Last week’s revelations that the NSA may be able to decrypt most of the traffic on the internet sent shockwaves through the global community. Secure Sockets Layer (SSL) encryption was thought to provide a secure and virtually impenetrable “tunnel” for sensitive internet traffic, such as credit card data or confidential client documents; the NSA, however, has reportedly circumvented the security of SSL connections through a combination of brute-strength computing power and a network of “back doors” inserted into the equipment and algorithms that provide SSL security.
These code-breaking capabilities have left many users of cloud-based services asking if traffic they otherwise expected to be encrypted may be vulnerable to eavesdropping. The short answer is “yes,” but with the major caveat that the NSA appears to be the only organization with the ability to decrypt SSL traffic. When you’re using a site that employs SSL encryption to protect your data, in most cases you’re not trying to protect your data from the NSA: you’re protecting your data from prying eyes on the same WiFi hotspot, an eavesdropper at your local ISP, or an overzealous employer. SSL remains a strong layer of protection against all but a very specific foe, and should be utilized whenever sensitive data is being transmitted over the internet. Even Edward Snowden, who observed and disclosed the NSA’s code-breaking capabilities, states:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.
There is another important caveat to fears around the NSA’s codebreaking capabilities: if the NSA has decided it wants access to your data, odds are that it won’t try to obtain it by compromising SSL encryption. As Bruce Schneier, an expert on internet security, points out, the NSA will likely instead try to compromise the security of one of your “endpoints” — that is, your computer, your mobile phone, or your tablet:
[The NSA] has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
SSL encryption is about protecting your data from commonplace threats, and for that it is just as effective as ever. For those that need to protect their data from highly motivated and sophisticated foes such as the NSA, Schneier provides a useful list of tools and techniques to add an additional level of security to your data.