Data, meet spies: The unfinished state of Web crypto

Many large Web companies have failed to adopt a decades-old encryption technology to safeguard confidential user communications. Google is a rare exception, and Facebook is about to follow suit.
Revelations about the National Security Agency's surveillance abilities have highlighted shortcomings in many Internet companies' security practices that can expose users' confidential communications to government eavesdroppers.
Secret government files leaked by Edward Snowden outline a U.S. and U.K. surveillance apparatus that's able to vacuum up domestic and international data flows by the exabyte. One classified document describes "collection of communications on fiber cables and infrastructure as data flows past," and another refers to the NSA's network-based surveillance of Microsoft's Hotmail servers.
Most Internet companies, however, do not use an privacy-protective encryption technique that has existed for over 20 years -- it's called forward secrecy -- that cleverly encodes Web browsing and Web e-mail in a way that frustrates fiber taps by national governments.
Lack of adoption by Apple, Twitter, Microsoft, Yahoo, AOL and others is probably due to "performance concerns and not valuing forward secrecy enough," says Ivan Ristic, director of engineering at the cloud security firm Qualys. Google, by contrast, adopted it two years ago.
Traditionally, "https" Web links have used a single master encryption key to encode hundreds of millions of user connections. That creates an obvious vulnerability: an eavesdropper who obtains that master key can decrypt and peruse millions of supposedly private connections and conversations
Source and read more:


0 yorum: