So let's assume the NSA still has these capabilities (a fairly reasonable assumption), and with SSL/HTTPS as a fairly feasible security option, how would these capabilities be possible? Either services aren't committed to and endorsing the use HTTPS/SSL and/or they are actively granting access to user information. Are those two reasonable conclusions?
I'm trying to understand why services are not taking a more active role in protecting their users' information if they are claiming to taking our privacy seriously.
To me, it comes down to being either incompetent or a liar, or both.
> * Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users.
> * These events are easily browsable in XKEYSCORE
As I understand it (and I may be wrong), most encrypted VPN traffic uses SSL. Given that XKeyscore data is only held for a few days (due to the immense volume) and given how nonchalantly they just throw out that they can decrypt VPN traffic, it sounds to me like they've either got the root SSL certs and are MITM'ing every connection they can or they've somehow broken SSL, either by breaking the actual encryption used or by exploiting vulnerabilities in how browsers handle it. If that's the case, then they don't need to ask Google or anyone else for your data, they can just read anything they want.
Poul-Henning Kamp: """With expenditures of this scale, there are a whole host of things one could buy to weaken encryption. I would contact providers of popular cloud and "whatever-as-service" providers and make them an offer they couldn't refuse: on all HTTPS connections out of the country, the symmetric key cannot be random; it must come from a dictionary of 100 million random-looking keys that I provide. The key from the other side? Slip that in there somewhere, and I can find it (encrypted in a Set-Cookie header?)."""
Even better would be for the NSA to penetrate Thwate, Verisign etc and make the keys they "generate" non-random (perhaps only for a subset of certificates sold)
Uh, no. We aren't subsidized by the NSA or any part of any government or any organization or person for that matter. We bootstrapped Private Internet Access with 500$ and a lot of caffeine and have been profitable since our second month in operation.
We believe what the NSA is referring to when talking about "VPN startups" is the initial stages of PPTP sessions. PPTP has been crackable for a while, check out moxie's cloudcracker.com. We believe it highly unlikely that they have broken OpenVPN (which is what our application uses) or SSL.
I'm trying to understand why services are not taking a more active role in protecting their users' information if they are claiming to taking our privacy seriously.
To me, it comes down to being either incompetent or a liar, or both.