How to Secure Corporate Communications

by Colin Berkshire

Colin here.NSAEYES

Probably the question that I am most asked anymore is whether we should use more encrypted communications to protect our corporate secrets and confidential information. The undercurrent is whether by using SSL or security certificates our organization may protect itself from the prying eyes of the NSA.

Sorry folks, but the answer is no, and no, and no.

The basic problem is that all of the top-level/root-level certificates and certificate authorities are compromised by the NSA.

So, while you can encrypt the information, the NSA can generate the decrypted data like a hot knife cuts through butter. With the top-level keys and compromised certificate authorities they can not only decrypt whatever they want, but they can perform real-time man-in-the-middle attacks.

Besides, installing and using security certificates on email is a hassle, and it mostly doesn’t really work anyway.

It’s rather interesting that solving the problem with email being insecure goes way, way back to about 1993. Back then, a standard was proposed by Russ Housley which would provide secure, encrypted, peer-to-peer emails for almost the entire Internet. This standard, had it been adopted would have provided reasonable peer-to-peer security of the content of email communications.

But that standard was highly resisted by the US Government and eventually was never adopted. Its author and champion relented and decided not to pursue it (at the request of the US Navy). From 2007 until this year he was the chairperson of the IETF…the organization responsible for setting all Internet technical standards. Now, he is the chair of the Internet Architecture Board (IAB). Probably nobody knows encryption and security better then him, and he seems from all outward appearances to being disinterested in any security which is “too secure” for the comfort of the NSA.

So, the basic answer for your top level management is that everything on the Internet is visible by the NSA. It just doesn’t matter if it is encrypted or not.