Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Neither SSL or cryptography are broken. However, it's widely known that the government has its hands on most root-level private keys. All of cryptography comes down to how well we manage keys, whose weakest link is humans :)

Having the internet's root keys does two things:

1) The government can impersonate as most sites to perform a MITM, which is rare and would only happen on specific, targeted people.

2) The private keys reduce the search space for brute force 128-bit decryption to the point that it can be completed in near real time. If the government were to have direct access to the fiber backbones, then they could monitor SSL traffic as easily as plain-text traffic. Hence, "solved problem." Part of the trick behind this is pre-computing a lot of commercial site's individual private keys ahead of time. If you do nothing but monitor headers you would know the top 90% of hosts to pre-compute first.

To be clear -- I don't know what the government does or does not do. But I know a little bit about crypto and the industry, and I'm inferring what the government does based on 'innocuous' requests it makes regularly to a popular crypto products such as the one I worked on.



By root level private keys you mean the third-parties like Verisign etc, not just the ones explicitly belonging to the US government?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: