What encryption tools can you trust? Leaked NSA documents offer few answers
A new report from Der Spiegel reveals more information about the National Security Agency's efforts to undermine the encryption standards on top of which much of the Web is built.
Those efforts were first revealed in a joint report from the Guardian, ProPublica, and the New York Times published in September 2013. Both reports are based on agency documents leaked by former NSA contractor Edward Snowden over 18 months ago.
The reports differ in their specificity. Der Spiegel elected to name the security tools -- virtual private networks, the HTTPS standard, and the SSL protocol, among others -- targeted by the NSA and its allies. The Guardian, ProPublica, and the Times did not.
Der Spiegel is also more specific about what security tools are supposedly resistant to the NSA's efforts. The report claims tools like Pretty Good Privacy (PGP), TrueCrypt, ZRTP, and the Tor network have all resisted efforts to compromise their protections.
But the report doesn't make it clear whether the NSA could have had a breakthrough success between the creation of the documents on which Der Spiegel's report is based and today -- more than a year-and-a-half after Snowden first leaked the documents.
It also doesn't mention the tools law enforcement can use to de-anonymize traffic on the Tor network, or the apparent ease with which hackers cybercrime journalist Brian Krebs called a "gaggle of young misfits" can target the network. (The word "target" is key -- the Tor network claims efforts to undermine its security will be unsuccessful.)
That decision is made even stranger by the report's opening, which documents the speed with which the NSA compromised the security of the Skype phone service, and the legal processes used to ensure the agency's continued access to the service's data.
The implication is clear: Der Spiegel believes some tools can be trusted and some cannot based only on its analysis of the Snowden documents instead of on more recent reports concerning attacks against the ostensibly secure communication tools. It also doesn't mention that using tools like Tor leads to increased NSA scrutiny.
And I'll just leave this here that two of the report's seven co-authors work on the Tor Project.
[illustration by Brad Jonas]