With the latest NSA allegations, can we still trust encryption?

The New York Times and the Guardian published news stories last week alleging that the National Security Agency (NSA) spent billions of dollars to crack encryption technologies and has worked closely with tech companies to insert backdoors in their software.

Allegedly, the NSA has cracked HTTPS and Secure Sockets Layer (SSL), two encryption technologies heavily used in secure online transactions (banking, email, etc.).

Virtual Private Network (VPN) and 4G wireless signal technologies were also on the list of achievements for a top-secret project code-named “Bullrun.”

As always, one of the explanations for such programs is that the US government needs to protect its citizens from terrorist attacks. This reason alone may have been enough to appease public opinion shortly after 9/11, but it no longer appears to work.

While public safety is a legitimate concern, many people see this as an excess of power that erodes their privacy and civil liberties while actually producing the opposite effect: creating more insecurity.

Case in point, word that the NSA worked with software companies to introduce backdoors and vulnerabilities in their devices and products could have serious consequences.

One would have thought that zero-days (unknown vulnerabilities) already abounded, and the mere thought of intentionally adding more boggles the mind.

While a backdoor may give the US government the ability to tap into any device of their choice with full privileges, what would prevent an attacker from exploiting it as well?

We all remember the Sony rootkit, which had good intentions to begin with (defending copyrights) but was quickly adapted by the bad guys to distribute malware.

Imagine for a second that China successfully infiltrates some of the most sensitive US networks and uncovers the tools and intelligence used to break encryption.

Considering China has succeeded in robbing US firms of years of R&D by stealing blueprints and the like, this thought might not be too far-fetched. Now if those powerful decryption tools were in the wrong hands, everybody would be in serious trouble.

It might seem unfair to point the finger only at the NSA and the US, as there are certainly other secret agencies and nation states in the world doing the exact same thing and getting away with it.

It would be, except for the fact that when it comes to human skills and financial resources, the US is probably at the top of the chain.

Without a doubt, each new revelation about the NSA programs is changing the security landscape and opening up overdue debates on the fine line between public safety and privacy.

Jerome Segura (@jeromesegura) is Senior Security Researcher at Malwarebytes.

