Which Encryption Can You Trust?

by Colin Berkshire

Colin here.

The simple answer is that you can no longer trust any encryption systems. Read this again: almost all encryption systems are fully compromised at this point in time.

HTTPS, SSL, and TLS are all fully compromised. The top level certificate companies have all been compromised by the US government. Once you control the top level certificates you can fake anything else. Man in the middle attacks are trivial. Granted, secure web communications are somewhat protected against hackers, but not a whole lot. You have no protection from the government eavesdropping and then selling your secrets to its cozy friends. (Yes, both China and the United States spy on their citizens and companies and then sell or provide those secrets to big corporations for profit. Trust me on this.)

If you use a hotspot and trust either WEP or WPA2 to secure your communications then you are sorely naïve. WEP is fully compromised, and any hacker can listen to your communications trivially. And, I mean completely trivially. Within the last six months WPA2 has been compromised enough that hackers and road warriors can use software kits that they install on ordinary laptops. These cause a disconnect and a reconnect, and in that process the security keys for your communications link are compromised.

My current best advice is to always use a VPN back to your office. Don’t trust your local coffee shop and assume that your hotspot is being monitored.

Sadly, I’m still seeing people use PPTP protocol for their VPNs. You might as well not use any protocol at all if you’re going to do that. PPTP is just silly stupid. A flaw in the protocol means that encryption can simply be turned off from a man in the middle attack. Truly.

L2TP protocol provides a certain degree of encryption and protection on your VPN connection. But the truth is it’s not very good, and it is fully compromised by most governmental agencies. It was demonstrated to me this past week how L2TP can be cracked in real time by non-governmental people. (Hackers.)

The hackers tell me that the best security right now is IPSec. Using a VPN back to your home office secured by IPSec is reasonably secure. However, there is one caveat: you cannot share the certificate over the Internet. It must be installed through a communications channel which you own and control fully. If you email the certificate then you can assume that it is fully compromised. And trust me on this: the US government is very busy scouring emails and archiving all of the IPSec certificates so that they can use them on demand.

In theory, we don’t have to worry about the fact that our government is spying on us. Yes, it’s happening, but then it doesn’t seem so bad right now. I mean, who cares about little old me?

I’m old enough that I lived through some of the J Edgar Hoover years. The FBI was very busy doing similar spying during his era. He was blackmailing everybody right up to the president. So while we may all be insignificant enough that we don’t catch the eye of somebody in the government today, I worry about who the next J Edgar Hoover will be. Over the course of five or ten years it would be very easy for the NSA spying mechanism to turn into something similar to the German Stasi. It just takes a J Edgar Hoover type.

There is a solution to all of this. It just needs a technical standard to be adopted. If people could create their own PGP certificates and publish the public-key encryption side then there would be no top-level authority to be compromised. That is, the solution is a peer to peer system where the public encryption certificates are readily available.

Then, when you set up a secure connection with Amazon.com you tell them what encryption certificate to use to send to you, and they tell you what certificate to use to send to them. Each side of the communication is separately encrypted. Encryption keys can be public with no compromise of their integrity. All that’s needed is a public repository that they can be saved into and accessed. Let’s hope that somebody comes up with such a standard. The world needs it.
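The peer to peer scheme sketched above, together with the earlier caveat that a key sent over the Internet cannot be trusted as-is, can be shown mechanically in a few dozen lines. The Go program below is an added illustration written for this page, not code from the post or from any standard it calls for. It assumes X25519 key agreement and AES-256-GCM in place of the PGP certificates the post mentions, and every name in it (Peer, Repository, Fingerprint, Encrypt, Decrypt) is this example's own. Each party generates its own key pair, publishes only the public half to a shared directory, and derives a separate key for each direction of the conversation. The part that matters for the trust question is the fingerprint check: the public repository makes keys available but does nothing to prove whose they are, so a key pulled from it is used only when its fingerprint matches one confirmed over a channel the parties control, and a swapped repository entry is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Peer is one party with a self-generated X25519 key pair. Only the public
// half is ever published; the private half never leaves the machine.
type Peer struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewPeer(name string) (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, priv: priv}, nil
}

func (p *Peer) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Repository stands in for the public key directory the post proposes.
// Anyone can read it, and anyone who can write to it can swap a key, so a
// key fetched from it is trusted only after its fingerprint is checked.
type Repository map[string][]byte

// Fingerprint is the short value each party confirms over a channel it
// controls (in person, by phone) before trusting a key from the repository.
func Fingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// lookup returns the counterpart's published key, refusing it when the
// repository copy does not match the fingerprint verified out of band.
func (r Repository) lookup(name, verifiedFP string) ([]byte, error) {
	pub, ok := r[name]
	if !ok {
		return nil, fmt.Errorf("no published key for %s", name)
	}
	if Fingerprint(pub) != verifiedFP {
		return nil, fmt.Errorf("fingerprint mismatch for %s: repository key is not the verified one", name)
	}
	return pub, nil
}

// directionalKey derives an AES-256-GCM key for traffic from sender to
// receiver. Both parties compute the same ECDH secret; the direction label
// makes the alice->bob key differ from the bob->alice key, so each side of
// the conversation is encrypted separately as the post describes.
func (p *Peer) directionalKey(theirPub []byte, sender, receiver string) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(theirPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("p2p-demo|" + sender + "->" + receiver)) // hypothetical label
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals msg for the named receiver under the sender->receiver key.
func (p *Peer) Encrypt(repo Repository, to, verifiedFP string, msg []byte) ([]byte, error) {
	theirPub, err := repo.lookup(to, verifiedFP)
	if err != nil {
		return nil, err
	}
	gcm, err := p.directionalKey(theirPub, p.Name, to)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil // nonce is prepended
}

// Decrypt opens a message from the named sender; GCM also rejects tampering.
func (p *Peer) Decrypt(repo Repository, from, verifiedFP string, ct []byte) ([]byte, error) {
	theirPub, err := repo.lookup(from, verifiedFP)
	if err != nil {
		return nil, err
	}
	gcm, err := p.directionalKey(theirPub, from, p.Name)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
```

In use, each party would fetch the other's key from the repository, read the fingerprint back to them over the phone or in person, and only then call Encrypt and Decrypt; the fingerprint comparison is what turns a merely public key into a trusted one.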