I'm ambivalent about NSA's need to request potentially large amounts of data from Google about broadly targeted foreign intelligence targets. I see the long term sinister possibilities while generally believing that the data isn't being misused today, and what immediate problems I see have more to do with ineptitude and laziness than with the belief that Internet surveillance is fundamentally evil.
But coercing Google into handing over TLS keys is unequivocally bad; indefensible, I think. It's one thing to legally compel Google to grant access to data, but another thing entirely to rewire Google itself:
* It provides NSA with a technical capability they do not currently have, enabling them to shoot first and answer questions for a court later, and eliminates a due process element that other providers (notably Yahoo) have been able to avail themselves of.
* If provides the USG with capabilities beyond simple surveillance, for instance by allowing them to spoof Google pages. There can't be any legitimate reason to provide them that blanket authority.
I appreciate the effort and expense it must take for companies like Google to resist these requests.
Since this is apparently new information to you, I hope you update your risk assessment.
The government misusing secret surveillance isn't conspiracy talk, it's first order incentives. It would be bizarre if the data were NOT being abused. I'm a law and order guy, but federal prosecutors have a well documented history of playing as close to the the line as they can and dancing right over the line when they can get away with it. Since they're now trying to hide the line, this should be fairly scary to rational people.
> It provides the USG with capabilities beyond simple surveillance, for instance by allowing them to spoof Google pages. There can't be any legitimate reason to provide them that blanket authority.
The US government already has at least Verisign under their belt. They can already MITM just about any SSL connection they could ever want to.
I would wager that they have a large number of private keys anyway. It's not like datacenters would be able to do much when the NSA rocks up with a NSL.
> It provides NSA with a technical capability they do not currently have, enabling them to shoot first and answer questions for a court later
If I remember correctly , you don't have a problem with the NSA phone metadata collection either... but wouldn't your same argument apply there as well?
the effort and expense it must take for companies like Google to resist these requests
I think the "resistance" by the legal departments of these companies is largely theatre. If someone with the resources of a nation-state agency wants the keys, they will get them. All they need to do is figure out who has access to them, and either bribe them or blackmail them.
How realistic is it to keep these master keys secret? Can't the CIA just blackmail a foreign employee into handing over the keys? The keys must be sitting on literally thousands of boxes that do SSL termination. How many employees could access these keys?
I think there needs to be an acknowledgement that the NSA, the FBI, and the government in general are not staffed by angels or robots, but by human beings, and that some of these human beings are criminals. The very fact that Snowden got all that data means that, regardless of whether or not he's a criminal or a whistleblower, the humans in government cannot be trusted with this data. "The FBI" may have a need for this data but the humans in the FBI are too great a risk. I find it absurd that we are even having to have this conversation with an organization that has to deal with operational security.
Few men could be moral when offered the combination of unrestricted power over others, total secrecy, and lack of consequences for actions, that is so often the state of these agencies.
That's why we need their power to be limited and defined, as open as possible, and have legitimate avenues of redress for grievances. They are supposed to be public servants, not rogues.
I am always reminded of a quote from Arthur C. Clarke I was made aware of through Bill Joys "Why the future doesen't need us." http://www.wired.com/wired/archive/8.04/joy.html (Still a classic piece)
"Another idea is to erect a series of shields to defend against each of the dangerous technologies. The Strategic Defense Initiative, proposed by the Reagan administration, was an attempt to design such a shield against the threat of a nuclear attack from the Soviet Union. But as Arthur C. Clarke, who was privy to discussions about the project, observed: "Though it might be possible, at vast expense, to construct local defense systems that would 'only' let through a few percent of ballistic missiles, the much touted idea of a national umbrella was nonsense. Luis Alvarez, perhaps the greatest experimental physicist of this century, remarked to me that the advocates of such schemes were 'very bright guys with no common sense.'"
Clarke continued: "Looking into my often cloudy crystal ball, I suspect that a total defense might indeed be possible in a century or so. But the technology involved would produce, as a by-product, weapons so terrible that no one would bother with anything as primitive as ballistic missiles.""
The threat of terrorism is greatly overplayed by various interest groups. I wonder if the accumulated effect of this attempt to oust terrorists is creating more harm than it's hindering.
More people die in a year on the US roads than have died from all terrorist attacks accumulated.
Some of those that died on the roads most probably chose a car instead of the tediousness that is airports.
