Betraying Internet Security

One of the standards of internet security is the trusted encryption key. These keys are sold by a number of companies; VeriSign is one. An encryption certificate issued by one of these companies is what vouches for the security of an internet session. I'm not going to describe how this technology works. It's been a standard methodology for a number of years, and if you want more info, do a Google/Yahoo/Bing search.

What you need to know is that this technology is what makes your on-line purchases using your credit card, on-line private chats and other internet communication private and secure. It's true that no encryption is 100% unbreakable. I'm sure the NSA can do the job. But it will take a while, and the effort is beyond the capability and budget of most of the world. Even those institutions with the capability, such as the NSA here at home and comparable groups across the world, cannot break those keys quickly.

So, for most current applications, your communications are secure. It's just not worth the effort to break the key to acquire information that may, in many cases, already be out of date.

That is no longer true.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
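The reason a forged certificate works is that a browser accepts a certificate for a site from any CA in its trust store, so a certificate issued by CA number 42 is as good as the one the site actually bought from CA number 7. The usual defence is certificate pinning: the client remembers the fingerprint of the certificate (in practice the public key) it expects and refuses anything else, even if it chains to a trusted root. The following is an added example written for this post, not code from the post or from any vendor; it is a simplified model in which certificates are plain records, the "DER" bytes and CA names are constructed, and the signature check that real validation performs is omitted.

```python
"""
Toy model of client-side certificate trust, showing why a forged certificate
from any trusted CA passes ordinary validation while a pinned fingerprint
rejects it. Not real X.509 parsing; all data is constructed.
"""
import hashlib

# Constructed trust store: clients ship with on the order of a hundred root
# CAs, and any one of them can vouch for any site name.
TRUSTED_CAS = {f"Example Root CA {i:03d}" for i in range(100)}


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of the encoded certificate, hex encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


def make_cert(subject: str, issuer: str, public_key: str) -> dict:
    """Build a toy certificate record. The 'der' field stands in for the
    encoded certificate and is what the fingerprint is taken over."""
    der = f"{subject}|{issuer}|{public_key}".encode()
    return {"subject": subject, "issuer": issuer,
            "public_key": public_key, "der": der}


def validates_against_trust_store(cert: dict, hostname: str,
                                  trusted_cas=TRUSTED_CAS) -> bool:
    """Ordinary validation: the name matches and the issuer is *any*
    trusted CA. (A real client also verifies the CA's signature.)"""
    return cert["subject"] == hostname and cert["issuer"] in trusted_cas


def validates_against_pin(cert: dict, pinned: set) -> bool:
    """Pinning: the presented certificate must match a known-good
    fingerprint recorded earlier, regardless of which CA signed it."""
    return fingerprint(cert["der"]) in pinned


# Constructed sample data: the site's genuine certificate, and a forged one
# for the same name obtained from a different (but still trusted) CA.
GENUINE = make_cert("shop.example", "Example Root CA 007", "genuine-key")
FORGED = make_cert("shop.example", "Example Root CA 042", "interceptor-key")
UNTRUSTED = make_cert("shop.example", "Unknown CA", "other-key")
PINS = {fingerprint(GENUINE["der"])}


def evaluate(cert: dict, hostname: str = "shop.example", pins=PINS) -> dict:
    """Return the verdict of both checks for one presented certificate."""
    return {
        "trust_store": validates_against_trust_store(cert, hostname),
        "pinned": validates_against_pin(cert, pins),
    }


if __name__ == "__main__":
    for name, cert in (("genuine", GENUINE), ("forged", FORGED),
                       ("untrusted", UNTRUSTED)):
        print(f"{name:9s} {evaluate(cert)}")
```

Run it and the forged certificate reports `trust_store: True, pinned: False`: the trust-store check is satisfied because the issuer is one of the hundred roots, and only the pin, which was recorded from the genuine certificate, tells the two apart. Real deployments pin the hash of the subject public key rather than the whole certificate so that routine renewals do not break the pin.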