Group items matching

in title, tags, annotations or url

This was a great year for adoption of HTTPS encryption for secure connections to websites. HTTPS is an essential technology for security and privacy on the Web, and we've long been asking sites to turn it on to protect their users from spying (and from censorship and tampering with site content). This year, lots of factors came together to make it happen, including ongoing news about surveillance, advances in Web server capacity, nudges from industry, government, and Web browsers, and the Let's Encrypt certificate authority. By some measures, more than half of page loads in Firefox and in Chrome are now secured with HTTPS—the first time this has ever happened in the Web's history. That's right: for the first time ever, most pages viewed on the Web were encrypted! (As another year-in-review post will discuss, browsers are also experimenting with and rolling out stronger encryption technologies to better protect those connections.)

Sites large and small took turned on HTTPS in 2016, often using certificates from the Let's Encrypt certificate authority (sometimes with EFF's Certbot software, or a range of other options). In just a single year of broad public availability, Let's Encrypt has now helped enable secure connections for over 21 million websites, most of which never had certificates before.

A sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others. Sites they host, and visitors to those sites, can get a boost in security without having to do anything. (And we're getting ongoing benefits from providers like CloudFlare who made the switch in previous years.) A single hosting provider's decision can result in enabling encryption for hundreds of thousands or millions of customers; we hope others will take the plunge too! U.S. government sites also made significant progress adopting HTTPS this year, responding to the administration's guidance in support of HTTPS—a clear and practical explanation of why secure connections should be the default. A caveat: data from Google shows that use of HTTPS varies significantly from country to country, remaining especially uncommon in Japan. We've also heard that it's still uncommon across much of East and Southeast Asia. Next year, we'll have to find ways to bridge those gaps.

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

(U) HTTPS – HTTP traffic secured inside an SSL/TLS session, indicated by the https:// URL, commonly using TCP port 443 (U) IPSEC -- IPSec, or IP Security, is the Internet Engineering Task Force (IETF) standard for layer 3 real-time communication security. IPSec allows two hosts (or two gateways) to establish a secure connection, sometimes called a tunnel. All traffic is protected at the network layer. (U) SSH – Secure Shell. A common protocol used for secure remote computer access (U) SSL – Secure Sockets Layer. Commonly used to provide secure network communication. Widely used on the internet to provide secure web browsing, webmail, instant messaging, electronic commerce, etc. (U) TLS – Transport Layer Security. The follow-on to SSL, SSLv3 and TLSv1.0 are nearly identical. (U) VoIP – Voice over Internet Protocol. A general term for the using IP networks to make voice phone calls. The application layer protocol can be standards-based (e.g., H.323, SIP), or proprietary (e.g., Skype). (U) VPN – Virtual Private Network. A private network that makes use of the public telecommunications infrastructure, maintaining privacy via the use of a tunneling protocol and security procedures that typically include encryption. Common protocols include IPSEC and PPTP.

Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of our Let's Encrypt agent software or watch a video of it in action here:

How does the NSA get the private crypto keys that allow it to bulk eavesdrop on some email providers and social networking sites? It’s one of the mysteries yet unanswered by the Edward Snowden leaks. But we know that so-called SSL keys are prized by the NSA – understandably, since one tiny 256 byte key can expose millions of people to intelligence collection. And we know that the agency has a specialized group that collects such keys by hook or by crook. That’s about it. Which is why the appellate court challenge pitting encrypted email provider Lavabit against the Justice Department is so important: It’s the only publicly documented case where a district judge has ordered an internet company to hand over its SSL key to the U.S. government — in this case, the FBI. If the practice — which may well have happened in secret before — is given the imprimatur of the U.S. 4th Circuit Court of Appeals, it opens a new avenue for U.S. spies to expand their surveillance against users of U.S. internet services like Gmail and Dropbox. Since the FBI is known to work hand in hand with intelligence agencies, it potentially turns the judiciary into an arm of the NSA’s Key Recovery Service. Call it COURTINT. Oral arguments in the Lavabit appeal were heard by a three-judge panel in Richmond, Virginia last week. The audio (.mp3) is available online (and PC World covered it from the courtroom). It’s clear that the judges weren’t much interested in the full implications of Lavabit’s crypto key breach, which one of the judges termed “a red herring.”

As fast as it can, Google is sealing up cracks in its systems that Edward J. Snowden revealed the N.S.A. had brilliantly exploited. It is encrypting more data as it moves among its servers and helping customers encode their own emails. Facebook, Microsoft and Yahoo are taking similar steps.

