Feeds

Now we know why UK spooks simply shrugged at SSL encryption

HTTPS thwarting spies, web filters? They already had ways of breaking the code

High performance access to file storage

Analysis In July 2012, Britain's top spook Charles Farr made a rare public appearance: sat across a table from MPs in Parliament, he was quizzed by backbenchers scrutinising Home Secretary Theresa May's widely criticised plan to snoop on Brits' internet connections.

At the time, the government was trying to get politicos to agree that there was a solid case for massively increasing the surveillance of our online activities by granting the police and intelligence agencies in Blighty greater spying powers.

It was the latest Home Office push to hand more control to the likes of the UK's eavesdropping nerve-centre - the Government Communications Headquarters (GCHQ). And readers of these pages will be only too familiar with the regular attempts by successive administrations over more than a decade to write legislation that allows British spies to have deep access to our online communications, much like they already do with our telephone system.

All the while, technology companies have insisted that systems that protect sensitive information - such as credit card details and passwords - while in transit over the net are largely secure. Websites, VPN gear and similar online services that ordinary punters use to buy goods, send emails and share pictures rely on the TLS/SSL encryption protocol to keep data beyond the reach of eavesdroppers.

In the last two years, some of the biggest internet players including Google, Yahoo!, Microsoft and Facebook have all enabled SSL, switching their web communications to HTTPS.

The tech titans hoped the move would reassure their users that their in-transit data is safe. Now we've learnt that America's NSA has poured hundreds of millions of dollars into mathematically cracking, or otherwise ruthlessly undermining, the protocol family and related crypto technologies.

If the agency can't use maths to decrypt data, it can turn to backdoors in equipment and flaws in algorithms it helped plant, or ask the root certificate authorities for their secret keys, in order to snaffle the information.

Quite recently, Wikipedia founder Jimmy Wales - who has increased his lobbying against various aspects of UK government policy in the past year - reasserted that his online encyclopaedia will encrypt its connections in the wake of revelations from one-time NSA sysadmin Edward Snowden, who blew the whistle on spooks' activities on both sides of the Atlantic.

Jimbo said in August that Wikipedia would start using HTTPS by default on its site once it overcomes some problems with how its "current architecture" fails to handle the secure protocol.

Logged in users should now be redirected to HTTPS. But there is no timescale set for when the website will be encrypted for all its visitors. Jimbo insisted at the time that it was "highly unlikely" that US spooks could decrypt HTTPS.

But last night the New York Times and allied publications reported that Brit spooks and their American counterparts at the National Security Agency had in fact been doing what was expected of them: breaking encryption.

And included on that list was the trusted SSL protocol - which is used throughout the world to "secure" websites where personal data is carried across the net.

But should we really be that surprised that the NSA claims it can bypass that security? The clues were arguably there to show that such everyday access was already largely in play.

Hidden in plain sight

One need only sift through the evidence from the joint select committee hearings in 2012 that looked painstakingly over May's now shelved Communications Data bill, dubbed colloquially as the Snoopers' Charter, to recognise the level of complacency on display around matters such as SSL.

Just as Facebook and chums were switching to HTTPS by default, Britain's security services were showing little signs of discomfort with the move.

Politically, at least, it was an opportunity for May to argue the case for beefing up spooks' communications access powers. But Farr and other top-ranking Home Office officials did not complain about how their online surveillance work might be deeply disrupted by sites shifting to SSL. The g-men shrugged off Brits encrypting their network traffic, a move that should have have hampered or halted the analysis of said communications.

Here's one such exchange from 10 July 2012 [PDF] between Tory MP Stephen Mosley and Director of Communications Capability Directorate Richard Alcock:

Stephen Mosley: When it comes to cryptic communication, for instance, SSL or something, the encrypted communications data might be in the content of that communication. How is that classified?

Richard Alcock: Through the Bill, we will only be able to store communications data. The means by which we access communications data, our preferred route, will be working in partnership with the communications service providers, who will hold unencrypted data on their own services, i.e. the services that they are providing for their customers. We will be working with them to retain, in some cases, some aspects of communications data and, in that case, it is very easy to separate content from CD [communications data]. Though I must stress, through the Bill it is illegal for us to collect content. We will only be able to retrieve and store communications data. We will not be applying any systems that cannot reliably extract CD from content through whatever data streams. So, in essence, by working with communications service providers, we can ensure a very reliable means by which we can ensure that we only collect communications data and store that appropriately.

Tellingly, Farr then added this response to whether internet security protocols such as SSL was actually "an issue at all." He told the MPs:

We have already, of course, relations with many, but by no means all, overseas providers, including those who are household names and are the big suppliers into this country. We have that relationship, for all sorts of reasons, under existing legislation. Those relationships are co-operative and collaborative and, as some of those providers have made clear, they provide data, to the extent that they can — I would emphasise that — in accordance with existing legislation.

It is our hope and expectation that that collaborative relationship would continue and it would be part of the purpose of this legislation to facilitate that wherever we can. You are right, however, that the obligations do apply to overseas providers and in the event, which I regard as unlikely, that co-operation was not possible, an enforcement route would be open to Ministers, if they chose to exercise it, through civil action. This would apply as much to overseas providers as to domestic providers. I emphasise that is not the purpose of this legislation. The purpose is to facilitate a collaborative, co-operative relationship, building on the relationships that we have already.

Indeed, one of the key points raised in the latest revelations from the NYT and others is that spooks, without naming names, were "collaborating with technology companies in the United States and abroad to build entry points into their products".

As our American cousins might put it: you do the math.

BT refuses to attack its security guru for working with Snowden

Bruce Schneier, who is one of the world's most respected security experts, has been working directly with journalists on the latest revelations from Snowden. As part of that collaboration, the Guardian published an essay by Schneier in which he called for people who helped the NSA build backdoors into internet technologies to come forward and blow the whistle.

Meanwhile, the crypto boffin said on his blog: "Basically, the NSA is able to decrypt most of the internet. They're doing it primarily by cheating, not by mathematics."

One of Schneier's day jobs is a critical one for telecoms in the UK: he is BT's security futurologist.

The Register asked BT if Schneier's direct involvement with Snowden in any way compromised the one-time national telco's position. BT told us: "These are Bruce’s personal views." ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.