Given that we now know that the National Security Agency (NSA) has the ability to compromise some, if not all, of the VPN, SSL, and TLS forms of data transmission hardening, it’s worth considering the various vectors of technical and legal data-gathering that high-level adversaries in America and Britain (and likely other countries, at least in the “Five Eyes” group of anglophone allies) are probably using in parallel to go after a given target. So far, the possibilities include:
- A company volunteers to help (and gets paid for it)
- Spies copy the traffic directly off the fiber
- A company complies under legal duress
- Spies infiltrate a company
- Spies coerce upstream companies to weaken crypto in their products/install backdoors
- Spies brute force the crypto
- Spies compromise a digital certificate
- Spies hack a target computer directly, stealing keys and/or data, or carrying out sabotage
Let’s take these one at a time.
As Ars has reported before, one of the major telecommunications companies in America—either Verizon or AT&T—went to the NSA in the days after September 11, 2001 because it “noticed odd patterns in domestic calling records surrounding the events of 11 September and offered call records and analysis.”