If the US government truly where interested in hindering terrorists and saving lives, they wouldn't hide the fact that they are eavesdropping, they would make it obvious and transparent, and possible for each individual citizen to know what they know about you.
> More people die in a year on the US roads than have died from all terrorist attacks accumulated.
I'm a little tired of this argument. "Only" 3000 people died in 9/11. Yet look at the effect that 9/11 had on the world, versus 100 times that many automobile deaths.
As much as we'd like to think the only bad outcome of a terrorist attack is loss of life, that's not really the biggest outcome. It is the impact on society, like it or not.
At the end of the day, terrorism is primarily a tool to affect political situations, their effect on public health situations is not really the point; it is that political damage that is worrying to governments.
I can't help wondering if this is what prompted Google to adopt perfect forward secrecy in November 2011, and for Facebook to say last month it would follow suit, which I wrote about here: http://news.cnet.com/8301-13578_3-57591179-38/data-meet-spie...
Note I have no direct knowledge that this is the motivation, but it strikes me that PFS is a solution to a specific threat model of an eavesdropper having passive access to the network. I'd be eager to hear more from people who are more familiar with the issue than I am.
At the very least, if some judge in [rural county where Google has a datacenter] issues a subpoena for the keys necessary to decrypt a packet capture obtained by the Sheriff's Office in the course of investigating a local crime
A: They can credibly argue that they don't have that information, and it won't trigger an avalanche of copycat subpoenas.
B: The crypto key being sought by the subpoena is not one that would enable decryption of all Google, but rather one specific to the connection.
"The government's view is that anything we can think of, we can compel you to do."
Which pretty much in a nutshell encapsulates what's wrong with the U.S. security state we've built. Terrorism is the trump card, the thing that compels/allows the state to take anything it needs. As one official put it recently "We're not trying to spy on you, we're trying to find those among you who are trying to kill you" And anything they do in order to prevent that from happening is fair game. It's a perpetual state of war.
Having said that, this is kind of a good news/bad news situation. The good news? Looks like most of the secret back door rumors, at least when it comes to TLS, were wrong. The bad news? It doesn't matter. If the government can try compel you to release the secret password for millions of users -- and then forbid you even to talk about it in the open -- then there truly is no limit to the monitoring and control they can exert. Whatever they get away with this year, there'll be more to come next year. Fake out https websites, play MITM games with data providers -- if you've got the keys, the world is your oyster.
Back around the turn of the century, I worked on several government projects. Aside from the usual deadwood workers, there are folks that are really eager to push the technology and create as much automation and storage as possible. This is because they like to hack, just like the rest of us. I used to say, jokingly, that the only reason we didn't live in a dystopian security state was that the government was too inept to actually create one.
Looks like the joke was on me. They're pretty fast learners. Make the national transaction and storage system totally secure, then lean on the in-country tech community to give you the keys to all of it. What a terrible way to destroy the national tech economy.
It has been interesting, over the past some years, as a client just to observe the ongoing changes Google has been making to the nature of HTTPS connections to its properties.
Reporting like this appears[1], and -- coincidence or not -- those observations fit into place.
----
[1] Whether regarding three letter acronyms or protocol weaknesses or whatnot
P.S. I'm not sure why the downvotes. TLS renegotiation weakness. Perfect forward security. Even earlier, nascent deployment of their own intermediate certificate authority -- which disappeared after some months, only to reappear again more recently (at least, in my Gmail connections). More recently, in addition to maintaining perfect forward security, now also replacing the underlying certificates every three weeks or so -- at least, as based upon the changing validity dates that are easier/quicker to compare in/via the browser interface.
I continue to "wonder" where Google comes down in all this... "security/authoritarianism" fracas. If there is a single "Google position". Regardless, they appear to be one of the most proactive parties, from a technical perspective. And politics aside, I continue to think that behind the scenes, there are a lot of people there behind the scenes who want to "do the right thing" and who work hard, within their responsibilities and areas of expertise, to "make it so".
I agree. The most obvious explanation (which may not be correct, of course) for these engineering changes is that Google is trying to armor its network against state-sponsored surveillance.
BTW it's every two weeks:
http://news.cnet.com/8301-13578_3-57591560-38/facebooks-outm...
Langley added: "We would have totally eaten the cost and the speed years ago -- if we could have done it without worries." As an additional precaution, Langley said, Google usually rotates its RSA keys every two weeks.
Yes, we've lost everything encrypted with single DES, PPTP, SSL less than 1024 (?) bit keys, Debian Etch, and so on.
But on the other hand: Snowden was successfully able to evade Boundless Informant and conduct a confidential conversation with Greenwald and Laura Poitras (certainly already an active surveillance target for her film of William Binney).
It is possible that the keys are already compromised, and that the Feds want to cover themselves with an excuse for having supposedly encrypted communications when that is later discovered.
How is this worse than key escrow? You can still use PGP without having to give your secret key to the government. In a world of key escrow, the FBI would not have to put pressure on anyone to give up a secret key, because they would already have the key.
We won the cryptowars, but it was a Pyrrhic victory. By the time we won the right to distribute strong cryptography there were hundreds of millions of people using the Internet without it, and the important protocols were all insecure. We have spent over a decade trying to jimmy cryptography into those protocols and are now stuck with a complete mess. We are still relying on passwords to authenticate people, we are still sending unsigned email in the clear, etc. Glen Greenwald had to be pestered by another journalist to even bother with OTR when Snowden tried to talk to him.
I wish cnet didn't write this article like they thought they were CNN or USA Today. What are we supposed to make of the phrase "master keys"? It doesn't seem like they are talking about root ca's. Is it really practical to try to collect and use all of the multitude of last link in the chain endpoint certificate keys? Those seem to change quite often and can be quite numerous. Demanding sub-ca or company wide middle chain keys would seem to be more manageable, but that would suggest that both they're really worried about people watching for signing chain anomalies since presumably they have at least a few root ca privates and that they are willing to sit in the middle rewriting traffic.
Perhaps this is a response to growing use of certificate pinning? Facebook apparently has joined google in using pins, and I was recently told that microsoft is enabling pinning as an option in EMET4. But if that was the issue, that would tend to suggest they had been previously accustomed to rewriting some of these providers traffic with unlikely root ca's, something which people have been keeping an eye out for and to my knowledge has never been caught in the wild.
Didn't we already go through this in the mid/late 1990s?
(I'd personally have a really hard time giving them a polite multi-page legal letter saying "sorry, we are unable to comply, and we don't have to, due to x, y, z" -- either a single "No." or perhaps "Nuts!", or trolling them with ASCII art or a return letter demanding NSA turn over their keys. Which is why I'm not a lawyer.)
What if a company is storing its keys on a smartcard/cryptographic module that cannot export the key? I guess the FBI just asks for backdoor access to the company's servers, or maybe just follows the standard "we need to take your systems and shut down your business" approach?
There has been some speculation that the NSA is focusing on bad RNGs now. I wonder what the quality (overall) are of the RNGs in the servers using these keys. I also am pretty curious how such a widely needed key is protected at the scale of tens to hundreds of thousands of devices.
I'm willing to bet, the feds already have the master encryption keys and just want to make the companies give up the keys willingly so it sheds some of the blame onto them rather than all on government at once.
I tried in 3 browsers (2 which I haven't gone to Facebook before), and Facebook didn't load over HTTP. Facebook sent HTTP STS headers, too. I believe you are incorrect.
[+] [-] tptacek|12 years ago|reply
But coercing Google into handing over TLS keys is unequivocally bad; indefensible, I think. It's one thing to legally compel Google to grant access to data, but another thing entirely to rewire Google itself:
* It provides NSA with a technical capability they do not currently have, enabling them to shoot first and answer questions for a court later, and eliminates a due process element that other providers (notably Yahoo) have been able to avail themselves of.
* If provides the USG with capabilities beyond simple surveillance, for instance by allowing them to spoof Google pages. There can't be any legitimate reason to provide them that blanket authority.
I appreciate the effort and expense it must take for companies like Google to resist these requests.
[+] [-] ferdo|12 years ago|reply
Not to be unkind, but I'm honestly repulsed by your ambivalence. Ambivalence is assent, in police state logic. Your opinion, backdated:
"I'm ambivalent about the Stasi's need to request that postmasters allow access to all mail."
"I'm ambivalent about the KGB's need to request that all phone lines be tapped."
Make a choice: either be in favor of the American Police State or oppose it.
[+] [-] ellyagg|12 years ago|reply
http://www.nytimes.com/2013/07/16/us/double-secret-surveilla...
Since this is apparently new information to you, I hope you update your risk assessment.
The government misusing secret surveillance isn't conspiracy talk, it's first order incentives. It would be bizarre if the data were NOT being abused. I'm a law and order guy, but federal prosecutors have a well documented history of playing as close to the the line as they can and dancing right over the line when they can get away with it. Since they're now trying to hide the line, this should be fairly scary to rational people.
