Ever since the recent Snowden leak revealed that the NSA has the ability to bypass most online encryption I got to thinking about how they would do that. I also wondered if the SSL protected websites I manage were secure from their eavesdropping. I think the answer is yes, they are still secure, and here's why.
The leak said that the NSA is able to break some encryption, but they mostly collude with companies to bypass the encryption altogether. In a recent report from Slate, they specifically named Google as one of the companies that the NSA uses for man in the middle attacks. From that article:
Now, documents published by Fantastico appear to show that, far from “cracking” SSL encryption—a commonly used protocol that shows up in your browser as HTTPS—the spy agencies have been forced to resort to so-called “man-in-the-middle” attacks to circumvent the encryption by impersonating security certificates in order to intercept data.Okay, so now we know that the NSA can impersonate Google's SSL certificates. How do they do it though? First take a look at this:
Prior to the increased adoption of SSL in recent years, government spies would have been able to covertly siphon emails and other data in unencrypted format straight off of Internet cables with little difficulty. SSL encryption seriously dented that capability and was likely a factor in why the NSA started the PRISM Internet surveillance program, which involves obtaining data from Internet companies directly.
However, in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
If you go to https://www.google.com you can check the certificate as shown above. You will see one interesting detail, and that is that Google is their own certificate authority and therefore can hand out certificates to whomever they want... Including the NSA.
Guess what, Microsoft (Also named in the original Prism leak) does the same thing:
So there you have it, I think it's safe to say that the way they bypass encryption, at least for Google and Microsoft users, is by obtaining certificates from Google's and Microsoft's certificate authorities and use them for man in the middle attacks. If the NSA has agreements with other certificate authorities like Verisign or Comodo, that remains to be seen, but neither of those companies were named in Snowden's leaks.
What do you think about this? Let us know in the comments.