In his essay 'A Few Thoughts on Cryptographic Engineering', Matthew Green, a cryptographer and research professor at Johns Hopkins University, asks "how the hell is NSA breaking SSL?" If this is news to you, following the Edward Snowden revelations in The Guardian, then you obviously haven't read the New York Times piece about the NSA 'Bullrun' briefing sheet, which states quite plainly that the agency has been circumventing exactly the kind of encryption we take for granted for protecting everyday Internet communications, such as SSL (Secure Sockets Layer).
Of course, as Green has hinted at here, what's in doubt is not the fact that SSL is being broken (or rather sidestepped, although ultimately it amounts to the same thing) but rather the precise method by which it is being circumvented. I'm not going to repeat all of the possibilities here; Green goes through them in some detail in his piece, and I would humbly suggest you follow the link and do likewise. It's seriously interesting stuff, even for the non-ITSec geeks amongst you. But it's not all bad news: at least the Snowden revelations are increasing public awareness of the snooping, and this in turn is driving IT vendors to double down on efforts to improve and extend encryption to enhance data privacy.
"Whether implementing stronger encryption algorithms or adding it where it wasn't previously used, vendors are raising the bar for attackers (good and bad) attempting to orchestrate data breaches," says Michael Sutton, vice president of security research for cloud-based security provider Zscaler, continuing: "despite these efforts, it is likely that the NSA and other intelligence organisations will continue to succeed in their eavesdropping efforts, not because they are breaking SSL, but because they are bypassing it." This occurs either because encryption is often not employed end-to-end or because of legal efforts to obtain encryption keys. The revelation that the NSA was tapping directly into the fibre optic cables outside Google and Yahoo! data centres, for example, describes an effort to exploit a weak link in the security chain: data was not encrypted while being transferred between data centres. Likewise, court documents have revealed NSA efforts to force companies to turn over their private encryption keys. As Sutton concludes, "the strongest encryption algorithms in the world are of little use when not turned on or if the keys are handed over."