Is encryption broken? REDUX
I spent the days between Christmas and New Year's in Hamburg, at the Chaos Communication Congress. I had a fantastic time as usual, and there were a lot of great discussions and talks. I wanted to quickly cover the new revelations that Jake Appelbaum and Laura Poitras dropped on us on the Sunday evening. The video can be found here. At the same time, Der Spiegel published two articles about this subject. They also dropped over 600 pages of documents from the Snowden archive about these subjects.
There were a lot of potentially scary pieces in these documents and the presentation. An observer might want to ask whether encryption is broken and whether we should give up right now. I would like to put some context on some of these findings based on a few days of thinking and talking about these revelations. What does it all really mean?
Let us begin with the really simple pieces. Skype is completely broken, and has been for a significant amount of time. This shouldn't come as a surprise - the truth is we should trust Skype as much as we trust a postcard for keeping our information secret. Another one that is problematic is the VPN technology called PPTP - this should never be used because it is completely broken.
The more dangerous thing seems to be that a lot of other VPN technologies are also in one way or another broken. If you depend on VPNs for security, you should be fairly careful - and compose it with other encryption in order to be a bit safer.
Let's take a break and talk about some of the good news. Tor still seems to cause a lot of problems for intelligence services - and Tails is even better. This confirms our hopes. Of course, the intelligence services are working to break Tor and Tails, and they are trying out a lot of different methods for this. However, it doesn't seem to have been successful so far.
It also seems that the intelligence services aren't attacking AES very successfully. Of course they have studies and methods against it, but not to a very large degree, and nothing that seems like real breaks.
OK, what about SSL/TLS then? It's a bit more unclear. They definitely seem to be doing some decrypts of SSL/TLS traffic, but it's still unclear if this is something they do by stealing keys from providers, doing man-in-the-middle attacks with fake certificates, directly breaking some crypto in real time, or anything in between. Occam's razor tells us that we should assume that mostly, no major breaks are involved, although I wouldn't be surprised if, say, RC4 can be decrypted on the fly.
So what about SSH? This one is potentially scary. The real problem is that the published documents don't contain all the information that the journalists used to come to the conclusion that some SSH is broken. After talking with some of them about this, it seems that they don't know exactly what is broken and what is not - it's unclear. However, it seems to indicate that there are specific issues. Not all SSH connections can be decrypted. So what can happen? Well, first a MITM attack can be used. People don't necessarily always check the fingerprints. There could be a weakness in one of the algorithms used, but this is not very likely, since most of them are used in other settings where they seem to be secure. The most likely thing is that there is a vulnerability in one of the specific implementations of SSH. And I hear that this could have to do with how the intelligence services steal keys for VPN appliances and things like that. So, in other words, it doesn't seem like the SSH breaks are against your server or client machine SSH. How can you protect yourself? Use layers. The easiest way is to expose your SSH over a Tor hidden service and connect to that.
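As an added example of the two defences mentioned above (layering SSH over a Tor hidden service, and actually checking the host key fingerprint), here is a small shell script that emits the server-side torrc and sshd_config fragments, the client-side ssh_config stanza, and a fingerprint comparison. This is not code from the original post; it assumes Tor's SOCKS port is on 127.0.0.1:9050, that the client has the OpenBSD netcat (the one with `-x`/`-X`), and that the .onion name and fingerprint are placeholders you replace with values obtained out of band from the server operator.

```shell
#!/bin/sh
# Added example (not from the original post): publish SSH only as a Tor
# hidden service and pin the server's host key on the client.
# Assumptions: Tor SOCKS on 127.0.0.1:9050, OpenBSD netcat on the client,
# and placeholder .onion name / fingerprint supplied by the caller.
set -eu

# Server side, /etc/tor/torrc: map port 22 of the hidden service onto
# an sshd that listens on loopback only.
torrc_hidden_service() {
    cat <<'EOF'
HiddenServiceDir /var/lib/tor/ssh_hidden_service/
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Server side, /etc/ssh/sshd_config: bind to loopback so the only path
# to sshd is through Tor, and turn off password logins.
sshd_config_loopback_only() {
    cat <<'EOF'
ListenAddress 127.0.0.1
PasswordAuthentication no
EOF
}

# Client side, ~/.ssh/config: route the TCP connection through Tor's
# SOCKS5 port and refuse to connect unless the host key is already pinned
# in a dedicated known_hosts file.
# $1 = .onion hostname (placeholder), $2 = alias used as "ssh <alias>".
ssh_client_config() {
    onion="$1"
    alias_name="$2"
    cat <<EOF
Host $alias_name
    HostName $onion
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_onion
    IdentitiesOnly yes
EOF
}

# Compare the fingerprint printed by "ssh-keygen -lf <hostkey.pub>" on the
# server ($1, copied out of band) with what the client sees ($2).
# Returns 0 on match, 1 on mismatch. Do this before the first connection
# instead of blindly answering "yes" to the host key prompt.
verify_host_fingerprint() {
    published="$1"
    observed="$2"
    [ "$published" = "$observed" ]
}
```

Usage: append the output of `torrc_hidden_service` and `sshd_config_loopback_only` on the server, restart tor and sshd, read the generated onion address from the hidden service directory, and put the output of `ssh_client_config <onion> <alias>` into the client's ssh config. Because `StrictHostKeyChecking yes` is set, the first connection fails until you add the server's host key to `~/.ssh/known_hosts_onion` yourself, which is exactly the step that forces the fingerprint check.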
Finally we come to OTR and GPG. The articles claim that these are safe. However, what the documents say is that there are circumstances where OTR and GPG were not possible to decrypt - that is not exactly the same thing. I would feel cautiously optimistic about these things - but we should be careful not to overstate the case. Security and crypto in depth is still very important, and every precaution will fall down if you make other mistakes or if the endpoint is owned.
Finally - nothing in here would really change our behaviour in most cases if we are doing things correctly already. Soft indications about how to build and think about systems are quite useful, though.