Is Encryption Broken? REDUX

Ola Bini

Published: Feb 5, 2015

I spent the days between Christmas and New Year's in Hamburg, Germany at the Chaos Communication Congress. I had a fantastic time as usual, and there were a lot of great discussions and talks. I wanted to quickly cover the new revelations that Jake Appelbaum and Laura Poitras dropped on us on a Sunday evening. The video can be found here. At the same time, Der Spiegel published two articles about this subject, together with over 600 pages of documents from the Snowden archive.

There are a lot of potentially scary revelations in these documents and the presentation. An observer might want to ask whether encryption is broken and whether we should give up right now. I would like to put some context on these findings based on a few days of thinking and talking about them. What does it all really mean?

Let us begin with the really simple pieces. Skype is completely broken, and has been for a significant amount of time. This shouldn't come as a surprise: the truth is we should trust Skype about as much as we trust a postcard for keeping our information secret. Another problematic one is the VPN protocol PPTP. Its MS-CHAPv2 authentication has been publicly breakable for years, so it should never be used.

The more dangerous finding is that a lot of other VPN technologies also appear to be broken in one way or another. If you depend on a VPN for security, be careful, and layer it with other encryption (for example SSH or TLS inside the tunnel) so that a broken VPN is not the only thing protecting your traffic.

Let's take a break and talk about some of the good news. Tor still seems to cause a lot of problems for even the strongest attackers - and Tails is even better. This confirms our hopes. Of course, the intelligence services are working to break Tor and Tails, and they are trying out a lot of different methods for this. However, it doesn't seem to have been successful so far.

It also seems that the intelligence services aren't attacking AES very successfully. Of course they have studies and methods against it, but not to a very large degree, and nothing that looks like a real break.

OK, what about SSL/TLS then? It's a bit more unclear. Some decryption of SSL/TLS traffic definitely seems to be happening, but it is still unclear whether this is done by stealing keys from providers, by man-in-the-middle attacks with fake certificates, by directly breaking some cipher in real time, or anything in between. Occam's razor tells us to assume that mostly there are no major breaks involved, although I wouldn't be surprised if, for example, RC4 can be decrypted on the fly.

So what about SSH? This one is potentially scary. The real problem is that the published documents don't contain all the information that the journalists used to reach the conclusion that some SSH sessions can be broken. After talking with some of them about this, it seems that we don't know exactly what is broken and what is not. However, the documents do indicate specific issues rather than a general break: not all SSH connections can be decrypted. So what could be happening? First, a MITM attack can be used, since people don't always verify host key fingerprints. There could be a weakness in one of the algorithms used, but this is not very likely, since most of them are used in other settings where they seem to be secure. The most likely explanation is a vulnerability in one specific implementation of SSH. This could be related to how the intelligence services steal keys from VPN appliances and similar devices. In other words, the SSH breaks do not seem to be against the SSH software on your own server or client. How can you protect yourself? Use layers. The easiest way is to expose your SSH server as a Tor hidden service and connect to that.
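The MITM scenario above only works when the client accepts whatever host key the network hands it. Checking the offered key against a fingerprint obtained out of band closes that hole, and the same hash-and-compare idea is what certificate pinning does for the fake-certificate case in the TLS paragraph. The following is an added example, not code from the original post or from OpenSSH: it parses a known_hosts style line, computes the fingerprint in the `SHA256:` format that `ssh-keygen -lf` and `ssh` print, and compares it to a pin. The host key it uses is constructed from a fixed 32-byte value so the example runs offline; it is not any real server's key, and `example.onion` is a placeholder host name.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def make_host_key_line(host: str, raw_key: bytes) -> str:
    """Build a known_hosts / ssh-keyscan style line for an ssh-ed25519 key.

    The public key blob is the algorithm name followed by the 32-byte key,
    each as an SSH string, then base64-encoded. Used here to construct
    sample input; a real line would come from `ssh-keyscan` or known_hosts.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample key (NOT a real host key): 32 bytes 0x00..0x1f.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_HOST_KEY_LINE = make_host_key_line("example.onion", SAMPLE_RAW_KEY)


def parse_host_key_line(line: str):
    """Split a host key line into (host, keytype, blob) and sanity-check the blob."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64 blob>'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    # The first SSH string inside the blob names the algorithm; a mismatch
    # with the textual key type means the line was mangled or tampered with.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii")
    if embedded != keytype:
        raise ValueError(f"key type mismatch: {keytype!r} vs embedded {embedded!r}")
    return host, keytype, blob


def ssh_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(blob)) without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches_pin(line: str, expected_fingerprint: str) -> bool:
    """True only if the key offered on this line hashes to the pinned fingerprint.

    A MITM that substitutes its own host key produces a different blob and
    therefore a different fingerprint, so this returns False for it.
    """
    _, _, blob = parse_host_key_line(line)
    return hmac.compare_digest(ssh_fingerprint(blob), expected_fingerprint)


if __name__ == "__main__":
    pin = ssh_fingerprint(parse_host_key_line(SAMPLE_HOST_KEY_LINE)[2])
    print("pinned:", pin)
    print("genuine key accepted:", host_key_matches_pin(SAMPLE_HOST_KEY_LINE, pin))
    # Simulated MITM: same host name, attacker-controlled key material.
    mitm_line = make_host_key_line("example.onion", bytes(32))
    print("substituted key accepted:", host_key_matches_pin(mitm_line, pin))
```

In practice the pin comes from running `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server console (or over a channel you already trust) and the candidate line from `ssh-keyscan` or the `known_hosts` entry the client is about to accept. For TLS the analogous pin is the SHA-256 of the DER-encoded SubjectPublicKeyInfo, compared the same way.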

Finally we come to OTR and GPG. The articles claim that these are safe. However, what the documents actually say is that there were circumstances where OTR and GPG could not be decrypted, which is not quite the same thing. I feel cautiously optimistic about these tools, but we should be careful not to overstate the case. Security and crypto in depth is still very important, and every precaution falls apart if you make other mistakes or if the endpoint is compromised.

To sum up: nothing in here would really change our behavior in most cases if we are already doing things correctly. The soft indications about how to build and think about systems are quite useful, though.
