
Whether it's legal for them to ask for these SSL keys is unclear

The feds are trying to creep further into the personal lives of Web users by requesting master encryption keys from Internet companies. 

According to a new report from CNET, the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have both tried to obtain master encryption keys as part of their digital surveillance efforts, but there's a huge question as to whether they have the legal authority to do so. 

Master encryption keys are crucial to Web encryption. Using Secure Sockets Layer (SSL), they put the contents of Web communications into code that is tough to crack. If government agencies were to get their hands on these SSL keys, they could decode the content and peek into the lives of Internet users.

The NSA is also looking to get these SSL keys because it would allow for surveillance through its fiber taps, which are now heavily guarded by SSL.

SSL was originally put in place because of insecure and open Wi-Fi networks. Google adopted HTTPS (which appears in the browser to show that SSL is enabled) back in 2010 for Gmail, and Microsoft did the same for Hotmail. Later, in 2012, Facebook followed suit for its popular social network.

Now, these large Internet companies face the fear of government agencies trying to obtain the SSL keys and expose information on their users. Microsoft, Google and Facebook all said that they haven't given any SSL keys to the government, and agreed that they would fight against doing so. 

Other larger companies like Apple, Verizon, AT&T, Yahoo, Comcast and AOL haven't said if they've been asked for or have given SSL keys to the feds. 

But the larger companies fear that smaller Web establishments without deep pockets or a hefty legal department will give in to the government's requests for keys. 

SSL has certainly hindered the government's spying abilities, which is why they're coming directly to the source for the keys. But if all else fails, the feds have other avenues of getting what they need. For instance, companies like Packet Forensics help government agencies import "legitimate" copies of SSL keys -- which could possibly be obtained through a court order -- for spying on users. 

Speaking of a court order, it's not clear whether federal surveillance laws allow the government to ask for SSL keys -- even with subpoenas. Subpoenas call for gathering evidence related to an investigation, whereas SSL keys would seem to open up a treasure trove of data that may contain pieces of information relevant to an investigation, but likely far more that are not.

Source: CNET


Too little too late
By Ammohunt on 7/25/2013 7:59:06 PM , Rating: 5
Anyone who doesn't want their activities monitored will be using more than SSL to encrypt their actions thanks to Edward Snowden.

RE: Too little too late
By othercents on 7/26/2013 8:26:08 AM , Rating: 3
Vendors need to allow users to provide their public key for their encrypted traffic. This way the private key can be kept by the individual and away from the government. No more blanket requests to view everyone's information.

RE: Too little too late
By Shadowself on 7/26/2013 11:46:40 AM , Rating: 1
Are you seriously suggesting that every "https" type transmission between you and the provider be done with each and every individual's key pair? Do you have any idea the level of overhead that would require? Do you really expect Amazon to keep (and update every year or two) every customer's public key and use that -- and only that -- for each of the 10s (or more likely 100s) of thousands of concurrent sessions they have at any given moment?

It's a nice idea in theory, but the practical implementation could be a business killer.

Plus, this would work great for transmissions that Amazon (or other provider) sends to you as you and only you (in theory) would be able to decrypt the traffic sent to you. But what about what is sent to Amazon by you and encrypted with your private key? Anyone (even the U.S. Government who could get your public key by any number of means) could decrypt traffic that you send out. You realize that secure two way communications requires two key pairs, not one? All traffic is generated with the public key by the sender and is decrypted by the private key of the receiver. When the traffic goes the other way a different key pair is used.

Are you suggesting each provider (e.g., Amazon) create a unique key pair for each of its customers giving the customer the "public key" and the provider holding the unique private key for each customer so that traffic from the end user has to be decrypted with the "private" key assigned to that individual but kept solely by the provider? And what's to keep the provider from giving that "private" key to the U.S. Government just as easily as the generic keys they are using now?

I truly don't see how this would be a practical solution.

RE: Too little too late
By EricMartello on 7/26/2013 8:16:42 PM , Rating: 2
Are you seriously suggesting that every "https" type transmission between you and the provider be done with each and every individual's key pair? Do you have any idea the level of overhead that would require?

LOL it already is done that way, except that the "trust" is given to the server rather than the client. The server keeps a private key for itself and sends clients its public key.

If this process were reversed, then establishing an SSL connection would have the client send its public key to the server and the server would use that key to encrypt the data.

This would effectively phase out the necessity of having "Certificate Authorities" because users would generate their own self-signed key pairs and maintain their own private key.

The per-session increase in "overhead" would be limited to the inclusion of the client's public key to the session data...which may have been an issue when memory and storage space was limited, but is much less of an issue today. If your server is so limited, then you could request the public key from the client with each transaction so that you wouldn't need to store it locally on the server.

