A couple posts back I linked to a guy’s lengthy, complex blog post about setting up your own secure email server. I mentioned at the time that it’s only really secure if both ends of it are secure: you may have the most secure email on earth, but if you email your jihadi buddy who uses a Hotmail account, the government could just demand that email copy from Hotmail, and all your efforts are defeated.
I can prattle on all day about encryption and private keys and how it uses the algorithms to do this and that shit with prime numbers etc., but the thing about encryption… specifically, RSA encryption and SSL, the stuff you use to be secure online… is that equally important is the concept of trust. You have to trust that that SSL certificate really does belong to your bank. You have to trust that the public key you’re using to encrypt your email really does belong to your friend. And you have to trust that neither of those two will be handing out their private keys all willy-nilly.
OH BY THE WAY THE GOVERNMENT IS DEMANDING PRIVATE KEYS FROM SERVICE PROVIDERS GL HF LOL KTHX.
So far the assorted service providers at that link… Hotmail, GMail, etc., are denying that they’ve complied with or even received these requests. Most are also declining to go on record as to whether they would or would not comply.
What this means is that, if such keys were indeed provided, the NSA (or anyone with said keys) could just slurp all the data and unencrypt it at whim, rather than possibly wanting to wait on a court order that Hotmail provide your Jihadi buddy’s email, etc. As it stands they can probably brute-force decrypt a lot of the less-thoroughly encrypted stuff with no problem, but this would still be far, far faster for them.
Anyway. Even more food for thought.