> DO NOT solely rely on SSL/TLS to secure data in transit.
Rationale: Numerous man-in-middle attack vectors and publicly disclosed flaws in the protocol.
In the CIA's use case (data exfiltration), this rationale is likely due to target organizations using a firewall which utilizes TLS interception to capture and inspect data, requiring the computer or mobile device to have a custom trusted root CA added in order to properly send traffic through their firewall box.
So the issue would be that TLS is going to be useless for protecting any data that is being exfiltrated, as the firewall box would obviously perform its DLP duties and block their exfiltration attempt. Custom additional cryptography or added obfuscation makes sense in this case because they only need to get past the automated inspection, not an actual human. The data has already been sent to the LP by the time anyone has a chance to crack the additional layer of crypto/obfuscation and see the data.
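As an added defender-side illustration (not code from this thread or from the documents it discusses): a toy DLP check that an inspecting proxy could run on the decrypted body, flagging uploads whose byte entropy suggests the sender wrapped the data in its own encryption or encoding layer. The thresholds and the sample bodies are constructed assumptions.

```python
import base64
import math
import random
from collections import Counter

# Thresholds are assumptions for this illustration, not figures from the thread.
HIGH_ENTROPY_BITS = 7.0    # raw ciphertext or compressed data lands near 8.0
BASE64_ENTROPY_BITS = 5.5  # base64 of ciphertext lands near 6.0; English text ~4.5
BASE64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_upload(body: bytes) -> str:
    """Label one outbound HTTP body after the inspecting proxy has stripped TLS.

    'inspectable' bodies go on to normal content matching; the two 'opaque-*'
    labels mean the sender added its own crypto or encoding layer, which is
    the case the quoted rule anticipates.
    """
    bits = shannon_entropy(body)
    if bits >= HIGH_ENTROPY_BITS:
        return "opaque-binary"
    if bits >= BASE64_ENTROPY_BITS and set(body) <= BASE64_ALPHABET:
        return "opaque-base64"
    return "inspectable"


# Constructed samples: a plaintext report and a stand-in for a ciphertext blob
# (seeded pseudo-random bytes so the run is reproducible; not real ciphertext).
PLAINTEXT_SAMPLE = (b"Quarterly network review: the proxy terminates TLS for all egress, "
                    b"re-signs with the enterprise root CA, and forwards bodies to DLP.\n") * 20
_rng = random.Random(7)
CIPHERTEXT_SAMPLE = bytes(_rng.randrange(256) for _ in range(4096))
BASE64_SAMPLE = base64.b64encode(CIPHERTEXT_SAMPLE)

if __name__ == "__main__":
    for name, body in (("plaintext", PLAINTEXT_SAMPLE),
                       ("ciphertext", CIPHERTEXT_SAMPLE),
                       ("base64", BASE64_SAMPLE)):
        print(f"{name:10s} {shannon_entropy(body):.2f} bits/byte -> {classify_upload(body)}")
```

An entropy gate only catches the naive extra layer; a sender that re-encodes ciphertext into low-entropy text (or into a format the proxy whitelists) will pass it, which is why such a check is a trigger for deeper inspection rather than a verdict on its own.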
See the bottom of the page where he talks about the link to their internal (previously top secret) CIA crypto standards, which is probably one of the few cryptos that is actually any good (most of it was done with the NSA and just talks about which protocols are secure).
No, the plot of Sneakers is that at the end the NSA thinks they're the only ones who can break the CIA's encryption, but really the only one who can do it is Robert Redford!
Postscript: Redford of course then goes ahead and basically announces it to the NSA by stealing all the Republican party's money (and someone else - can't remember) and donating it to causes like Greenpeace and Amnesty International.
This is not too surprising.