RE: Too little too late
By Argon18 on 7/26/2013 11:32:05 AM , Rating: 3
This is Obama's doing, not Snowden's. Obama ran for office on the promise of "transparent" government and "hope" for the people. He's done exactly the opposite though, locking down government, denying access, and spying on and oppressing the people. All who voted for this clown, I hope you're happy with this mess you chose.

RE: Too little too late
By Shadowself on 7/26/2013 11:48:12 AM , Rating: 1
Obama can be accused of nothing more than complicity.

The prior administration got the ball rolling. Obama's failure is that he has not stopped it.

RE: Too little too late
By fleshconsumed on 7/26/2013 12:00:41 PM , Rating: 5
I'm not going to defend Obama on this one, but all of these programs have been started under the Bush administration. If you're implying the Republican party is any better, it's not. More Republicans voted to keep the program funded than the Democrats. Your only choice is to vote third party or keep voting "none of the above". That might be the only thing that will send a message through.

RE: Too little too late
By Ammohunt on 7/26/2013 3:31:46 PM , Rating: 2
Voting for the Green party? Or maybe the Constitutional (Christian party)? Yeah, no thanks, we have enough problems without having people throw their votes away by voting for crackpots like Ron Paul.

RE: Too little too late
By PontiusP on 7/26/2013 6:57:53 PM , Rating: 2
Care to elaborate on how he's a crackpot? Let's see:

-Correctly called out the war on drugs for the catastrophic, expensive and violent failure that it is.

-Correctly called out our imperialist aggression abroad for the catastrophic, expensive and violent failure that it is.

-Correctly called the 2008 meltdown years before it happened because he knew a bubble was being blown by the government and the Federal Reserve.

-Correctly called out our cradle to grave social welfare state for the immoral theft that it is.

-Correctly called out our corporate welfare state for the immoral theft and misallocation of resources that it is.

The list goes on. He has been consistently right before, during, and after he was in office. Compare that with the rest of the garbage in Washington and it becomes clear that the opposite of what you said is true: Ron Paul was the only sane one, the rest have literally lost their minds as they carry us off a cliff.

RE: Too little too late
By Ammohunt on 7/29/2013 1:21:02 PM , Rating: 2
Like so many others....

Legalizing all drugs and isolationist stance in the world are non starters for conservatives like me. Both ideas if implemented would make our current issues seem like a rainy day as compared to a hurricane...libertarians are delusional anarchists nothing more.

RE: Too little too late
By Piiman on 7/27/2013 11:24:22 AM , Rating: 2
"without having people throw their votes away by voting for crackpots"

Then stop voting because they're all crackpots.

RE: Too little too late
By Flunk on 7/29/2013 9:35:26 AM , Rating: 2
Since when was voting for the Democrats or Republicans not voting for the "Christian Party"? When was the last time there was a non-Christian president?

RE: Too little too late
By Flunk on 7/29/2013 9:36:21 AM , Rating: 2
You could argue that voting for a mainline party is throwing your vote away because they're going to win regardless if you vote for them or not.

RE: Too little too late
By Reclaimer77 on 7/28/2013 5:42:14 PM , Rating: 2
That's a complete tucking lie! I've had it with people blaming Bush for everything Obama has done. ENOUGH!!

There is nothing in the Patriot Act that grants the Government the authority to spy en masse on all Americans. There is nothing granting the NSA authority to collect "meta data" on everyone's phone and Internet activity. And exactly when the Fuck did Bush go after All Internet encryption keys!

This is ALL Obama. Stop being a pussy and hiding behind Bush on every goddamn issue!

RE: Too little too late
By fleshconsumed on 7/30/2013 12:00:33 PM , Rating: 2
Which part of it specifically is a lie?

The Prism signed up Microsoft, Yahoo, and Google during Bush administration. That's a fact.

Mark Klein blew the whistle on AT&T diverting all of its call traffic to NSA as early as 2003. That's a fact.

In the final days of his administration Bush granted retroactive immunity to any ISPs (including AT&T) that might have passed information to the government without proper warrant. That's a fact.

And on the most recent vote on funding the NSA surveillance program only 94 republicans out of 234 voted to defund the program. Also a fact.

As I said before, I'm not defending Obama's record on this matter. While he may not have started any of these programs, he did nothing to stop them either. Instead he greatly expanded them.

However, if your argument is to vote republican, then it's nothing but a folly for you cannot be seriously suggesting voting Republicans as more than half of them voted to keep the NSA system in place. Republicans want to keep the program in place even more so than Democrats.

In the big picture both parties are complicit on this issue, democrats and your beloved republicans alike.

Here, go educate yourself:

The only way you can show your disapproval is to keep voting third party or "none of the above". Yes, in the former case you would be throwing your vote away, and in the latter case it would be just a symbolic gesture that would accomplish nothing. However, voting for either of the two main parties will ensure that the program will keep running.

