site won’t be spied upon. Then there are the “man in the middle” attacks to contend with. These have become easier to carry out, can erode SSL’s protection, and don’t require the resources of a giant government agency.
Still, it is heartening to see enhancements which seem to suggest that the tech giants are staying one step ahead of the government and others in the privacy game. But conventional wisdom still applies. Technology exists today for the average consumer to circumvent unwanted surveillance. Multitudes of users are benefiting from VPNs to thwart interlopers. It’s one thing to wait for companies to make strides in protecting privacy, but another to take matters into your own hands. Are you a candidate for a VPN?