Bruce Schneier wrote an excellent piece on how the NSA has actually threatened national security rather than strengthened it. I agree with Bruce on this one – they have most assuredly changed the game, and you can be sure that other nations are going to alter the way they conduct their intelligence gathering and counterintelligence activities. For those of you who don’t follow Schneier’s excellent blog, I made the following comment, which I think is pertinent enough to mirror on this blog.
The NSA have essentially changed the game, so to speak. The Internet was founded upon collaboration and just being friendly, to the extent that for much of its early life some of the most critical infrastructure relied on unencrypted protocols like plain SNMP or Telnet, or BGP without any authentication extensions.
Well, the game has most definitely been changed. I think in the next twelve to thirty-six months we will see:
- any site that processes user information in the form of a submitted form, no matter how mundane, will be compelled to use TLS to protect that data. Moreover, sites that typically wouldn’t have a need for TLS will start offering a mirrored version of their site on HTTPS for privacy-concerned users. Some may make it their default.
- a complete review into the completely broken certification authority model which our browsers are programmed to implicitly trust. It is broken. Root certs are in the hands of those who you just can’t trust and the game is over. It is time for a better solution. Hell, even an OpenSSH-style solution where the browser keeps a cache of site information and alerts on a change would be an improvement. Personally I think that with a little initiative a crowdsourced distributed “web of trust” could be created. The more entrepreneurial could probably see a way to bind this to a cryptocurrency in the form of a bond, i.e.: “XXX industries puts up XXX BTC to assure that YYY LLC is who they say they are.”
- an open revolt against advertisers and conglomerates like Google mining our personal data, identifying us through browser profiling, etc.
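The OpenSSH-style cache suggested in the second point, sketched as an added example (not code from the original post): a trust-on-first-use pin store that records a SHA-256 fingerprint per host and reports a change instead of silently updating. `PinStore`, `demo` and the host `example.test` are hypothetical names, and the certificate bytes are constructed stand-ins for DER certificates.

```python
import hashlib
import json
import ssl
from pathlib import Path

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a server's leaf certificate (needs network; unused in the demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

class PinStore:
    """known_hosts-style cache: host -> fingerprint seen on first contact."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'new', 'match' or 'changed'; never overwrites a pin."""
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen  # trust on first use
            self._save()
            return "new"
        return "match" if pinned == seen else "changed"

    def accept(self, host: str, der_cert: bytes) -> None:
        # Explicit user decision to replace a pin after a 'changed' alert.
        self.pins[host] = fingerprint(der_cert)
        self._save()

def demo(tmp_dir: str) -> list:
    store = PinStore(Path(tmp_dir) / "pins.json")
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    results = [store.check("example.test", cert_a),  # first visit: pinned
               store.check("example.test", cert_a),  # same certificate
               store.check("example.test", cert_b)]  # different one: alert
    store.accept("example.test", cert_b)             # user accepts the change
    results.append(PinStore(store.path).check("example.test", cert_b))
    return results
```

A routine certificate renewal also produces `changed`, so the alert only says that the certificate differs from the cached one; deciding whether the change is legitimate is left to the user.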
That’s why I use Certificate Patrol https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
I wish there also was a “CloudFlare alert” extension.