[Hat-tip: Karl Denninger-Market Ticker]
You may have read my previous post entitled “Tired of Snoopfest?” in which I outlined how to set up an extremely secure IPSEC/IKEv2 VPN that can encrypt data between device(s) of your choice and your home or office network.
What’s shown up recently, however, are some really bad and maybe even dangerously bad piece of advice on evading the snooping that goes on out there.
This article is intended to disabuse those notions. I’m going to use the following assumptions and note that I rely on them — if they’re wrong, then so are my conclusions!
- Modern cryptographic algorithms themselves are extremely secure. It is very unlikely that the NSA, for example, can break AES-256 in any sort of reasonable amount of time. Remember that we’re not the only nation with high-powered computers or mathematical geniuses — so anything that can be broken with those, can be broken by other than the US. And our military and other government agencies do need and use encryption.
- It is easier to attack your key, most of the time, than to attack your algorithm. That is, a crappy password is easily broken. A good password (1) does not contain dictionary words, (2) does contain upper and lower case letters, numbers and symbols, and (3) is used to seed a high-quality key generation algorithm. The last is hard to verify. The other two are under your control. Therefore, worry about #1 and #2.
- Open-source software beats closed source in the general sense. The reason for this is that smart people can look at it and if someone tries to play games with it to insert a “back door” it can be detected. With closed-source or worse, closed-service you’re trusting everyone involved to have not stabbed you in the back. As has been recently revealed this is a bad bet.
- If I can’t break your key generator or algorithm the easiest way to break your encryption is to coerce (bribe, blackmail, threaten to or actually pull off fingernails, etc) someone into giving me what I need to break it. This is usually overlooked but shouldn’t be. Push comes to shove, if I want your password I will get out the vice-grips, drill or hammer. It’s faster and cheaper than trying to break AES-256 by far. However, and this is critical, this is not only applied to you. More on that in a minute.
- You cannot trust any commercial entity or indeed anyone other than yourself to protect your data. Period.
- If you have to compromise absolute levels of trust then minimizing the number of such incursions grossly minimizes risk. In fact the odds of compromise go up exponentially with the number of points of exposure. Thus “one” is not half as bad as two, it’s 1/4 as bad — or less.
Ok, so let’s start demolishing fools.
First, “SSL” certificates and everything based on them are only as secure as the certificate authorities. What this means is that all commercially-issued certificates cannot be trusted. You must assume that every public CA hasgiven their private key to the NSA, either voluntarily or not-so-voluntarily.
This means that if you’re going to be using public-key cryptography of any sort, whether to authenticate or encrypt VPN traffic, to secure email, or to secure access over the Internet you must either be the CA or the CA that signs your certificate must be some entity you trust entirely.
No, Verisign does not count. I have no knowledge that their keys have been compromised but I am forced to assume that all of them have been, no matter who the CA is!
So you must generate your own certificate authority, publish the public key and make damn sure the private key is secured and not compromised.
The reason for this is that if I can interject myself in the middle of the conversation (as the NSA has to be assumed to be able to do) and I have compromised the CA I can replace your key with another one that allows me to decrypt the transmission and your browser or other tool will not detect it. I can then use the original certificate to send on the communication undetected. Since a web server doesn’t know who’s talking to it and thus doesn’t verify a machine certificate for the client and even if it did your key would probably be signed by a “public” CA there is no way for the server to detect the tampering.
Note that you can detect a server being attacked in this fashion if you connected to it before it was tampered with and if you saved its key fingerprint. That’s a lot of “ifs”, but if you did then you can detect that the fingerprint has changed. The problem is that there are perfectly-valid reasons for the fingerprint to change (the key expires and is replaced, the company changes its address, etc.) — but it at least can raise an alarm. Unfortunately browsers in general don’t flag this (nor should they) because the model presumes that CAs are trustworthy.
In short you cannot use any key that requires verification against a public CA because it can be spoofed by someone interjecting themselves in the middle if the CA has been compromised. Since we now have bald assertions that companies that have claimed to be secure have in fact cooperated with warrantless interception you can’t trust any of them.
This leaves you in a pretty rough spot. Specifically:
- Any web or other online service that relies on SSL using a certificate “vouched for” by a public CA has to be considered suspect. It doesn’t matter if the entity itself is trustworthy. This includes virtuallyall online services except for ones controlled by people you trust and who have given you their own CA key that validates their certificate. In practice this means that using “https” (the nice “lock” symbol) isprobably safe to use for shopping if you’re worried about a criminal stealing your credit card number. If your concern is that the government has a complete and true record of everything you did on the site you must assume the security value of https against a publicly-verified certificate is zero.
