Archive 2013


Cryptography Mailing List


Is HTTPS A Lost Cause?

Following the allegations that the NSA is capable of reading encrypted communications many people wonder if using HTTPS is beyond help. Is any trust left in HTTPS at all?

And we're not talking about forged certificates. The question is whether or not the encryption built into HTTPS can be circumvented and if so, whether or not there is a cure.

The NSA's Surveillance and Attack Workbench

According to Bruce Schneier who has helped the Guardian journalists to make sense of the documents Edward Snowden handed them, the NSA has acquired a number of capabilities to turn the internet into a global surveillance tool:

As to Bruce Schneier's interpretation of the Snowden documents there is little doubt that

  • the NSA monitors the internet traffic to an extend, that interesting activity of individual users can be identified. By storing fingerprints of interesting HTTPS requests in large databases the NSA can trigger their activities by those fingerprints and is able to react to individual user's actions.

  • The NSA can redirect HTTPS traffic to a set of their own (quantum) servers, which are located at the core backbone of the internet and they can use their quantum servers to impersonate ordinary websites to launch an infection attack on a user's browser and computer system.

    This is possible, because NSA's quantum servers are based at a privileged position on the internet backbone, so they can react much faster to a HTTPS request than the legitimate website does. This speed advantage is being used to prevent the browser to build a connection with the original, legitimate website. Think of this as a better version of DNS spoofing without altering the IP.

  • Once the traffic has been redirected to quantum servers, these servers launch a variety of pre-arranged attacks against the user's computer system exploiting vulnerabilities of the OS and installed applications to download more pre-fabricated, NSA-prepared payloads of infecting code that help to compromise the computer system long-term. These activities read pretty much like a sophisticated version of what you'll expect from the ordinary, criminal malware industry that bothers internet users for the last couple of years.
All this sounds scary enough to fuel severe concerns about the online security of every single individual using the internet. But let me focus on the security of HTTPS for a moment.

How would someone who has this kind of abilities use it to make HTTPS traffic insecure?