Now we know why UK spooks simply shrugged at SSL encryption

HTTPS thwarting spies, web filters? They already had ways of breaking the code

Mobile application security vulnerability report

Analysis In July 2012, Britain's top spook Charles Farr made a rare public appearance: sat across a table from MPs in Parliament, he was quizzed by backbenchers scrutinising Home Secretary Theresa May's widely criticised plan to snoop on Brits' internet connections.

At the time, the government was trying to get politicos to agree that there was a solid case for massively increasing the surveillance of our online activities by granting the police and intelligence agencies in Blighty greater spying powers.

It was the latest Home Office push to hand more control to the likes of the UK's eavesdropping nerve-centre - the Government Communications Headquarters (GCHQ). And readers of these pages will be only too familiar with the regular attempts by successive administrations over more than a decade to write legislation that allows British spies to have deep access to our online communications, much like they already do with our telephone system.

All the while, technology companies have insisted that systems that protect sensitive information - such as credit card details and passwords - while in transit over the net are largely secure. Websites, VPN gear and similar online services that ordinary punters use to buy goods, send emails and share pictures rely on the TLS/SSL encryption protocol to keep data beyond the reach of eavesdroppers.

In the last two years, some of the biggest internet players including Google, Yahoo!, Microsoft and Facebook have all enabled SSL, switching their web communications to HTTPS.

The tech titans hoped the move would reassure their users that their in-transit data is safe. Now we've learnt that America's NSA has poured hundreds of millions of dollars into mathematically cracking, or otherwise ruthlessly undermining, the protocol family and related crypto technologies.

If the agency can't use maths to decrypt data, it can turn to backdoors in equipment and flaws in algorithms it helped plant, or ask the root certificate authorities for their secret keys, in order to snaffle the information.

Quite recently, Wikipedia founder Jimmy Wales - who has increased his lobbying against various aspects of UK government policy in the past year - reasserted that his online encyclopaedia will encrypt its connections in the wake of revelations from one-time NSA sysadmin Edward Snowden, who blew the whistle on spooks' activities on both sides of the Atlantic.

Jimbo said in August that Wikipedia would start using HTTPS by default on its site once it overcomes some problems with how its "current architecture" fails to handle the secure protocol.

Logged in users should now be redirected to HTTPS. But there is no timescale set for when the website will be encrypted for all its visitors. Jimbo insisted at the time that it was "highly unlikely" that US spooks could decrypt HTTPS.

But last night the New York Times and allied publications reported that Brit spooks and their American counterparts at the National Security Agency had in fact been doing what was expected of them: breaking encryption.

And included on that list was the trusted SSL protocol - which is used throughout the world to "secure" websites where personal data is carried across the net.

But should we really be that surprised that the NSA claims it can bypass that security? The clues were arguably there to show that such everyday access was already largely in play.

Hidden in plain sight

One need only sift through the evidence from the joint select committee hearings in 2012 that looked painstakingly over May's now shelved Communications Data bill, dubbed colloquially as the Snoopers' Charter, to recognise the level of complacency on display around matters such as SSL.

Just as Facebook and chums were switching to HTTPS by default, Britain's security services were showing little signs of discomfort with the move.

Politically, at least, it was an opportunity for May to argue the case for beefing up spooks' communications access powers. But Farr and other top-ranking Home Office officials did not complain about how their online surveillance work might be deeply disrupted by sites shifting to SSL. The g-men shrugged off Brits encrypting their network traffic, a move that should have have hampered or halted the analysis of said communications.

Here's one such exchange from 10 July 2012 [PDF] between Tory MP Stephen Mosley and Director of Communications Capability Directorate Richard Alcock:

Stephen Mosley: When it comes to cryptic communication, for instance, SSL or something, the encrypted communications data might be in the content of that communication. How is that classified?

Richard Alcock: Through the Bill, we will only be able to store communications data. The means by which we access communications data, our preferred route, will be working in partnership with the communications service providers, who will hold unencrypted data on their own services, i.e. the services that they are providing for their customers. We will be working with them to retain, in some cases, some aspects of communications data and, in that case, it is very easy to separate content from CD [communications data]. Though I must stress, through the Bill it is illegal for us to collect content. We will only be able to retrieve and store communications data. We will not be applying any systems that cannot reliably extract CD from content through whatever data streams. So, in essence, by working with communications service providers, we can ensure a very reliable means by which we can ensure that we only collect communications data and store that appropriately.

Tellingly, Farr then added this response to whether internet security protocols such as SSL was actually "an issue at all." He told the MPs:

We have already, of course, relations with many, but by no means all, overseas providers, including those who are household names and are the big suppliers into this country. We have that relationship, for all sorts of reasons, under existing legislation. Those relationships are co-operative and collaborative and, as some of those providers have made clear, they provide data, to the extent that they can — I would emphasise that — in accordance with existing legislation.

It is our hope and expectation that that collaborative relationship would continue and it would be part of the purpose of this legislation to facilitate that wherever we can. You are right, however, that the obligations do apply to overseas providers and in the event, which I regard as unlikely, that co-operation was not possible, an enforcement route would be open to Ministers, if they chose to exercise it, through civil action. This would apply as much to overseas providers as to domestic providers. I emphasise that is not the purpose of this legislation. The purpose is to facilitate a collaborative, co-operative relationship, building on the relationships that we have already.

Indeed, one of the key points raised in the latest revelations from the NYT and others is that spooks, without naming names, were "collaborating with technology companies in the United States and abroad to build entry points into their products".

As our American cousins might put it: you do the math.

BT refuses to attack its security guru for working with Snowden

Bruce Schneier, who is one of the world's most respected security experts, has been working directly with journalists on the latest revelations from Snowden. As part of that collaboration, the Guardian published an essay by Schneier in which he called for people who helped the NSA build backdoors into internet technologies to come forward and blow the whistle.

Meanwhile, the crypto boffin said on his blog: "Basically, the NSA is able to decrypt most of the internet. They're doing it primarily by cheating, not by mathematics."

One of Schneier's day jobs is a critical one for telecoms in the UK: he is BT's security futurologist.

The Register asked BT if Schneier's direct involvement with Snowden in any way compromised the one-time national telco's position. BT told us: "These are Bruce’s personal views." ®

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
Adam Afriyie MP: Smart meters are NOT so smart
Mega-costly gas 'n' 'leccy totting-up tech not worth it - Tory MP
Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
'Greenhouse effect is real, but as for the rest of it ...'
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.