US internet experts seek to rewrite web security after disclosure of NSA cracking codes

Experts push for rewrite of internet security in wake of Snowden documents, revealing how US agency can break encryption codes on websites

Published: Monday, 09 September, 2013, 12:00am
Updated: Monday, 09 September, 2013, 7:15am

Internet security experts are calling for a campaign to rewrite web security in the wake of disclosures that the US National Security Agency has developed the capability to break encryption protecting millions of sites.

The head of the volunteer group in charge of the internet's fundamental technology rules said the panel would intensify its work to add encryption to basic web traffic and to strengthen the so-called secure sockets layer, which guards banking, e-mail and other pages beginning with https.

"This is one instance of the dangers that we face in the networked age," said Jari Arkko, an Ericsson scientist who chairs the Internet Engineering Task Force (IETF). "We have to respond to the new threats."

Leading technologists said they felt betrayed that the NSA, which had contributed to some important security standards, was trying to ensure they stayed weak enough that the agency could break them. Some said they were stunned the government would value its monitoring ability so much that it was willing to reduce everyone's security.

"We had the assumption that they could use their capacity to make weak standards, but that would make everyone in the US insecure," Johns Hopkins cryptography professor Matthew Green said. "We thought they would never be crazy enough to shoot out the ground they were standing on, and now we're not so sure."

Other experts likewise responded sharply to media reports based on documents from former NSA contractor Edward Snowden showing the NSA has manipulated standards.

But they acknowledged the task of rewriting security would not be easy, in part because internet security has relied heavily on brilliant government scientists who now appear suspect to many.

Green and others said a great number of security protocols had to be written "from scratch" without government help.

Vint Cerf, author of some of the core internet protocols, said he did not know whether the NSA had truly wreaked much damage.

"There has long been a tension between the mission to conduct surveillance and the mission to protect communication, and that tension resolved some time ago in favour of protection at least for American communications," Cerf said.

Yet Cerf's employer Google confirmed it is racing to encrypt data flowing between its data centres, a process that was ramped up after Snowden's documents began coming to light in June.

Author Bruce Schneier, one of the most admired figures in modern cryptography, wrote in a column in The Guardian that the NSA "has undermined a fundamental social contract" and that engineers elsewhere had a "moral duty" to take back the internet.

But all those interviewed warned that rewriting web security would be extremely difficult.

Mike Belshe, a former Google engineer who has spearheaded the IETF drive to encrypt regular web traffic, said his plan had been "watered down" in the committee process during the past few years as some companies looked after their own interests more than users.

Another problem is the relatively small number of mathematical experts working outside the NSA.

"A lot of our foundational technologies for securing the net have come through the government," said researcher Dan Kaminsky. "They have the best minds in the country, but their advice is now suspect."