Ben Collins Digital Ben Collins Digital Icon

The NSA Demon holding Microsoft and Verisign

What Has the NSA Done and What Can I Do About It?

I wanted to write a down to earth explanation of what the latest news about the NSA means to everyday people. There are some mislabeled headlines out there, which is understandable because the Guardian article had a number of redacted holes that exclude some important specifics.

We rely on encryption for things like ecommerce. When you submit your credit card to an online store, before that number leaves your computer it is scrambled. When it arrives at the online store, it descrambles. That way, no matter who is listening in on the lines, they can't decrypt it.

The NSA has not broken internet encryption, at least in the purest sense. Modern encryption uses very powerful math theory that prevent even 1 million computers working for 1 million years from guessing the code that decrypts everyday internet encoding (assuming Snowden is right and they don't have quantum computers that can just break the RSA algorithm). Still, they have developed a multi-pronged long term strategy to overcome this problem.

What they have done is game the system. I believe they have poisoned the well of encryption and we can no longer trust an important role player that is fundamental to the internet — the Certificate Authority.

My father John K. Harris is a computer scientist and engineer at Virginia Tech. A few years ago, he was doing some research and analysis on internet encryption. He showed me a fundamental flaw in the system — the trust we place in Certificate Authorities.

Here is a list of all the Certificate Authorities that Microsoft uses.

In Firefox, you can go to Options -> Advanced -> View Certificates.

In Chrome, go to Settings -> Advanced -> Manage Certificates -> Trust Root Authorities

These "CAs'" are part of how encryption work. If you ever have gone to a website and gotten a big error "DO NOT TRUST THIS WEBSITE! PROCEED AT YOUR OWN RISK!" it's because the certificate that you were given by the website has been flagged by a CA as "non authoritative." In order to encrypt things, both parties have to exchange certificates — they are basically like unique keys. The reason that CAs were created (in conjunction with browser development) was to ensure that all keys being issued were legitimate and unique — in other words, trusted.

What I believe has happened is that the certain CA's have been compromised by the NSA. The system developed to ensure our trust has been poisoned at it's most basic level so now that when you, say, connect to encrypted Gmail, the key you receive is NOT unique and unbreakable but your browser does not give you the warning.

This is the biggest blow to privacy yet I believe and an affront to the system of the internet itself. Obviously, the NSA hates encryption. We do not know how long they have been planning to exploit the weakness in "trusted" certificate providers, but it gets even worse. According to the Guardian article, it appears that the NSA has been working BOTH ENDS of the encryption system. Meaning they are likely in your browser as well (they are confirmed to be in your Outlook).

Is it possible that the CA / browser structure that has been developed over the last two decades has been influenced and corrupted from the beginning to give the NSA unprecedented access to encrypted content? Perhaps not from the beginning, but with a budget of 300 million dollars for who knows how many years, it seems possible that through espionage, manipulation, employee planting, and every tactic at their disposal has been deployed to achieve this goal.

I'm not a conspiracy theorist. But this time, I guess this conspiracy is actually true.

This is just my opinion and it may changed based on new information. We may never know the specifics of the CA plan leaked, but we do know that at the very least, if you care about pure privacy, you would be wise to question who is issuing your certificates.

What can you do about it? On a technical level, if you really want to encrypt something, it's possible to do so by creating your OWN certificates, which of course when used will trigger software warnings (which you can safely ignore). This is an advanced technical thing and you depend on both parties being able to follow the process. But yes, it is possible to have complete privacy by cutting out the middleman CA. Or perhaps should we call it the NSACA?

More in Strategy