For some time I have been meaning to write down some of my thoughts about the NSA/PRISM/network surveillance case. For me, the most interesting question is what the NSA can do in practice and what it cannot. This blog post by professor Matthew Green is pretty complete, and it sums up my thoughts and assumptions about the case quite comprehensively.
One of the key points in professor Green's post is that the NSA is probably not attacking cryptography itself, but protocols, implementations and humans.
For instance, consider the SSL/TLS protocols, which have become the de facto cryptographic protocols on the web. There are several vulnerabilities in the protocols, including the BEAST [Schneier's blog post], CRIME and BREACH attacks. These affect SSL 3 / TLS version 1.0 and older. The only cipher which is not vulnerable to the BEAST attack, RC4, is otherwise considered weak. Moreover, less than 15% of all websites support TLS 1.1 and later, which are still considered secure [Wikipedia]. Adoption of TLS 1.1 in web browsers has also been very slow.
Thus, it is obvious that the NSA has the resources to break the vast majority of SSL/TLS-encrypted web traffic. Moreover, they may have stolen or otherwise obtained private keys for large public web services (like Facebook, Hotmail and so on), and they can sign valid certificates for any web service in the world (and use them for man-in-the-middle attacks). However, I do not think they are able to break strong algorithms such as AES or Blowfish. Why should they, when they can exploit flaws in the protocol or backdoors on the network endpoints?
However, if you are paranoid, you can still achieve NSA-proof encryption for web traffic. The only thing you need to do is take care of a few little things:
- Only allow TLS 1.1 or later on the server side.
- Make sure you use strong ciphers and long enough keys (at least 2048 bits).
- Make sure that the private key of the server is 100% safe and not compromised.
- Ensure that there are no backdoors or malware in any software or hardware, on either the client or the server side.
- On the client side, always check who has signed the certificate (preferably, write down the fingerprint and check it every time).
Then you should theoretically have an NSA-proof TLS-connection. Just a piece of cake. And yes, I am being sarcastic.
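The client side of that checklist, as an added Python example that is not part of the original post: a hardened `ssl.SSLContext` (version floor, restricted cipher list, RC4 excluded) plus a check of the server certificate's SHA-256 fingerprint against a value written down out of band. It assumes the host, port and pinned fingerprint are supplied by the caller, and it sets the floor to TLS 1.2 rather than the post's 1.1, because current OpenSSL builds disable TLS 1.0 and 1.1 outright.

```python
"""Hardened TLS client with certificate fingerprint pinning (added example)."""
import hashlib
import hmac
import socket
import ssl

# OpenSSL cipher-list syntax: forward-secret AEAD suites only. RC4 (weak, as the
# post notes), anonymous suites and MD5-based suites are explicitly excluded.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"


def hardened_client_context() -> ssl.SSLContext:
    """Client context with chain + hostname verification on, a TLS 1.2 floor
    (the post says 1.1 or later; 1.0/1.1 are disabled in current OpenSSL) and
    the restricted cipher list. Key length (>= 2048 bits) is chosen when the
    server key is generated and is not checked here."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def sha256_fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 of the DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' (as browsers display it) or 'abcd...'."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert: bytes, pinned_sha256: str) -> bool:
    """Constant-time comparison of the leaf certificate against the pin."""
    return hmac.compare_digest(sha256_fingerprint(der_cert),
                               normalise_fingerprint(pinned_sha256))


def connect_pinned(host: str, port: int, pinned_sha256: str) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate matches
    the pinned fingerprint. Normal chain validation runs first during the
    handshake; the pin then defends against a validly signed impostor cert."""
    ctx = hardened_client_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                          server_hostname=host)
    try:
        if not fingerprint_matches(tls.getpeercert(binary_form=True), pinned_sha256):
            raise ssl.SSLError("leaf certificate does not match pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls
```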