After years of cooperating with the government, the immediate goal now is to thwart Washington — as well as Beijing and Moscow. The strategy is also intended to preserve business overseas in places like Brazil and Germany that have threatened to entrust data only to local providers. Google, for example, is laying its own fiber optic cable under the world’s oceans, a project that began as an effort to cut costs and extend its influence, but now has an added purpose: to assure that the company will have more control over the movement of its customer data.

A year after Mr. Snowden’s revelations, the era of quiet cooperation is over. Telecommunications companies say they are denying requests to volunteer data not covered by existing law. A.T.&T., Verizon and others say that compared with a year ago, they are far more reluctant to cooperate with the United States government in “gray areas” where there is no explicit requirement for a legal warrant.

It’s hard to overestimate the value of planning in advance, especially when it comes to getting reservations in popular restaurants and invading countries by military force. In the week of the May 9th Victory Day two significant failures took place  each one remarkable in its own way. Each event went completely unreported by the Western corporate and government media, but discussed on Social Media.

In the following three weeks after the incident with the USS Florida, while Russia was preparing for Victory Day celebrations and all eyes were on Moscow, attention of Ukrainians was fully concentrated on the visit of Victoria Nuland to Kiev on April 26th allegedly to discuss the implementation of the Minsk II Agreement and the future elections in Donetsk and Lugansk republics. Since the day when President Putin said that the republics can have their elections anytime they want, the question of these elections ceased to be a subject of blackmail toward the Kremlin.   It appeared that the true reason for Nuland’s visit could be located to the west of Kiev, rather than the east. Just recently, Robert D. Kaplan, a former Stratfor’s Chief Geopolitical Analyst, and currently a senior fellow at the Center for a New American Security (CNAS) has published a book “In Europe’s Shadow” where he lays out a plan to reunite Romania with “its lost province of Moldova.” Nuland visited Moldova back in January, with the task to coerce Moldova’s government and its oligarchs to change the country’s Constitution provision of neutrality. Before she left, she gave a short speech at the American Embassy in Bucharest after a private dinner with PM Ciolos and President Klaus. “We powerfully support the desire of the people in Moldova to have responsible leaders who can implement reforms. This is the best way to assure the future of Moldova. Romania and the United States, in conjunction with NATO, have support programs in place to assure the security of Moldova but the government has to work to implement these programs.”

Moldova is one of the poorest countries in Eastern Europe, and its economy heavily relies on Russia. According to the CIA Fact Book: Moldova’s annual remittances of about $1.12 billion comes from the roughly one million Moldovans working in Europe, Russia, and other former Soviet Bloc countries; Moldova imports almost all of its energy supplies from Russia and Ukraine; Moldova’s dependence on Russian energy is underscored by a more than $5 billion debt to Russian natural gas supplier Gazprom; Moldova signed an Association Agreement and a Deep and Comprehensive Free Trade Agreement with the EU during fall 2014, however its biggest trade partner remains Russia. Everyone understands that a NATO membership will cut all economic ties with Russia, including jobs, and it will turn Moldova into a failed state, or in the CIA doublespeak, the country would stop being vulnerable to “Russian pressure.” Apparently, the failure of Moldova as a state, and its disappearance as a nation is also what the EU wants. On January 6, the new Moldovan Ambassador to Germany was presenting his credentials when, out of the blue, the German president asked the new ambassador what the procedure was for Republic of Moldova to formally unite with Romania. On May 4th, the Katehon reported on Vladimir Plahotniuc’s (the infamous Moldavian oligarch and mafia boss) visit to the US and his meeting with Victoria Nuland there. As the Victory Day celebration was approaching, we all fully anticipated from the US to conduct terror acts, military excursions/drills, and political and legal attacks on Russia as the US and the EU always do to harass Russia during its major national and Church holidays.

The National Security Agency has been secretly granted legal authority to operate a massive domestic eavesdropping system that vacuums up Americans' phone calls and Internet communications, newly leaked documents show. A pair of classified government documents (No. 1 and No. 2) signed by Attorney General Eric Holder and posted by the Guardian on Thursday show that NSA analysts are able to listen to Americans' intercepted phone calls without asking a judge for a warrant first. That appears to be at odds with what President Obama said earlier this week in defense of the NSA's surveillance efforts. "I can say unequivocally is that if you are a U.S. person, the NSA cannot listen to your telephone calls and the NSA cannot target your e-mails," Obama said. The new documents indicate, however, that NSA, CIA, and FBI analysts are granted broad access to data vacuumed up by the world's most powerful intelligence agency -- but are supposed to follow certain "targeting" and "minimization" procedures to limit the number of Americans who become individual targets of warrantless surveillance.

