This is a bit of a follow-up to yesterday's post on how NSA hacks into email accounts. The information comes courtesy of a talk I had with the ACLU's Chris Sogohoian, who is probably one of the leading intellectual forces probing the intersection of technology, privacy, and surveillance. (If I've gotten any of it wrong, it's on me, not him.)
Let's call it the Yahoo problem.
Google and most other internet content providers use SSL, a protocol that encrypts data as it passes through a network.
Yahoo does not use SSL encryption by default.
Yahoo users who communicate with other Yahoo users are sending their data through the networks without encryption. (If they're savvy enough, they can, as of January 2013, enable it, but, honestly, how many Americans know what SSL actually is?)
Ok, you might be saying to yourself: I don't use Yahoo. I use Gmail.
But many Gmail users send email messages to Yahoo users.
So when a Yahoo communication communicates with a Google communication, by default, it can't be encrypted unless the Yahoo sender has enabled encryption, which, again, requires a basic understanding of why doing so would be worth the time.)
If someone wanted to tap into Google-to-Yahoo communications, she could do so by finding a place on the fiber optic wire that the electrons zip through, tap in, and simply read and see everything in real-time.
This is why, incidentally, you need to make sure to use the "https" indicator whenever you're using public Wifi; it's very easy to for malevolent folks to sniff data from unsuspecting users at Starbucks, and then exploit it for all sorts of nefarious purposes.
Why doesn't Yahoo make SSL the default? Cost, maybe. Or maybe, since the NSA acquires unencrypted Yahoo email in bulk overseas, it doesn't want to give the government a reason to serve Yahoo with a lot of FISA orders and requests. Don't ask, don't tell. There is also a tradeoff of sorts.
Google has been a leader in the field of forcefully and willfully adding security to its communications over time. Microsoft, Yahoo, and other internet firms have followed Google's lead in many instances.
Where Google leads today in the practice of only certifying a specific set of certifying authorities, or transactional middlemen, who give both ends of a communication a measure of security by verifying that the sender of a communication is indeed the sender who sent it.
Chrome browsers are embedded with a list of certificates that Google has pre-cleared, in essence, for use with its own email and content. These are stored locally and checked against the certificates that Google has already validated for the pipeline in question.
Think of it this way. Certifying authorities are the friendly patrol officers on the net. You are an email. You need to find an officer to escort you somewhere else. So you interrogate the officer you find. Is he a real officer? Does he have credentials? Do you recognize him? If the answer is yes, then you let him be your escort. If the answer is no, then you run to the police station and make a complaint. This is how Google's certificate pinning is supposed to work. It makes sure that the patrol officer's name is the same name that's on his police badge, and also makes sure that the police officer is a legitimate part of the force and is working the right beat at the right time.
Of course, a lot of content providers don't make sure that the police officers escorting their messages through the internet are actually the ones who are supposed to be there. They accept most of the 400 or so certifying authorities. Valid sites might let their certificates expire, and most browsers won't interrupt your experience with this news unless you ask it to. It's hard, but not impossible, to hack into a certifying authority and pose as someone you're not.
One reason why Google leads on certifying authorities is because they were burned by a fake one in 2011. Google caught hackers in the act because a user in Iran complained to the company that his browser was having difficulty accepting the certificate. That's because the certificate was being spoofed by hackers associated with the government. They managed to burrow into the servers of a small Dutch certifying authority used mainly by the Dutch government. Using the fake certificate, the Iranian government could easily read real-time communication from 250,000 Gmail users inside the country.
The internet is much larger than Google mail or website content, so what researchers like to call "SSL certificate vulnerability" ought to be an urgent matter for companies to work together to fix.
I'll end with this paradox.
The more secure a system is, the harder it is for the government to hack into.
If all the world's gatekeepers used SSL and certificate pinning, the NSA would not be able to collect nearly as much digital communications as they do now. (There are ways to break SSL, but it is not scalable and requires midstream collection. See here.)