On Friday we reported the breaking news about new Edward Snowden revelations that the NSA has made great strides in circumventing, weakening and outright cracking many common forms of encryption used by individuals and businesses to protect their privacy, and to secure sensitive information online (such as bank account details). We have been following the many commentaries and observations made on this issue over the weekend, and wish share and clarify some thoughts about these with our readers, particularly with reference to what the following alarming sounding statement about VPNs actually means.
“Documents show that Edgehill’s initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.”
1. It seems that the NSA can almost certainly readily decrypt PPTP (with MS-CHAPv2 authentication), a protocol that is still in common use throughout the business world, and that was heavily relied upon by VPN providers in the past. That the NSA has cracked PPTP is hardly surprising, given that its insecurity has been known about for years, but it does mean that the NSA can easily decrypt older VPN traffic.
2. More alarming is the fact that it seems highly possible the L2TP/IPsec VPN protocol may also be compromised. L2TP/IPsec is much more secure than PPTP, and is generally considered to ‘strong encryption’. However, as outlined in this post by John Gilmore (security specialist and founding member of the Electronic Frontiers Foundation), IPsec has likely been deliberately weakened by the NSA.
3. “Another program, codenamed Cheesy Name, was aimed at singling out encryption keys, known as ‘certificates’, that might be vulnerable to being cracked by GCHQ supercomputers.”
That these certificates can be ‘singled out’ strongly suggests that 1024-bit RSA encryption (commonly used to protect the certificates) is weaker than previously thought, and can be decrypted much more quickly than expected by the NSA and GHCQ. Once a certificate key has been decrypted, then all exchanges past and future will be compromised if non ephemeral key exchange is used.
This means that many forms of encryption which rely on certificates using non ephemeral keys must be regarded broken, including SSL and TLS. This has huge implications for all HTTPS traffic.
The good news is that OpenVPN, which uses ephemeral (temporary) key exchanges, should not be affected. This is because with ephemeral key exchanges a new key is generated for each exchange, and there is therefore no reliance on certificates to establish trust. Even if an adversary were to obtain the private key of a certificate, they could not decrypt the communication. It is possible that a man in the middle (MitM) attack could target an OpenVPN connection if the private key has been comprised, but this have to be specifically targeted attack.
The other good news is that solving this problem (even for SSL and TLS connections) is not difficult if websites implement perfect forward secrecy (i.e. use ephemeral key exchanges). Unfortunately, as we discuss in our article about just this subject, the only major internet company to implement PFS so far is Google (although this will hopefully now begin to change).
One final thought here is that if more companies start to implement PFS using the Diffie-Hellman exchange protocol, it would be good to see the protocol beefed up from the commonly used 1028-bits to at least 2048-bits to ensure that it cannot be cracked by the NSA (who, it seems, can crack 1048-bit RSA).
4. The MPLS routers used by some VPN providers may be compromised.
5. No VPN provider based in the United States or the United Kingdom can be completely trusted. With the NSA and GHCQ deliberately targeting VPN providers it seems foolhardy to believe that any VPN provider in these counties has not been ‘paid a visit’. That secure email service Lavabit recently closed its doors rather than comply with NSA demands to secretly let it spy on Lavabit’s customers’ serves to demonstrate this point.
It seems that the NSA has indeed succeeded in breaking or otherwise decrypting a great deal of VPN traffic. However OpenVPN, remains largely secure., as do strong encryption such as the AES (or even Blowfish). Combined with these, OpenVPN remains highly effective against any form of brute force attack, and as noted above, its use of ephemeral key exchanges means that dragnet surveillance of OpenVPN traffic should be impossible.
OpenVPN is also free and open source, which means its code is subject to peer review. While the truly paranoid might note that if the NSA can strong-arm commercial software developers, then there is nothing to stop them infiltrating open source software development groups without anyone noticing it, the fact remains that use of free and open source software (FOSS) is the best possible defense available.
In general then, and with the provisos outlined above, VPN from a trustworthy (and therefore certainly not a US or UK) provider, using the OpenVPN protocol (preferably with keys secured by 2048-bit RSA or better encryption), can still be considered secure even against the likes of NSA.
As we mentioned in our earlier post on this subject, VPN provider’s custom VPN clients should in theory be viewed with suspicion as they are not open source. However, if your VPN provider has been coopted to the extent that it builds backdoors or suchlike into its software, then it simply keep logs of your activity, so you are screwed anyway…