this is why you use ssl on the inside

The big lesson to be learned from the recent revelations about NSA intrusion into Google’s network is this: you need to use encryption everywhere.

103113GooglecloudNSAmaster-1383248994386

The diagram tells you everything you need to know. The real problem isn’t that all of our encryption methods are hopelessly broken. They aren’t. It is that we’re not using them. Even Google, who claimed to be using end-to-end encryption everywhere, wasn’t. The NSA (and probably others) took advantage of that lapse in professionalism (and honesty), and did an end-run around the “hard shell” to get to the “chewy center”.

I think SSL and TLS are still effective tools in defending the privacy of people and businesses. Key strength and algorithms do need to be reviewed, of course. Keep in mind, however, that VeriSign/Symantec and other commercial CA’s had already set 2048 bits as the minimum RSA key strength some time ago (in response to a NIST initiative), and that the weaknesses (and possible compromise) of ECC were already understood by the security community before the Snowden leaks. In fact I think that the existence of an massive effort to circumvent rather than directly attack encryption casts doubt upon claims that encryption can routinely be broken.

The real question is whether, knowing everything we know now, people will make the effort to take the common sense step of implementing encryption everywhere. That’s ultimately not just a question for technologists, but also for business leaders and individual citizens.

This entry was posted in Security, System Administration on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).