RE: Too little too late
By seraphim1982 on 7/26/2013 3:06:22 PM , Rating: 2
He's like every politician before him... lies to get in... lies while in.... lies on the way out.... and lies in the autobiography.

RE: Too little too late
By Piiman on 7/27/2013 11:22:41 AM , Rating: 2
We're just as happy as you were with GB.

hypocrite much?
By alpha754293 on 7/26/2013 8:31:01 AM , Rating: 5
Funny how Americans are always talking about how bad China/North Korea/Iran are when they're looking to do the EXACT SAME THING.

It's pretty funny when you hear Russians (and former Soviets) talk about "I came to America to escape the Soviet shit and this is what I get..."

RE: hypocrite much?
By conq on 7/26/2013 8:49:36 AM , Rating: 2
While there's certainly plenty of truth to this, let's not completely exaggerate the comparison. People don't regularly "disappear" in the US, regularly get incarcerated for their political beliefs, or have an infamous "3 generation imprisonment" rule.

I am certainly not saying the actions of the NSA are permissible, I stand on the very opposite end of the spectrum in fact. What I am trying to say is you're comparing crimes of a crack cocaine dealer (US) to the crimes of a pedo (N. Korea), serial killer (Iran), and a crime kingpin (China). Yes, they're all bad people but different levels of bad.

RE: hypocrite much?
By ClownPuncher on 7/26/2013 11:43:42 AM , Rating: 2
Yea, honestly - as bad as things are in the US, it really makes light of the horrible things people had to endure in Soviet countries to say it is the same. I mean TENS of millions of people died as a direct and indirect result of actions taken by the Soviet government. Same with Mao in China.

I think that's disrespectful.

RE: hypocrite much?
By Ammohunt on 7/26/2013 3:34:32 PM , Rating: 2
Not to mention there isn't a shred of evidence that the NSA has done anything at all illegal none, nada, zilch!

RE: hypocrite much?
By Arls on 7/26/2013 7:31:37 PM , Rating: 3
No but it could be deemed unconstitutional. I'm not a US citizen but I believe that process goes to the supreme court.

Illegal or not, having the capacity to spy on every citizen simultaneously just seems wrong. If Americans just take this lying down then you deserve to be subjugated and controlled.

RE: hypocrite much?
By Arls on 7/26/2013 7:16:23 PM , Rating: 2
I'm pretty sure he means spying on its citizens. All those countries have or had massive surveillance programs.

RE: hypocrite much?
By misuspita on 7/29/2013 10:19:55 PM , Rating: 2
People don't regularly "disappear" in the US, regularly get incarcerated for their political beliefs, or have an infamous "3 generation imprisonment" rule.

....yet! A few more invasions of privacy and you will get there...

RE: hypocrite much?
By Piiman on 7/27/2013 11:26:47 AM , Rating: 2
Yeah and Snowden didn't like the spying here so he runs to China and Russia WTF!

RE: hypocrite much?
By NellyFromMA on 7/31/2013 11:51:16 AM , Rating: 2
Um I think we can start comparing America to those countries you list when we start imprisoning people for their political, moral, and religious beliefs.

That you don't make this connection and instead attribute America to China, NK or Iran is kind of disturbing.

So that means...
By ipay on 7/26/2013 1:27:06 AM , Rating: 3
Microsoft, Google and Facebook all said that they haven't given any SSL keys to the government, and agreed that they would fight against doing so.

In other words they've already given them freely to the government and didn't fight it at all.

RE: So that means...
By dodjer42 on 7/26/2013 8:29:45 PM , Rating: 2
Spot on!

RE: So that means...
By Piiman on 7/27/2013 11:31:48 AM , Rating: 2
How did you come up with that?

By Motoman on 7/25/2013 8:56:09 PM , Rating: 5
You want the master key? First, open your mouth real wide...


No, wider!


There we go. Ready for the key? Here it comes!

:O <============3


[/carlos danger]

Constitutional Amendment
By Scaredy Retard on 7/25/2013 10:56:23 PM , Rating: 5
"Congress shall make no law abridging the right of the people to engage in communication, via any communication methods presently known or currently unknown, that is subject to surreptitious monitoring without a publicly-accessible court warrant authorizing said monitoring."

Pretty please? I think it's time to just quit being disgusted with my government and ranting and raving about it in online echo chambers with like-minded individuals and actually... write my House rep and Senator. I suggest all Americans take the time to do the same. It's better than doing nothing at all.

By unimatrix725 on 7/28/2013 1:05:17 PM , Rating: 2
This is one of many reasons why! I foresee in my lifetime a civil war that will tear this country apart. We the people are getting tired of an overbearing government. The FBI and/or NSA has done nothing good with their "Stasi Like" information. Did they stop any bombers or mass shootings? Let's ask them what information they had on recent terrorists. I am sure it is another "twin towers", failure to inform/action!


Copyright 2016 DailyTech LLC.