Newly published documents leaked by Edward Snowden reveal that the National Security Agency has secretly developed various methods of circumventing widely used Internet commercial encryption technologies, including HTTPS and SSL, which are used to secure anything from banking transactions to email services.
The NSA uses a wide range of ways to circumvent web encryption, include using supercomputers to brute-force the intercepted communications, pressuring vendors to install backdoors behind the scenes, obtain encryption keys by hacking into corporate servers, and even manipulating processes to set international encryptions standards.
See also: Is It the Dawn of the Encryption App?
These latest revelations were published by The New York Times, The Guardian and ProPublica. The three publications jointly reported on the documents leaked by Snowden, which were shared by the British newspaper with its two American partners.
The NSA's efforts have allegedly been very successful.
"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies [...] Vast amounts of encrypted internet data which have up till now been discarded are now exploitable," according to a 2010 document from the British Government Communications Headquarters (GCHQ) — the UK's NSA.
The intelligence agency was referring to a 10-year-old top secret NSA program called Bullrun, which apparently included the different efforts described above.
Another document, an internal agency memo, said that British analysts who were briefed on the NSA's progress and didn't know about it before were "gobsmacked" by what they learned.
The NSA also spends more than $250 million every year on the "Sigint Enabling Project," a program that allows the NSA to crack Internet traffic that is encrypted with the collaboration of Internet companies. The program "actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them "exploitable," according to the documents.
The latest revelations were received with outrage by technologists working at privacy and civil liberties advocacy groups.
"The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions, and commercial secrets," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU) said in a statement.
"Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the Internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance. The NSA's efforts to secretly defeat encryption are recklessly shortsighted and will further erode not only the United States' reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies," he continued.
Joseph Lorenzo Hall, a technologist at the Center for Democracy and Technology echoed Soghoian's words in an email to reporters: "These revelations demonstrate a fundamental attack on the way the Internet works. In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it’s incredibly destructive for the NSA to add flaws to such critical infrastructure."
Despite the NSA's ability to crack web encryption with these means, Wired's Kim Zetter notes that "these methods don’t involve cracking the algorithms and the math underlying the encryption, but rather rely upon circumventing and otherwise undermining encryption."
And Snowden himself said during a Q&A with The Guardian in June that cryptography works.
"Properly implemented strong crypto systems are one of the few things that you can rely on," he said.
Image: Saul Loeb/AFP/Getty Images