[+] [-] nwh|12 years ago|reply
The US government already has at least Verisign under their belt. They can already MITM just about any SSL connection they could ever want to.
I would wager that they have a large number of private keys anyway. It's not like datacenters would be able to do much when the NSA rocks up with a NSL.
[+] [-] utnick|12 years ago|reply
If I remember correctly , you don't have a problem with the NSA phone metadata collection either... but wouldn't your same argument apply there as well?
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] ams6110|12 years ago|reply
I think the "resistance" by the legal departments of these companies is largely theatre. If someone with the resources of a nation-state agency wants the keys, they will get them. All they need to do is figure out who has access to them, and either bribe them or blackmail them.
[+] [-] sneak|12 years ago|reply
Why don't we see 50,000 deaths a year in the US from terrorist attacks?
N.B. that the NSA claims to have stopped "dozens" (<=100) of plots with these programs.
[+] [-] jcampbell1|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] jamieb|12 years ago|reply
[+] [-] jivatmanx|12 years ago|reply
That's why we need their power to be limited and defined, as open as possible, and have legitimate avenues of redress for grievances. They are supposed to be public servants, not rogues.
[+] [-] ThomPete|12 years ago|reply
"Another idea is to erect a series of shields to defend against each of the dangerous technologies. The Strategic Defense Initiative, proposed by the Reagan administration, was an attempt to design such a shield against the threat of a nuclear attack from the Soviet Union. But as Arthur C. Clarke, who was privy to discussions about the project, observed: "Though it might be possible, at vast expense, to construct local defense systems that would 'only' let through a few percent of ballistic missiles, the much touted idea of a national umbrella was nonsense. Luis Alvarez, perhaps the greatest experimental physicist of this century, remarked to me that the advocates of such schemes were 'very bright guys with no common sense.'" Clarke continued: "Looking into my often cloudy crystal ball, I suspect that a total defense might indeed be possible in a century or so. But the technology involved would produce, as a by-product, weapons so terrible that no one would bother with anything as primitive as ballistic missiles.""
The threat of terrorism is greatly overplayed by various interest groups. I wonder if the accumulated effect of this attempt to oust terrorists is creating more harm than it's hindering.
More people die in a year on the US roads than have died from all terrorist attacks accumulated.
Some of those that died on the roads most probably chose a car instead of the tediousness that is airports.
If the US government truly where interested in hindering terrorists and saving lives, they wouldn't hide the fact that they are eavesdropping, they would make it obvious and transparent, and possible for each individual citizen to know what they know about you.
I just don't get their logic.
[+] [-] bingaling|12 years ago|reply
[1] https://www.youtube.com/watch?feature=player_detailpage&v=bA...
[+] [-] zzzeek|12 years ago|reply
I'm a little tired of this argument. "Only" 3000 people died in 9/11. Yet look at the effect that 9/11 had on the world, versus 100 times that many automobile deaths.
As much as we'd like to think the only bad outcome of a terrorist attack is loss of life, that's not really the biggest outcome. It is the impact on society, like it or not.
At the end of the day, terrorism is primarily a tool to affect political situations, their effect on public health situations is not really the point; it is that political damage that is worrying to governments.
[+] [-] declan|12 years ago|reply
Note I have no direct knowledge that this is the motivation, but it strikes me that PFS is a solution to a specific threat model of an eavesdropper having passive access to the network. I'd be eager to hear more from people who are more familiar with the issue than I am.
[+] [-] marshray|12 years ago|reply
A: They can credibly argue that they don't have that information, and it won't trigger an avalanche of copycat subpoenas.
B: The crypto key being sought by the subpoena is not one that would enable decryption of all Google, but rather one specific to the connection.
[+] [-] lifeisstillgood|12 years ago|reply
[+] [-] DanielBMarkham|12 years ago|reply
Which pretty much in a nutshell encapsulates what's wrong with the U.S. security state we've built. Terrorism is the trump card, the thing that compels/allows the state to take anything it needs. As one official put it recently "We're not trying to spy on you, we're trying to find those among you who are trying to kill you" And anything they do in order to prevent that from happening is fair game. It's a perpetual state of war.
Having said that, this is kind of a good news/bad news situation. The good news? Looks like most of the secret back door rumors, at least when it comes to TLS, were wrong. The bad news? It doesn't matter. If the government can try compel you to release the secret password for millions of users -- and then forbid you even to talk about it in the open -- then there truly is no limit to the monitoring and control they can exert. Whatever they get away with this year, there'll be more to come next year. Fake out https websites, play MITM games with data providers -- if you've got the keys, the world is your oyster.
