This is a bit of a follow-up to yesterday's post on how NSA hacks into e-mail accounts. The information comes courtesy of a talk I had with the ACLU's Chris Sogohoian, who is probably one of the leading intellectual forces probing the intersection of technology, privacy and surveillance. (If I've gotten any of it wrong, it's on me, not him.)
Let's call it the Yahoo problem.
SEE ALSO: Why a bunch of dead bees is terrible news for the economy
Google and most other Internet content providers use SSL, a protocol that encrypts data as it passes through a network.
Yahoo does not use SSL encryption by default.
SEE ALSO: WATCH: Ashton Kutcher's unconvincing Steve Jobs impression in the Jobs trailer
Yahoo users communicate with other Yahoo users are sending their data through the networks without encryption. (If they're savvy enough, they can, as of January 2013, enable it, but, honestly, how many Americans know what SSL actually is?)
Ok, you might be saying to yourself: I don't use Yahoo. I use Gmail.
SEE ALSO: WATCH: Paula Deen apologizes for saying the N-word [Updated]
But many Gmail users send e-mail messages to Yahoo users.
So when a Yahoo communication communicates with a Google communication, by default, it can't be encrypted unless the Yahoo sender has enabled encryption, which, again, requires a basic understanding of why doing so would be worth the time.)
SEE ALSO: 4 secret societies you probably don't know about
If someone wanted to tap into Google to Yahoo communications, she could do so by finding a place on the fiber optic wire that the electrons zip through, tap in, and simply read and see everything in real-time.
This is why, incidentally, you need to make sure to use the "https" indicator whenever you're using public Wifi; it's very easy to for malevolent folks to sniff data from unsuspecting users at Starbucks, and then exploit it for all sorts of nefarious purposes.
SEE ALSO: The last word: He said he was leaving. She ignored him.
Why doesn't Yahoo make SSL the default? Cost, maybe. Or maybe, since the NSA acquires unencrypted Yahoo e-mail in bulk overseas, it doesn't want to give the government a reason to serve Yahoo with a lot of FISA orders and requests. Don't ask, don't tell. There is also a tradeoff of sorts.
Google has been a leader in the field of forcefully and willfully adding security to its communications over time. Microsoft, Yahoo and other internet firms have followed Google's lead in many instances.
SEE ALSO: Why the British gave up looking for UFOs
Where Google leads today in the practice of only certifying a specific set of certifying authorities, or transactional middlemen, who give both ends of a communication a measure of security by verifying that the sender of a communication is indeed the sender who sent it.
Chrome browers are embedded with a list of certificates that Google has pre-cleared, in essence, for use with its own e-mail and content. These are stored locally and checked against the certificates that Google has already validated for the pipeline in question.
SEE ALSO: NSA's motherlode
Think of this way. Certifying Authorities are the friendly patrol officers on the net. You are an e-mail. You need to find an officer to escort you somewhere else. So you interrogate the officer you find. Is he a real officer? Does he have credentials? Do you recognize him? If the answer is yes, then you let him be your escort. If the answer is "no," then you run to the police station and make a complain. This is how Google's certificate pinning is supposed to work. It makes sure that the patrol officer's name is the same name that's on his police badge, and also makes sure that the police officer is a legitimate part of the force and is working the right beat at the right time.
Of course, a lot of content providers don't make sure that the police officers escorting their messages through the Internet are actually the ones who are supposed to be there. They accept most of the 400-or so certifying authorities. Valid sites might their certificates expire, and most browsers won't interrupt your experience with this news unless you ask it to. It's hard, but not impossible, to hack into a certifying authority and pose as someone you're not.
SEE ALSO: The 6-year-old who woke up from a coma with a different personality
One reason why Google leads on certifying authorities is because they were burned by a fake one in 2011. Google caught hackers in the act because a user in Iran complained to the company that his browser was having difficulty accepting the certificate. That's because the certificate was being spoofed by hackers associated with the government. They managed to burrow into the servers of a small Dutch certifying authority used mainly by the Dutch government. Using the fake certificate, the Iranian government could easily read real-time communication from 250,000 Gmail users inside the country.
The Internet is much larger than Google mail or website content, so what researchers like to call the "SSL certificate vulnerability" ought to be an urgent matter for companies to work together to fix.
SEE ALSO: 4 bizarre plastic surgery trends that somehow exist
I'll end with this paradox.
The more secure a system is, the harder it is for the government to hack into.
SEE ALSO: The strange homicide case linked to Patriots star Aaron Hernandez [Updated]
If all the world's gatekeepers used SSL and certificate pinning, the NSA would not be able to collect nearly as much digital communications as they do now. (There are ways to break SSL, but it is not scalable and requires midstream collection. See here:)
View this article on TheWeek.com Get 4 Free Issues of The Week
More from The Week:
Like The Week on Facebook?-?Follow The Week on Twitter?-?Sign-up for The Week's Daily Newsletter
Source: http://news.yahoo.com/insecure-internet-154300126.html
robin thicke mariana trench transcendental meditation trayvon martin obama care miss universe canada don draper
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.