Yahoo! To! Switch! On! Webmail! Crypto! By! Default! Next! Year! Following in the footsteps of Facebook, Google, and Microsoft, Yahoo! has said that it will make SSL encryption the default for all users of its Yahoo! Mail service beginning in January. The Purple Palace confirmed the plan in an emailed statement to the Washington Post on Monday. Yahoo! has only offered SSL encryption for …
Why does the NSA have to crack SSL? You have a secret court issuing secret orders with a hush order to make sure it all stays a secret for the provider to turn over the keys. The court required Lavabit to turn them over for not just Snowden but *ALL* users. That was well beyond the authority of the court as it violated the privacy of everyone using the service, not just whom they wanted to monitor. So the same could be done for any company based or has a physical presence in the US.
Connecting the dots, NSA likely already has the keys to Yahoo, Google, etc. because at some point there will have been a limited court order, similar to the one issued to Lavabit. Once the key is handed over it's enough.
Remember Bullrun?
BULLRUN is NSAs database of encryption keys. They get keys using warrants issued by secret court orders. The Judge is persuaded by the FBI story that it will *only* be used to filter out the target and the rest will be thrown away so he issues the order on those limits.
Lavabit for example were forced to hand over their SSL keys to the FBI, the FBI in turn hands them to NSA to do the actual surveillance.
Once NSA has the keys it DOESN'T REALLY NEED THE INTERCEPTION BOX[5]. It has a tap on the backbones [1], and RECORDS AND STORES encrypted traffic for later decryption[2]. So really when they get the keys, that's all they need to decrypt all the HISTORIC traffic[3].
They can then mine those emails for further passwords, keys etc. even on Americans[4]
The Judge thinks he's issued a limited warrant, but that's not what's happened. NSA hands back the FBI only the data that falls within the judges warrant.
The only purpose the box on Lavabit's network serves is to add an extra tap point, and it would let them fake email messages in a convincing way that look like they really came from Lavabit and really came from the account.
[1] We know they tap the backbone
[2] Encrypted traffic is one of the excuses used to keep US data
[3] Ergo, once they get the keys they can decode that historic traffic too
[4] Data of Intelligence value can be kept even on Americas,its one of the exceptions and we know they mine emails and conversations for passwords and other data. Hence they can have a go back through that now unencrypted data and have a good look.
[5] Using the historic data and the ongoing taps, it doesn't need the box on Lavabits network. I think that's just a toy to get the judge to focus on, when the real prize is the SSL key.
So to sum up, if you use Yahoo, Google, Hotmail, Facebook etc. once they've handed over those keys, all your future and past discussions are then available in the giant database General Alexander has built. Even if the FBI is handed a subset that complies with the judges order, it is likely everything is still stuck in the database, aka 'lockbox' and continue to be used to populate the database via Bullrun.
Does that mean they're going to fix their SSL implementation or just flip the switch?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
