Who's trying to fix the NSA back door in SSL?
December 21, 2013 7:18 PM   Subscribe

In some of the Edward Snowden articles they mentioned that the NSA put back doors into web standards like SSL. Is anyone trying to find them? What the latest news about it?
posted by cupcake1337 to Technology (4 answers total) 7 users marked this as a favorite
http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/ they are still working on it depending on who you ask.
posted by TheAdamist at 7:47 PM on December 21, 2013

The browser vendors like Mozilla (disclosure: my employer) and Google are modifying their browsers to use stronger encryption algorithms by default, and publishing guidelines promoting better SSL deployment on the server side, and promoting Perfect Forward Secrecy which limits the ability of attackers like the NSA to record encrypted traffic and decrypt it at a later date with a leaked/stolen/subpoenaed key.
posted by mbrubeck at 8:45 PM on December 21, 2013 [2 favorites]

Apart from known issues around the NSA's design and promotion of Dual_EC_DRBG (which had always been suspicious, was never widely used, and was immediately withdrawn), there appears to be very little fear about security holes and backdoors in the algorithms themselves. Snowden himself says:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
The IETF is looking at way to re-design protocols to be make NSA-style eavesdropping far harder. Here's a good overview of the current arguments going on.
posted by grahamparks at 1:11 PM on December 22, 2013 [1 favorite]

It's also worth noting that the implementation of Dual EC_DRBG in openSSL, a very common encryption library, was broken in such a way that it would crash if it was used. Nobody was even trying to use the backdoored RNG.
posted by borkencode at 2:27 PM on December 23, 2013

« Older Help me learn how to collaborate with programmers!   |   How do I get a test specialist job with IBM? Newer »
This thread is closed to new comments.