title: this is why you use ssl on the inside link: https://onemoretech.wordpress.com/2013/11/09/this-is-why-you-use-ssl-on-the-inside/ author: phil2nc description: post_id: 6598 created: 2013/11/09 13:25:15 created_gmt: 2013/11/09 18:25:15 comment_status: closed post_name: this-is-why-you-use-ssl-on-the-inside status: publish post_type: post

this is why you use ssl on the inside

The big lesson to be learned from the recent revelations about NSA intrusion into Google's network is this: you need to use encryption everywhere. The diagram tells you everything you need to know. The real problem isn't that all of our encryption methods are hopelessly broken. They aren't. It is that we're not using them. Even Google, who claimed to be using end-to-end encryption everywhere, wasn't. The NSA (and probably others) took advantage of that lapse in professionalism (and honesty), and did an end-run around the "hard shell" to get to the "chewy center". I think SSL and TLS are still effective tools in defending the privacy of people and businesses. Key strength and algorithms do need to be reviewed, of course. Keep in mind, however, that VeriSign/Symantec and other commercial CA's had already set 2048 bits as the minimum RSA key strength some time ago (in response to a NIST initiative), and that the weaknesses (and possible compromise) of ECC were already understood by the security community before the Snowden leaks. In fact I think that the existence of an massive effort to circumvent rather than directly attack encryption casts doubt upon claims that encryption can routinely be broken. The real question is whether, knowing everything we know now, people will make the effort to take the common sense step of implementing encryption everywhere. That's ultimately not just a question for technologists, but also for business leaders and individual citizens.

Copyright 2004-2019 Phil Lembo