SSL vs. TLS: The Future of Data Encryption

[Guest]

Secure Socket Layer (SSL) protocol is responsible for keeping a lot of your online data secure, and the NSA has likely already cracked it.

SSL vs. TLS: The Future of Data Encryption : Read more

 

[MajinCry]

There is plenty that users can do to stop the NSA, just nothing that can be achieved by sitting in your chair.

Hell, get a bunch of people, go up to the NSA's HQ and burn it to the ground; workers and all.

Sure, that's only one head of the Hydra, but ya gotta start somewhere.

 

[koga73]

Bah the problem with BOTH is the handshake. If the traffic goes through an NSA server then they have the handshake which means they have the decryption keys. From this point its pretty easy to get the plain-text message.

 

[merikafyeah]

Even if you see the padlock, it doesn't mean you're secure:
https/www.grc.com/fingerprints.htm

You have to check the site's fingerprints in order to be (reasonably) certain that your secure line is not being intercepted.

 

[agnickolov]

While SSL/TLS can be used with certificates on both ends, in practice this is very very rare. Servers typically don't care who their clients are thus they don't request client certificates. This is actually a good thing, otherwise the system would be unusable by the average user. Not to mention the client costs to maintain a certificate would make it financially completely impractical.

As far as snooping the SSL handshake, that won't gain you anything unless you know how to break the underlying cipher or have the server private key already. As mentioned in a few recent articles already, the underlying AES cipher is still mathematically sound, though the older 128 bit keys slowly get less and less secure primarily through computational advances enabling brute force attacks. I expect 128-bit AES to be completely replaced within 10 years with more critical deployments already switching to 256-bit keys.

 

[ammaross]

"As far as snooping the SSL handshake, that won't gain you anything unless you know how to break the underlying cipher or have the server private key already."

According to the reports, that is EXACTLY how the NSA has "hacked" SSL: by obtaining the private keys through force or subterfuge (you think China is the only country to hack American companies?).

 

[dark_knight33]

@MajinCry

I live within view of Fort Meade, aka NSA HQ. It's not one building, it's a compound. Your choice of entrances are either Military guard posts at FT Meade's front gates, or off-ramps from local highways that are guarded 24x7 by MD state troopers. You wouldn't make it close enough to do anything of consequence.

The NSA is no joke. Given the current climate of fear and paranoia out there by both the populace and especially the NSA, I wouldn't make even moderately threatening statements towards them, lest you get labeled a domestic terrorist.