Say what you will about Edward Snowden, he opened the lid on an impressive can of worms, provided a look behind the scenes as to what’s happening with the government’s security protocols, and maybe allowed us to find a sensible middle ground when the dust finally clears.
As noted in a terrific Declan McCullagh article over on CNET, one of the effects of Snowden’s whistleblowing has been a new awareness not only in the lack of security as to the generally tried-and-true HTTPS protocol, but also a need for organizations to begin exploring forward secrecy. Per Snowden’s revelations, some of the largest (and most trusted) technology companies in the world stand roughly two decades behind in not adopting a forward secrecy policy and protocol. This, in turn, has left corporations like Apple, Twitter, Microsoft, Yahoo, AOL and others generally using HTTPS and similar methodologies that proved vulnerable to eavesdropping techniques wherein a single master key could be used to decode hundreds of Web-based transactions and exchanges.
Forward secrecy, on the other hand, allows for temporary use of, not one, but hundreds of cryptographic keys, each serving its purpose and going by the wayside afterward.
The end result of this hasn’t been pleasant, a leaked PRISM slide published by the Guardian newspaper showing an NSA data closet designed to catch “upstream” data by tapping into backbones of Internet service providers such as AT&T, CenturyLink, XO Communications, Verizon and Level 3, storing the encrypted data and then having all the time the agency could ever need to use brute-force decryption to access the data’s contents.
Where one can argue the good and evil of such a practice, it brings up the point that a switch to forward secrecy is advisable, though the devil is in the estimated costs to upgrade to such a protocol (at least 15% of the IT budget in some cases, with other estimates pointing even higher). Far from meager, sums and the cost remains appreciable no matter which contractor you go with.
Still, Snowden’s efforts and those similar to it have brought the issue to light. We’ve all seen the HTTPS protocol appear when moving into a supposedly secure chunk of the Web—when we’ve purchased goods from Amazon or when we’ve made online banking transactions—and assumed it was good enough to protect both our privacy and our interests. By having forward secrecy come to the forefront, we can discuss it, focus the efforts of corporations, developers and the open source community on it, and bring the cost of adoption down to make it a cheaper, more viable protocol to adopt where it’s needed.
Not a terrible gift from a contractor with a guilty conscience who’s probably thoroughly sick of the Moscow International Airport’s food court and dodging the media hanging around there hoping for an interview with him.
In the near term—and I’ve got to thank McCullagh for this—you can adopt the right browser and move closer to a more secure protocol for the right-on price of free. A recent Netcraft survey found that different browsers “varied significantly” in terms of support for forward secrecy. Microsoft’s Internet Explorer, according to the survey, “does particularly poorly” and was generally unable to make a fully secure connection in accessing websites that employed more mainstream ciphers for forward secrecy. Apple’s Safari browser supported many of the ciphers used in forward secrecy, but would sometimes default to a less secure channel, while Firefox, Opera and Chrome performed better, according to the study.
In conclusion, good luck, stay safe and secure out there, and if there’s anything good that can come out of the whole NSA/PRISM ordeal, it’s that years of mistakes are out in the open—and ready to be learned from.