‘For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies… Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.’
2010 GCHQ memo describing a briefing to employees about NSA accomplishments.
Many people’s more paranoid fears were confirmed yesterday when The Guardian, in partnership with The New York Times and ProPublica, published top secret documents obtained from whistleblower Edward Snowden that expose the lengths to which the NSA and GCHQ have gone in their efforts to decrypt and undermine encryption.
Essentially, it seems that ever since the failure in the 1990s of the Bill Clinton administration’s public attempt to require all encryption technologies to have a built-in back door available to US security services, billions of dollars and untold man-hours have been poured into achieving the same aim through stealth and secrecy.
These efforts appear to have taken a number of approaches:
- A full frontal code-breaking assault on common encryption methods such as SSL. It now seems safe to assume that the NSA can readily access any SSL (https://) encrypted communication of the kind used almost universally by internet banking and ecommerce institutions across the world.
- Using a variety of sneaky and covert measures (including coercion) to deliberately compromise a range of encryption technologies, most notably by co-opting security companies into building backdoors, or otherwise deliberately introducing security weaknesses into their products (CryptoAG and Lotus Notes being the most notable examples, although there is also evidence of a backdoor in Windows).
- Exploiting bad cryptography and weak passwords. Most people are aware of the danger of weak passwords (even if they do nothing about it), but the prevalence of bad cryptography is less well known. For example, the PPTP VPN protocol based on MS-CHAP key exchange remains the VPN protocol most commonly used by business, despite even Microsoft (which was part of the consortium that developed the protocol) advising against its use.
- A highly funded specialist group within the NSA, Tailored Access Operations (TAO), targets end-point computers using a variety of means, including introducing viruses, subverting CA certificate authentication, and hacking computers for long-term keys. Basically, if the NSA targets your computer they will get into it, with the only good news being that doing so is resource-heavy, and so is only done against high-value targets.
VPNs and the protection used on 4G smartphones have come under particularly heavy attack. By 2010 the VPN traffic of 30 targets had been unscrambled, and a further 300 VPNs are targeted for unscrambling by 2015.
By attacking and deliberately weakening the underlying protocols that allow secure communication, and which therefore hold the internet together, the NSA has not only made the internet more vulnerable to hackers, criminals and the terrorists it claims to be fighting against, but has also deeply damaged any moral high ground the United States may have when it comes to international issues of human rights and abuses of power. As Bruce Schneier, encryption specialist and fellow at Harvard’s Berkman Center for Internet and Society, put it,
‘Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.’
The good news
All is not entirely lost, however. The underlying mathematics behind encryption is still good, and although we don’t know which protocols have been broken, it is very unlikely that strong public domain encryption can be readily decrypted by the NSA (if at all). As even Edward Snowden said,
‘Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on’, although his following statement should always be kept in mind: ‘Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.’
Tips on securing yourself against the NSA (with particular reference to VPN)
Schneier has written an article for The Guardian outlining how to remain secure against NSA surveillance. We will look at his points, noting anything of particular relevance to VPN users, and then add some observations of our own.
1. Hide in the network – Schneier recommends using Tor, as even though the NSA targets Tor users, it is work for them, and the less obvious you are, the safer you’ll be. Using a secure (see comments below) VPN will provide a similar level of protection, while also being much more convenient.
2. Encrypt your communications – we know that SSL has been broken, but TLS (on which the OpenVPN protocol is based) and IPsec are probably still good. Even if they have been compromised, using them still provides more protection than not.
3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA, so it probably isn’t. This is good general advice, to which we will add that any commercial software is suspect, so you may be more secure using Linux rather than Windows or OSX.
4. Be suspicious of commercial encryption software, especially from large vendors – avoid any software that is not open source, since open source code can be freely analyzed and peer-reviewed for back doors and other malicious or weak code. As the documents clearly show, the NSA has, one way or another, convinced commercial companies to compromise their own software. Unfortunately a lot of open source software is extremely complex, and therefore even here there are no guarantees that something nasty isn’t lurking inside that no-one has picked up on (yet). We should also note that this point probably applies to custom VPN clients supplied by VPN providers, and that you should only really trust the open source OpenVPN software. However, if your VPN provider has been compromised by the NSA then it can simply keep logs of your behavior without telling you, so worrying about back doors in the software is somewhat like shutting the barn door once the horse has bolted.
5. Try to use public-domain encryption that has to be compatible with other implementations – this is a great point, as it is much harder to build backdoors into software that is in common use, and which needs to be compatible with every other instance of the technology, than it is for closed commercial systems. Schneier adds that you should prefer conventional discrete-log-based systems over elliptic-curve systems, and symmetric cryptography over public-key cryptography. We will point out that the popular Blowfish and AES ciphers commonly used for OpenVPN encryption are both symmetric-key algorithms.
So where does this leave VPN?
‘Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.’ (Schneier)
Despite being targeted by the NSA, VPN remains a highly effective way of maintaining your privacy when online, as long as your VPN provider is trustworthy. While nothing can be considered absolutely secure, 256-bit AES OpenVPN encryption will at the very least slow the NSA down, and require them to specifically target you and allocate precious resources to infiltrating your computer.
‘TAO also hacks into computers to recover long-term keys. So if you’re running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.’ (Schneier).
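The two points above (256-bit AES for OpenVPN, and the exposure of a long-term shared secret) can be checked against an OpenVPN client configuration. The following Python script is an added example, not code from this article or from the OpenVPN project; the sample configurations, the host name and the finding codes are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not taken from the article).
STATIC_KEY_CONF = """\
remote vpn.example.net 1194
<secret>
(placeholder for static key material)
</secret>
cipher BF-CBC
"""
TLS_CONF = """\
client
remote vpn.example.net 1194
ca ca.crt
cert client.crt
cipher AES-256-CBC
"""
AES256 = re.compile(r"AES-256-(CBC|GCM)", re.IGNORECASE)


def parse_directives(text):
    """Map directive -> args. Inline <name>...</name> blocks count as set."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside an inline block: skip the embedded key material
            if line == f"</{inline}>":
                inline = None
            continue
        block = re.fullmatch(r"<([a-z-]+)>", line)
        if block:
            inline = block.group(1)
            directives[inline] = ["[inline]"]
            continue
        # Simplification: '#' or ';' anywhere on the line starts a comment.
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def audit(text):
    """Return (code, message) findings for one client configuration."""
    d, findings = parse_directives(text), []
    if "secret" in d:  # static-key mode relies on one long-term shared secret
        findings.append(("static-key", "static-key mode: one long-term shared secret"))
    if "cipher" not in d:
        findings.append(("cipher-unset", "no cipher set: the version default applies"))
    elif not AES256.fullmatch((d["cipher"] or [""])[0]):
        findings.append(("cipher-not-aes256", " ".join(d["cipher"]) + " is not 256-bit AES"))
    return findings
```

Calling `audit(STATIC_KEY_CONF)` reports both the static-key mode and the Blowfish cipher, while `audit(TLS_CONF)` returns no findings.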
Remember that most of us are unlikely to be of much interest to the NSA, and that the protection afforded by a VPN is certainly highly effective against almost any other kind of adversary. Also remember that while it is possible that NSA records are finding their way into the hands of civilian law enforcement agencies, any such evidence is inadmissible in a court of law (even in the unlikely event that such a source were to be admitted).
VPN therefore remains a vital tool for maintaining your privacy, and in helping to ensure that every aspect of your digital life is wrapped up in secure encryption that will protect you from almost all surveillance, which in most cases (i.e. unless it becomes specifically interested in you) includes the NSA.