Hacker News new | ask | show | jobs
by qaruxj 4700 days ago
Did nobody look at the PowerPoint itself? From page 17 (http://www.theguardian.com/world/interactive/2013/jul/31/nsa...):

> * Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users.

> * These events are easily browsable in XKEYSCORE

As I understand it (and I may be wrong), most encrypted VPN traffic uses SSL. Given that XKeyscore data is only held for a few days (due to the immense volume) and given how nonchalantly they just throw out that they can decrypt VPN traffic, it sounds to me like they've either got the root SSL certs and are MITM'ing every connection they can or they've somehow broken SSL, either by breaking the actual encryption used or by exploiting vulnerabilities in how browsers handle it. If that's the case, then they don't need to ask Google or anyone else for your data, they can just read anything they want.
2 comments
silvestrov 4699 days ago
Poul-Henning Kamp: """With expenditures of this scale, there are a whole host of things one could buy to weaken encryption. I would contact providers of popular cloud and "whatever-as-service" providers and make them an offer they couldn't refuse: on all HTTPS connections out of the country, the symmetric key cannot be random; it must come from a dictionary of 100 million random-looking keys that I provide. The key from the other side? Slip that in there somewhere, and I can find it (encrypted in a Set-Cookie header?)."""

http://queue.acm.org/detail.cfm?id=2508864

link
nl 4699 days ago
That's an interesting idea.

Even better would be for the NSA to penetrate Thwate, Verisign etc and make the keys they "generate" non-random (perhaps only for a subset of certificates sold)

link
LeeLorean 4699 days ago
Yes, it seems like they have broken VPN or SSL in some way.

Perhaps they own or subsidize many of the cheaper VPN like has been rumoured for Private Internet Access? https://www.privateinternetaccess.com/

link
coderrr 4699 days ago
Uh, no. We aren't subsidized by the NSA or any part of any government or any organization or person for that matter. We bootstrapped Private Internet Access with 500$ and a lot of caffeine and have been profitable since our second month in operation.

We believe what the NSA is referring to when talking about "VPN startups" is the initial stages of PPTP sessions. PPTP has been crackable for a while, check out moxie's cloudcracker.com. We believe it highly unlikely that they have broken OpenVPN (which is what our application uses) or SSL.

Please see our stance on PRISM: https://www.privateinternetaccess.com/blog/2013/06/prism/

link