Analysts are expected to exercise "reasonable judgment" in determining which data to use, according to the documents, and "inadvertently acquired communications of or concerning a United States person may be retained no longer than five years." The documents also refer to "content repositories" that contain records of devices' "previous Internet activity," and say the NSA keeps records of Americans' "electronic communications accounts/addresses/identifiers" in an apparent effort to avoid targeting them in future eavesdropping efforts. The Holder procedures were blessed in advance by the secret Foreign Intelligence Surveillance Court, the Guardian reported, meaning that the judges would have issued a general order that authorizes the NSA to engage in warrantless surveillance as long as it's primarily aimed at foreign targets, subject to some limited judicial oversight. Today's disclosure jibes with what Edward Snowden, the former NSA contractor who leaked top-secret documents, alleged in an online chat earlier this week. Snowden said, referring to the contents of e-mail and phone calls, that "Americans' communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant."

On Sunday, Director of National Intelligence James Clapper released a carefully-worded statement in response to a CNET article and other reports questioning when intelligence analysts can listen to domestic phone calls. Clapper said: "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations. "The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.

"Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"

The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it’s deployed properly, reducing the errors that could make surveillance and other attacks easier.

“There is a renewed and urgent interest in the IETF to increase the security of transmissions over the Internet. Many application protocols have defined methods for using TLS to authenticate the server (and sometimes the client), and to encrypt the connection between the client and server. However, there is a diversity of definitions and requirements, and that diversity has caused confusion for application developers and also has led to lack of interoperability or lack of deployment. Implementers and deployers are faced with multiple security issues in real-world usage of TLS, which currently does not preclude insecure ciphers and modes of operation,” the description in the working group’s charter says.

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.

Edward Snowden's leaks show that the NSA and GCHQ have been systematically subverting key technologies that underlie the Internet. That betrayal of trust has prompted some soul-searching by the Net engineering community, which realizes that it needs to come up with more surveillance-resistant approaches. This story from Radio Netherlands Worldwide (RNW) provides information about the kind of thing they are working on in one key group, the Internet Engineering Task Force (IETF). It reports on a speech given by the IETF's chair, Jari Arkko, at the recent Internet Governance Forum in Bali, Indonesia.

Firstly, the IETF wants to eventually apply encryption to all web traffic. "Today, security only gets switched on for certain services like banking," Arkko explained, referring to IETF-developed standards like SSL -- the little lock that appears in the upper left corner of your browser to secure online purchases. "If we work hard, we can make [the entire internet] secure by default." To this end, the IETF might make encryption mandatory for HTTP 2.0, a new version of the basic web protocol. Secondly, the IETF plans to remove weak algorithms and strengthen existing algorithms behind encryption. This means that the US National Security Agency and other surveillors will find it harder to crack current forms of encryption.

Putting that in context, Axl Pavlik, the managing director of Europe's Internet Registry (RIPE NCC), notes that you can never stop surveillance completely, but you can make it more expensive: "You and I have limited resources, and the surveillor has limited resources -- maybe more than we have -- but if millions of users of the internet raise the bar a little bit, the requirements to surveil every little bit of internet traffic would be much higher," he explained to RNW. Mandatory use of encryption helps do that. And here's another good reason for adopting it: The IETF's plans also benefit people who are already encrypting their online activities themselves, argued Marco Hogewoning, technical adviser to RIPE NCC. According to him, these people currently stick out like a sore thumb to the very surveillors they hope to evade.

This whole morning, while all these stories of the NSA hacking directly into Google and Yahoo's network have been popping up, I've been at the Inbox Love conference, all about the future of email. The "keynote" that just concluded, was Ladar Levison from Lavabit (with an assist from Mike Janke from Silent Circle), talking about the just announced Dark Mail Alliance, between Lavabit and Silent Circle -- the other "security" focused communications company who shut down its email offering after Lavabit was forced to shut down. Levison joked that they went with "Dark Mail" because "Black Mail" might have negative connotations. Perhaps just as interesting, Levison is going to be releasing the Lavabit source code (and doing a Kickstarter project to support this), with the hope that many others can set up their own secure email using Lavabit's code, combined with the new Dark Mail Alliance secure technology which will be available next year. As noted, the Alliance is working on trying to create truly secure and surveillance-proof email. Of course, nothing is ever 100% surveillance proof -- and both members of the alliance have previously claimed that it was almost impossible to do surveillance-proof email. However, they're claiming they've had a "breakthrough" that will help.

