- dotTech - http://dottech.org -

HTTPS is no longer safe: US government is pressuring companies to provide access to secret encryption keys, according to report

[Image: brass padlock]

US government agencies are not completely satisfied with the fact that they have unhindered access to sensitive information from citizens [2]. Apparently, they’ve also attempted — and are continually attempting — to acquire master encryption keys which would afford them access to otherwise secure material. You know, the encryption keys used to make HTTPS and SSL connections secure.

Without discussing the technology in full detail, asymmetric encryption — the type of encryption used for secure online connections such as HTTPS and SSL — is secure from prying eyes and increasingly difficult to crack because of its public-key/private-key architecture. The combination of a public key and a private key is what keeps connections secure.

Of the two keys, the private key is the more important because it is kept hidden and safe and is used to authenticate a connection and ensure it is indeed secure. It is these private keys that US government agencies, such as the NSA and FBI, want access to from each tech company (each tech company has its own keys, because private keys differ from connection to connection). These are what the report dubs master encryption keys: if the NSA and FBI were given access to the private keys, they would be able to decrypt internet connections as necessary and gain direct access to data. In other words, they would render HTTPS useless.

Believe it or not, encryption was never adopted to protect data and sensitive information from government agencies. Instead, it was widely adopted because of how many people use open and unsecured wireless access points. Of course, there are other underlying reasons why it was so widely adopted, but the fact is the industry followed along these lines: Internet companies began using HTTPS/SSL encryption standards more regularly to protect users. But by protecting users, tech companies are also denying access to federal agencies, because while it is possible to crack these private keys if you have enough computing power, doing so is practically infeasible due to their length and complexity… which is why HTTPS is a pillar of the web when it comes to secure transactions.
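To make the point above concrete, here is an added example (not code from the dotTech article or from CNET's report) modelling the key exchange the article describes: the client encrypts a fresh session key to the server's public key, and whoever holds the server's private key can recover that session key from a captured handshake. It also goes slightly beyond the article by showing, for contrast, an ephemeral Diffie-Hellman exchange in which no long-term private key is involved in deriving the secret, so there is nothing of that kind to hand over. Everything here is a textbook toy: unpadded RSA, small keys, a randomly chosen prime as the DH group, and the function names are this example's own.

```python
# Added example: toy model of why a server's private key undoes HTTPS when the
# session key is transported under that key. Textbook RSA, no padding, small
# keys and a non-standard DH group: illustration only, never for real use.
import random
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits=512):
    """Return ((n, e), (n, d)); (n, d) is the private key the article is about."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def rsa_key_transport(server_pub):
    """Client side of RSA key transport: pick a 128-bit session key and encrypt
    it to the server's public key. Returns (session_key, ciphertext on the wire)."""
    session_key = secrets.randbits(128)
    return session_key, rsa_encrypt(server_pub, session_key)


def recover_session_key(captured_ciphertext, leaked_priv):
    """What any third party holding the server's private key can do with a
    captured handshake: recover the session key, and with it the whole session."""
    return rsa_decrypt(leaked_priv, captured_ciphertext)


def ephemeral_dh(p, g):
    """Ephemeral Diffie-Hellman over a toy group. The shared secret never crosses
    the wire and no long-term private key is used to derive it, so the values
    (A, B) seen on the wire are all a key-holding eavesdropper gets."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return pow(B, a, p), pow(A, b, p), (A, B)


def demo():
    """Run both exchanges and report what a private-key holder learns."""
    server_pub, server_priv = generate_rsa_keypair()
    session_key, on_the_wire = rsa_key_transport(server_pub)
    leaked = recover_session_key(on_the_wire, server_priv)
    client_secret, server_secret, _ = ephemeral_dh(random_prime(256), 2)
    return {
        "rsa_private_key_recovers_session": leaked == session_key,
        "dh_parties_agree": client_secret == server_secret,
    }


if __name__ == "__main__":
    print(demo())
```

With static RSA key transport, every session ever captured falls to the same private key; with the ephemeral exchange, agreement between the two parties holds without any long-term secret being involved, which is the property that removes the value of demanding the server's key.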

The previously undisclosed efforts by government agencies to obtain master encryption keys have since been exposed thanks to recent coverage. Anonymous sources confirmed to CNET that the government has continuously attempted to obtain such keys from a wide variety of companies. The source further claims that agencies are targeting smaller companies which do not have the resources to fight such demands:

“The government is definitely demanding SSL keys from providers.

I believe the government is beating up on the little guys. The government’s view is that anything we can think of, we can compel you to do.”

A former US Justice Department official spoke to CNET and claimed the following:

“The requests are coming because the Internet is very rapidly changing to an encrypted model. SSL has really impacted the capability of U.S. law enforcement. They’re now going to the ultimate application layer provider.”

Several requests for more information from prominent tech companies like Facebook, Google, Apple, and Verizon turned up nothing. In fact, a lot of them declined to comment on the matter when pressed. However, several documents leaked by Edward Snowden point to a possibility that the government has requested access to such tools in the past.

Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society, says that despite some of the evidence, it’s not exactly clear whether or not the government has the authority to request master encryption keys. Granick commented on whether or not they can:

“That’s an unanswered question. We don’t know whether you can be compelled to do that or not.”

Apparently the government has used subpoenas to request access to master encryption keys in the past, but sources say they are not sure whether companies would (or have) actually turned over such keys.

To quickly summarize, the possibility is definitely there, but the reality is shrouded in uncertainty. Looking at this from a logical standpoint, and considering what the government already has access to, what is truly stopping agencies and tech companies from sharing such information? If they were indeed sharing master encryption keys, is it likely that they would ever admit to doing so? I’m not trying to incite riots or make ridiculous claims here, but come on. At this point we have to approach the news without a glaze over our eyes and consider the possibility that governments (and businesses) around the world aren’t always open and honest… despite being “by the people, for the people”.

What do you think about the general situation? If you care to read more on the subject please be sure to visit the via link below. By all means, I certainly encourage you to read more at your convenience.

[via CNET [3], image via Wickes [4]]