
Is Encryption Broken? REDUX

I spent the days between Christmas and New Year's in Hamburg, Germany at the Chaos Communication Congress. I had a fantastic time as usual, and there were a lot of great discussions and talks. I wanted to quickly cover the new revelations that Jake Appelbaum and Laura Poitras dropped on us on a Sunday evening. The video can be found here. At the same time, Der Spiegel published two articles about this subject. They also dropped over 600 pages of documents from the Snowden archive about it.

There are a lot of potentially scary revelations in these documents and the presentation. An observer might want to ask whether encryption is broken and whether we should give up right now. I would like to put some context on some of these findings based on a few days of thinking and talking about these issues. What does it all really mean?

Let us begin with the really simple pieces. Skype is completely broken, and has been for a significant amount of time. This shouldn't come as a surprise - the truth is we should trust Skype as much as we trust a postcard for keeping our information secret. Another one that is problematic is the VPN technology called PPTP - it should never be used because it is completely broken.

The more dangerous thing seems to be that a lot of other VPN technologies are also broken in one way or another. If you depend on VPNs for security, you should be careful - and compose it with other encryption in order to be safer.

Let's take a break and talk about some of the good news. Tor still seems to cause a lot of problems for even the strongest attackers - and Tails is even better. This confirms our hopes. Of course, the intelligence services are working to break Tor and Tails, and they are trying out a lot of different methods for this. However, it doesn't seem to have been successful so far.

It also seems that the intelligence services aren't attacking AES very successfully. Of course they have studies and methods against it, but not to a very large degree, and nothing that looks like a real break.

OK, what about SSL/TLS then? It's a bit more unclear. Some decrypts of SSL/TLS traffic definitely seem to be happening, but it's still unclear whether this is done by stealing keys from providers, doing man-in-the-middle attacks with fake certificates, directly breaking some crypto in real time, or anything in between. Occam's razor tells us that we should assume that mostly there are no major breaks involved, although I wouldn't be surprised if for example RC4 can be decrypted on the fly.

So what about SSH? This one is potentially scary. The real problem is that the published documents don't contain all the information that the journalists used to come to the conclusion that some SSH sessions can be broken. After talking with some of them about this, it seems that we don't know exactly what is broken and what is not - it's unclear. However, it seems to indicate that there are specific issues. Not every SSH connection can be decrypted. So what can happen? Well, first a MITM attack can be used. People don't necessarily always check the fingerprints. There could be a weakness in one of the algorithms used, but this is not very likely, since most of them are used in other settings where they seem to be secure. The most likely thing is that there is a vulnerability in one of the specific implementations of SSH. This could have to do with how the intelligence services steal keys for VPN appliances and things like that. So, in other words, it doesn't seem like the SSH breaks are against the SSH on your own server or client machine. How can you protect yourself? Use layers. The easiest way is to expose your SSH over a Tor hidden service and connect to that.
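The "use layers" advice above, as an added example that is not part of the original post: a small POSIX shell script that writes the three configuration fragments needed to reach sshd only through a Tor hidden service, and that pins the server's host key into a known_hosts file so the fingerprint check the post mentions is not left to the user. It assumes Tor's SOCKS port is 127.0.0.1:9050, sshd is bound to 127.0.0.1:22, the hidden service directory is /var/lib/tor/ssh/, and `nc` is OpenBSD netcat (the variant that understands `-X 5 -x host:port`); the onion hostname and public key used below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates torrc,
# sshd_config and ssh_config fragments for SSH-over-Tor and pins the
# server host key. Assumed: Tor SOCKS on 127.0.0.1:9050, sshd on
# 127.0.0.1:22, OpenBSD netcat as "nc".
set -e

# Write the three fragments into directory $1.
write_onion_ssh_config() {
    dir=$1
    mkdir -p "$dir"

    # torrc: Tor maps <onion>:22 to the local sshd. After Tor starts, the
    # onion hostname appears in /var/lib/tor/ssh/hostname (assumed path).
    cat > "$dir/torrc" <<'EOF'
HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22
EOF

    # sshd_config: bind to loopback only, so the daemon is unreachable
    # from the network except through the hidden service; this is the
    # extra layer in front of whatever the SSH implementation itself does.
    cat > "$dir/sshd_config" <<'EOF'
ListenAddress 127.0.0.1
PasswordAuthentication no
EOF

    # ssh_config (client): route every *.onion host through Tor's SOCKS5
    # port. StrictHostKeyChecking yes means ssh only connects to hosts whose
    # key is already in known_hosts, so a MITM on first contact is refused
    # rather than accepted by a user who skips the fingerprint check.
    cat > "$dir/ssh_config" <<'EOF'
Host *.onion
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    StrictHostKeyChecking yes
EOF
}

# Append a known_hosts entry for onion host $1, taken from the server's
# public key file $2 (e.g. ssh_host_ed25519_key.pub, copied out of band),
# into the known_hosts file $3. Only the key type and key data are kept;
# the comment field of the .pub file is dropped.
pin_host_key() {
    onion=$1
    pubfile=$2
    known_hosts=$3
    keytype=$(cut -d' ' -f1 "$pubfile")
    keydata=$(cut -d' ' -f2 "$pubfile")
    printf '%s %s %s\n' "$onion" "$keytype" "$keydata" >> "$known_hosts"
}

# Print the pinned known_hosts line for host $1 from file $2 (empty if none).
lookup_pinned() {
    [ -f "$2" ] || return 0
    awk -v h="$1" '$1 == h' "$2"
}
```

Usage: run `write_onion_ssh_config ./out`, merge the fragments into the real torrc, sshd_config and ~/.ssh/config, then fetch the server's host public key over a channel you already trust and call `pin_host_key <name>.onion ssh_host_ed25519_key.pub ~/.ssh/known_hosts` before the first connection. With the key pinned and strict checking on, the client refuses any session where the presented host key does not match, which is exactly the failure mode (unchecked fingerprints) the post singles out.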

Finally we come to OTR and GPG. The articles claim that these are safe. However, what the documents say is that there are circumstances where OTR and GPG could not be decrypted - that is not exactly the same thing. I would feel cautiously optimistic about these things - but we should be careful to not overstate the case. Security and crypto in depth is still very important, and every precaution falls apart if you make other mistakes or if the endpoint is owned.

In summary - nothing in here would really change our behavior in most cases if we are already doing things correctly. The softer indications about how to build and think about systems are quite useful though.