Internet security experts are calling for a campaign to rewrite web security in the wake of disclosures that the US National Security Agency has developed the capability to break encryption protecting millions of sites.
But they acknowledged the task would not be easy, in part because internet security has relied heavily on brilliant government scientists who now appear suspect to many.
Leading technologists said they felt betrayed that the NSA, which has contributed to some important security standards, was trying to ensure they stayed weak enough that the agency could break them. Some said they were stunned that the government would value its monitoring ability so much that it was willing to reduce everyone’s security.
“We had the assumption that they could use their capacity to make weak standards, but that would make everyone in the US insecure,” said Johns Hopkins cryptography professor Matthew Green. “We thought they would never be crazy enough to shoot out the ground they were standing on, and now we’re not so sure.”
The head of the volunteer group in charge of the internet’s fundamental technology rules told Reuters on Saturday that the panel will intensify its work to add encryption to basic internet traffic and to strengthen the so-called secure sockets layer, which guards banking, email and other pages beginning with Https.
“This is one instance of the dangers that we face in the networked age,” said Jari Arkko, an Ericsson scientist who chairs the Internet Engineering Task Force. “We have to respond to the new threats.”
Other experts likewise responded sharply to media reports based on documents from former NSA contractor Edward Snowden showing the NSA has manipulated standards.
Documents provided to the Guardian, the New York Times and others by Snowden and published on Thursday show that the agency worked to insert vulnerabilities in commercial encryption gear, covertly influence other designs to allow for future entry, and weaken industry-wide standards to the agency’s benefit.
In combination with other techniques, those efforts led the NSA to claim internally that it had the ability to access many forms of internet traffic that had been widely believed to be secure, including at least some virtual private networks, which set up secure tunnels on the internet, and the broad security level of the secure sockets layer web, used for online banking and the like.
The office of the Director of National Intelligence said on Friday that the NSA “would not be doing its job” if it did not try to counter the use of encryption by such adversaries as “terrorists, cybercriminals, human traffickers and others”.
Green and others said a great number of security protocols needed to be written “from scratch” without government help.
Already Google is racing to encrypt data flowing between its data centres, a process that was ramped up after Snowden’s documents began coming to light in June.