How to Secure Corporate Communications

September 18, 2013 by Colin Berkshire

Colin here.

Probably the question that I am most asked anymore is whether we should use more encrypted communications to protect our corporate secrets and confidential information. The undercurrent is whether by using SSL or security certificates our organization may protect itself from the prying eyes of the NSA.

Sorry folks, but the answer is no, and no, and no.

The basic problem is that all of the top-level/root-level certificates and certificate authorities are compromised by the NSA.

So, while you can encrypt the information, the NSA can generate the decrypted data like a hot knife cuts through butter. With the top-level keys and compromised certificate authorities they can not only decrypt whatever they want, but they can perform real-time man-in-the-middle attacks.

Besides, installing and using security certificates on email is a hassle, and it mostly doesn’t really work anyway.

It’s rather interesting that solving the problem with email being insecure goes way, way back to about 1993. Back then, a standard was proposed by Russ Housley which would provide secure, encrypted, peer-to-peer emails for almost the entire Internet. This standard, had it been adopted would have provided reasonable peer-to-peer security of the content of email communications.

But that standard was highly resisted by the US Government and eventually was never adopted. Its author and champion relented and decided not to pursue it (at the request of the US Navy). From 2007 until this year he was the chairperson of the IETF…the organization responsible for setting all Internet technical standards. Now, he is the chair of the Internet Architecture Board (IAB). Probably nobody knows encryption and security better then him, and he seems from all outward appearances to being disinterested in any security which is “too secure” for the comfort of the NSA.

So, the basic answer for your top level management is that everything on the Internet is visible by the NSA. It just doesn’t matter if it is encrypted or not.

By Colin Berkshire

Colin Berkshire is a highly technical HR executive in the Pulp and Paper Industry. Colin has an engineering and voice background, and is currently on assignment in Asia. NOTE: Colin does not respond to comments, and does not Tweet.

Look ma, no ads!

Admit it! You just can’t look away. Yet, there’s so much more.

Become a subscriber to TalkingPointz for access to reports and premium posts.

There are several ways to stay informed:

Visit this site regularly.
Receive new posts in your email once a week.
Become an Insider or All Access Subscriber for alerts and access to uncensored content.

Become a Member from $49 / month

TalkingHeadz Podcast

The TalkingHeadz podcasts are @DaveMichels and @EvanKirstel chatting with interesting guests. These are unsponsored and unscripted for your enjoyment. You can subscribe on most podcast apps including iTunes.

Listen on iTunes

Podcast mitel TalkingHeadz

TalkingHeadz Podcast with David Petts of Mitel

February 13, 2023

Mitel is back in the news again – this time for its planned acquisition of Unify from Atos. This podcast only touches on that – the news was very fresh and the deal hasn’t closed yet. However, it’s an interesting…

Discussion

mjgraves September 23, 2013

Colin,

The post title is a bit of a bait & switch, as you don’t describe “how-to” anything but answer your superiors. I can’t help but think that it’s not as bad as many are making out. If anything all of the attention to security is long overdue. So much VoIP traffic travels literally in-the-clear.

Anyone can break into my home, at any time they like. That doesn’t diminish the value of locking the door. It keeps out the casual thief, if not the determined professional. Living across the road from an elementary school I appreciate that there are a lot of potential casual thieves out there.

Reply