Did the NSA Vaporize Cloud Security?

Last week’s revelations that the NSA may be able to decrypt most of the traffic on the internet sent shockwaves through the global community. Secure Sockets Layer (SSL) encryption was thought to provide a secure and virtually impenetrable “tunnel” for sensitive internet traffic, such as credit card data or confidential client documents. The NSA, however, has reportedly circumvented the security of SSL connections through a combination of brute-force computing power and a network of “back doors” inserted into the equipment and algorithms that provide SSL security.

These code-breaking capabilities have left many users of cloud-based services asking if traffic they otherwise expected to be encrypted may be vulnerable to eavesdropping. The short answer is “yes,” but with the major caveat that the NSA appears to be the only organization with the ability to decrypt SSL traffic. When you’re using a site that employs SSL encryption to protect your data, in most cases you’re not trying to protect your data from the NSA: you’re protecting your data from prying eyes on the same WiFi hotspot, an eavesdropper at your local ISP, or an overzealous employer. SSL remains a strong layer of protection against all but a very specific foe, and should be utilized whenever sensitive data is being transmitted over the internet. Even Edward Snowden, who observed and disclosed the NSA’s code-breaking capabilities, states:

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.

There is another important caveat to fears around the NSA’s codebreaking capabilities: if the NSA has decided it wants access to your data, odds are that it won’t try to obtain it by compromising SSL encryption. As Bruce Schneier, an expert on internet security, points out, the NSA will likely instead try to compromise the security of one of your “endpoints” — that is, your computer, your mobile phone, or your tablet:

[The NSA] has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

SSL encryption is about protecting your data from commonplace threats, and for that it is just as effective as ever. For those who need to protect their data from highly motivated and sophisticated foes such as the NSA, Schneier provides a useful list of tools and techniques that add a further level of security to your data.

Comments

  1. David Collier-Brown

    Regrettably, being a lawyer carries higher risks than being a nerd.

    I’m at risk if I am in communication with someone or some group the security services are suspicious of, or if I’m in communication with someone who is in communication with them. By having been party to a deep technical debate on internet security, there is a small chance I might become a “person of interest” to one of the security services.

    Similarly, I might become a person of interest to a mere criminal using some of the back-doors created by the security services, but that’s a different problem (;-))

    A lawyer, on the other hand, might well belong to a firm which has given advice to a person whom the security services are concerned about, or someone associated with such a person.

    Unless a law firm actively avoids providing services to persons the U.S. NSA would credibly be suspicious of, that law firm *should be* an organization of interest to the NSA.

    The NSA would be remiss if they failed to pay attention to law firms just because they are law firms. Or because they’re Canadian.

    There have been good suggestions here for protecting privileged communications, but if you’re communicating to anyone that a foreign security service should be interested in, you probably should be doing it in person.

    –dave