- S/Mime email cannot be considered secure if you got your keys, directly or indirectly, from a public CA. If you run your own CA then it is as secure as is the CA (you.) But this makes interoperability somewhat of a pain as verifying certificates forces correspondents to install your CA public key.
- PGP Email is probably secure. Because PGP does not rely on a key being vouched for by a central authority, there is nobody’s arm to twist. PGP Email is thus probably more secure than S/Mime using a public CA, and likely about equally secure as S/Mime with a private and trusted CA. PGP has a reasonably-robust and solid infrastructure for distributing public keys, but you have to submit yours. For email use you thus probably want to strongly prefer PGP over S/Mime.
- For files on your local PC, network or cellular device encryption of the device should be strongly encouraged. It can be a pain in the ass to use, however. I have no knowledge of the security afforded by things like Bitlocker, and given recent revelations I wouldn’t trust it. Truecrypt, on the other hand, is open source and therefore probably secure. Other open source solutions (E.g. GELI on FreeBSD, etc) are probably secure provided your key is good. Note that if your machine is “seized” while “in use” and powered up there exists the potential to extract the key. It’s not easy to do but if you’re a high-enough value target they very well may come prepared to do exactly that. Just remember that if you’re that high of a value target that the use of vice-grips and hammers is easier than cryogenics and other special equipment.
- For remote access to files or resources only a strong VPN should ever be used. This means OpenVPN or IPSEC/IKEv2 with machine certificate verification for the server with the CA being private, yours, and you having hand-loaded the CA public key on the remote device. If you’re using PPTP/LT2P or similarforget it. If you’re not going to use a machine certificate verified against your own private CA then you’re probably safer using a password with no machine verification at all!
- Remember that the security only goes as far as the encryption does. If you’re in a “free” Hotspot Internet cafe and have your phone out browsing, everything you do over the web is visible to anyone sitting in the same cafe (or within a few hundred feet of it.) If you VPN to your office network via IPSEC (secure) and then browse the Internet all you’ve done is force the bad guy to spy on your office connection instead of at the cafe.
- If you have a wireless router in your home or office and are not using WPA2/AES with astrong password, you’re screwed. WEP in particular is trivially breakable, usually within minutes. WPA2/AES is theoretically breakable but it requires a long time and a lot of connecting clients that are valid in order to glean enough pattern data to try to attack it, and even then it may fail. Machine certificates are even better but a serious pain in the ass to administer (since you have to load them on the client machines) but are something to consider.
- You cannot trust so-called “anonymous” networks such as TOR. There is no way to know if a given node is “clean” or compromised. There are a fairly-small number of high-bandwidth nodes in the TOR network, which means that the task of actually intercepting your traffic in terms of statistical probability isnot all that difficult. I have to assume that TOR is thus “secure” against a random website operator knowing I’m browsing their site but that if the government wants to track me using it, they not only can but probably already are.
- There is no such thing as a “chat”, “video chat” or “phone” (voice) network that can be considered secure except for true peer-to-peer where you know the certifying authority is secure. This, for all practical purposes, means that no online chat or “phone” application no matter which one it is, can be considered secure in today’s world. Sorry.
- All cloud services, no matter what they are and who runs them, other than your own personal cloud on your own hardware, must be considered compromised. There is no other reasonable posture to take at the present time. This means that nothing you care about ever goes on any cloud service from anyone unless the file is first encrypted with strong encryption. This explicitly includes all “cloud” storage services and all cloud computing resources. If you are a business using “cloud computing” for your operations given these revelations and facts you are a fool. Again, if you think the United States is the only nation doing what has been disclosed you’re stupid beyond words and deserve to have the Chinese steal everything on your so-called “secure” cloud service and use it.
Any compromise you make on the above is a bet not just on the government of today not wanting to do evil things to you but on all instances of the government from this day forward until you are dead.
Understand this well — the government is building a data center right now capable of storing everything they can grab that you do or any data you allow to leak out of your hands forever and they both are now and intend on a forward basis to do exactly that.
That data, once collected, will never be deleted. Your only defense against this is to not allow them to acquire the data in the first place, and that means the data has to be encrypted to the best of your ability at all times.
This won’t stop them from showing up with a warrant and seizing your computers. But it will stop them from taking and indefinitely storing your data without you knowing about it and without said warrant.
If you think this is nothing to worry about consider how many Jewish people had any clue that Hitler was going to come and start gassing them in the 1920s. That was less than 20 years before it happened!
Whatever you do today will be in that database 20 years from now.
Are you willing to count on the government NOT being evil – from today until the day you die?
THAT is the bet you’re making.