Back around the turn of the century, I worked on several government projects. Aside from the usual deadwood workers, there are folks that are really eager to push the technology and create as much automation and storage as possible. This is because they like to hack, just like the rest of us. I used to say, jokingly, that the only reason we didn't live in a dystopian security state was that the government was too inept to actually create one.
Looks like the joke was on me. They're pretty fast learners. Make the national transaction and storage system totally secure, then lean on the in-country tech community to give you the keys to all of it. What a terrible way to destroy the national tech economy.
[+] [-] pasbesoin|12 years ago|reply
Reporting like this appears[1], and -- coincidence or not -- those observations fit into place.
----
[1] Whether regarding three letter acronyms or protocol weaknesses or whatnot
P.S. I'm not sure why the downvotes. TLS renegotiation weakness. Perfect forward security. Even earlier, nascent deployment of their own intermediate certificate authority -- which disappeared after some months, only to reappear again more recently (at least, in my Gmail connections). More recently, in addition to maintaining perfect forward security, now also replacing the underlying certificates every three weeks or so -- at least, as based upon the changing validity dates that are easier/quicker to compare in/via the browser interface.
I continue to "wonder" where Google comes down in all this... "security/authoritarianism" fracas. If there is a single "Google position". Regardless, they appear to be one of the most proactive parties, from a technical perspective. And politics aside, I continue to think that behind the scenes, there are a lot of people there behind the scenes who want to "do the right thing" and who work hard, within their responsibilities and areas of expertise, to "make it so".
[+] [-] declan|12 years ago|reply
BTW it's every two weeks: http://news.cnet.com/8301-13578_3-57591560-38/facebooks-outm... Langley added: "We would have totally eaten the cost and the speed years ago -- if we could have done it without worries." As an additional precaution, Langley said, Google usually rotates its RSA keys every two weeks.
[+] [-] DanBC|12 years ago|reply
This is worse than key-escrow and clipper chips and all the other nonsense we fought in the past.
[+] [-] marshray|12 years ago|reply
But on the other hand: Snowden was successfully able to evade Boundless Informant and conduct a confidential conversation with Greenwald and Laura Poitras (certainly already an active surveillance target for her film of William Binney).
So the crypto wars are not yet lost.
[+] [-] fnordfnordfnord|12 years ago|reply
[+] [-] betterunix|12 years ago|reply
We won the cryptowars, but it was a Pyrrhic victory. By the time we won the right to distribute strong cryptography there were hundreds of millions of people using the Internet without it, and the important protocols were all insecure. We have spent over a decade trying to jimmy cryptography into those protocols and are now stuck with a complete mess. We are still relying on passwords to authenticate people, we are still sending unsigned email in the clear, etc. Glen Greenwald had to be pestered by another journalist to even bother with OTR when Snowden tried to talk to him.
[+] [-] trotsky|12 years ago|reply
Perhaps this is a response to growing use of certificate pinning? Facebook apparently has joined google in using pins, and I was recently told that microsoft is enabling pinning as an option in EMET4. But if that was the issue, that would tend to suggest they had been previously accustomed to rewriting some of these providers traffic with unlikely root ca's, something which people have been keeping an eye out for and to my knowledge has never been caught in the wild.
[+] [-] rdl|12 years ago|reply
(I'd personally have a really hard time giving them a polite multi-page legal letter saying "sorry, we are unable to comply, and we don't have to, due to x, y, z" -- either a single "No." or perhaps "Nuts!", or trolling them with ASCII art or a return letter demanding NSA turn over their keys. Which is why I'm not a lawyer.)
[+] [-] betterunix|12 years ago|reply
[+] [-] penguindev|12 years ago|reply
I've had to think about that case myself.
[+] [-] mentat|12 years ago|reply
[+] [-] jonknee|12 years ago|reply
https://news.ycombinator.com/item?id=6096229
[+] [-] warmwaffles|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] glitchdout|12 years ago|reply
Kinda off-topic but this statement is false. Facebook HTTPS is not enabled by default, it's opt-in.
[+] [-] MichaelGG|12 years ago|reply
[+] [-] mmuro|12 years ago|reply
[+] [-] orokusaki|12 years ago|reply
[deleted]
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] peterkelly|12 years ago|reply