The newly developed technology has been designed to look just like ordinary email, with an interface that includes all the usual folders—inbox, sent mail, and drafts. But where it differs is that it will automatically deploy peer-to-peer encryption, so that users of the Dark Mail technology will be able to communicate securely. The encryption, based on a Silent Circle instant messaging protocol called SCIMP, will apply to both content and metadata of the message and attachments. And the secret keys generated to encrypt the communications will be ephemeral, meaning they are deleted after each exchange of messages. For the NSA and similar surveillance agencies across the world, it will sound like a nightmare. The technology will thwart attempts to sift emails directly from Internet cables as part of so-called “upstream” collection programs and limit the ability to collect messages directly from Internet companies through court orders. Covertly monitoring encrypted Dark Mail emails would likely have to be done by deploying Trojan spyware on a targeted user. If every email provider in the world adopted this technology for all their users, it would render dragnet interception of email messages and email metadata virtually impossible.

Importantly, they're not asking everyone to just trust them to be secure -- even though both companies have the right pedigree to deserve some level of trust. Instead, they're going to release the source code for public scrutiny and audits, and they're hoping that other email providers will join the alliance. At the conference, Levison recounted much of what's happened over the last few months (with quite a bit of humor), joking about how he tried to be "nice" in giving the feds Lavabit's private keys printed out, by noting that he included line numbers to help (leaving unsaid that this would make OCR'ing the keys even more difficult). He also admitted that giving them the paper version was really just a way to buy time to shut down Lavabit.

The Islamic State in Iraq and Syria (ISIS) is being touted as the newest "threat" to the American homeland: hysterics have pointed to Chicago as the locus of their interest, and we are told by everyone from the President on down that if we don’t attack them – i.e. go back into Iraq (and even venture into Syria) to root them out – they’ll soon show up on American shores.

If we step back from the hysteria generated by the beheading of US journalist James Foley, what’s clear is that this new bogeyman is the creation of the United States and its allies in the region. ISIS didn’t just arise out of the earth like some Islamist variation on the fabled Myrmidons: they needed money, weapons, logistics, propaganda facilities, and international connections to reach the relatively high level of organization and lethality they seem to have achieved in such a short period of time. Where did they get these assets? None of this is any secret: Saudi Arabia, Qatar, and the rest of the oil-rich Gulf states have been backing them all the way. Prince Bandar al-Sultan, until recently the head of the Kingdom’s intelligence agency – and still the chief of its National Security Council – has been among their biggest backers. Qatar and the Gulf states have also been generous in their support for the Syrian jihadists who were too radical for the US to openly back. Although pressure from Washington – only recently exerted – has reportedly forced them to cut off the aid, ISIS is now an accomplished fact – and how can anyone say that support has entirely evaporated instead of merely going underground?

Washington’s responsibility for the success of ISIS is less direct, but no less damning. The US was in a de facto alliance with the groups that merged to form ISIS ever since President Barack Obama declared Syria’s Bashar al-Assad "must go" – and Washington started funding Syrian rebel groups whose composition and leadership kept changing. By funding the Free Syrian Army (FSA), our "vetted" Syrian Islamists, this administration has actively worked to defeat the only forces capable of rooting out ISIS from its Syrian nest – Assad’s Ba’athist government. Millions of dollars in overt aid – and who knows how much covertly? – were pumped into the FSA. How much of that seeped into the coffers of ISIS when constantly forming and re-forming chameleon-like rebel groups defected from the FSA? These defectors didn’t just go away: they joined up with more radical – and militarily effective – Islamist militias, some of which undoubtedly found their way to ISIS. How many ISIS cadres who started out in the FSA were trained and equipped by American "advisors" in neighboring Jordan? We’ll never know the exact answer to that question, but the number is very likely not zero – and this Mother Jones piece shows that, at least under the Clinton-Petraeus duo, the "vetting" process was a joke. Furthermore, Senator Rand Paul (R-Kentucky) may have been on to something when he confronted Hillary with the contention that some of the arms looted from Gaddafi’s arsenals may well have reached the Syrian rebels. There was, after all, the question of where that mysterious "charity ship," the Al Entisar, carrying "humanitarian aid" to the Syrian rebels headquartered in Turkey, sailed from.