Another week, another dire warning about the technology used to secure online communications. Internet security researchers are warning about a previously undisclosed vulnerability that affected all modern Web browsers — a weakness that could allow an attacker to snoop or even change communications thought to be secure.
The government classified encryption — a process that scrambles up information so that only those authorized can decode it — as a munition and tried to limit the spread of the most robust forms outside the United States through strict export rules on military technologies. But even though the United States reversed course by the end of the decade, the rules were so ingrained in technologies that make the Web run, they're still causing problems today.
"The original goal of export controls was to keep strong encryption inside the U.S. — the hope was that by forcing the software industry to use weak encryption we could keep strong security out of the hands of bad guys," said Alan Davidson, who worked on the issue at the Center for Democracy & Technology during the '90s and was the director of New America's Open Technology Institute when interviewed. (He just accepted a position as digital economy director at the Commerce Department.)
"But even then the notion of making strong encryption a thing for people in the U.S. that couldn't be accessed by those outside of the U.S. didn't make sense," Davidson said. It created a double standard that left innocent Internet users abroad less secure, he said, and once the encryption genie was out of the bottle, it was impossible to shove back in.
And even now, long after the most restrictive export rules on encryption have been lifted, the legacy of that policy is still leaving Internet users around the world less secure, experts say.
"You mandate people do certain things that are insecure, you're going to have a lot of nasty unintended consequences that last for a long time," said Matt Green, one of the authors of the report that revealed the latest vulnerability, dubbed "LogJam," and a computer science professor at Johns Hopkins University.
LogJam, which was first reported by the Wall Street Journal last week, affects the basic design of transport layer security, or TLS, which is widely used to secure things like online payments. When in use to protect Web traffic, it is often noted with a green lock in a Web browser's address bar. It is a sort of cousin to a similar bug known as FREAK that was disclosed earlier this year by The Washington Post, also based on the work of an international team of cybersecurity researchers. Green helped coordinate the disclosure.
Here is how an attack featuring the vulnerability would work: A bad guy on the same network as a user can trick the victim's system into using an unusually short encryption "key" -- the string of characters used to keep traffic private -- when it uses a common method for exchanging those keys known as Diffie-Hellman.
Shorter keys are weaker. And if the server a user connects with is using one of a handful of common set-ups, a prepared attacker would be able to break the encryption in a matter of minutes, according to the researchers — foiling the protection users depend on to keep their data safe.
They estimate the bug affected over 8 percent of the top 1 million Web sites, along with some e-mail servers.
But the reason those weaker keys exist inside the protocol at all is that the U.S. government forced software makers to put them there decades ago, during the Crypto Wars.
The original Crypto Wars
For a long time, digital encryption research and deployment in the United States was dominated by the National Security Agency and the military. But then the first private-sector encryption software started coming out — based on concepts like Diffie-Hellman.
"The basic idea, as it came together in the late 1970s, was a way that two people who have never met before can agree on a shared encryption key over a public channel," explained Green. That turned out to be hugely important when the commercial Internet was getting started because it provided a way to secure online communications without having to physically transfer a secret key.
"People building the new commercial internet wanted encryption because the Internet was insecure at its core," said Peter Swire, a professor of law and ethics at the Georgia Institute of Technology and senior counsel at law firm Alston & Bird, who was part of the encryption debate during the Clinton administration. "Without encryption, senders and recipients didn't know what servers in the middle would have access to their communications," he said.
So encryption was a huge deal for the Internet. But it also worried law enforcement officials, who feared that criminals or militants in other countries would use the security it provides to prevent the U.S. government from tracking their activities — putting potential victims in greater danger.
At one point the NSA promoted a device called a Clipper Chip. It was designed to give the government the ability to decrypt communications with judicial process. Essentially, it was what many cryptography experts call a back door. But researchers discovered vulnerabilities in the technology, and it was never widely deployed.
The part of the Crypto Wars that played into this latest security issue is export controls: The government classified encryption technology as military equipment and set a limit on the length of keys software makers could put in products for overseas customers.
There was an "excruciating permit process" for companies hoping to export software or hardware with strong encryption, according to Swire. And the end result of export key length restrictions was "that government super computers could try all the keys and open up targeted communication." Essentially, it was a way to ensure a type of brute force back door.
Privacy advocates and technologists railed against the policy — and by the end of the decade it looked like they had won. "At the end there was, if not total consensus, a widespread belief by both sides of the aisle and those in the administration that export controls weren't sustainable -- and back doors did more harm than good," Davidson said.
In September 1999, while Swire was serving as the chief counselor for privacy at the Office of Management and Budget, the Clinton administration reversed course on export controls. There remain some restrictions on exporting encryption products today, but they pale in comparison to the ones in place during the heyday of the Crypto Wars.
Unfortunately, the aftershocks of the old restrictions are still being felt by consumers, who live in a less secure digital world now because of them.
Even though the export control policy was changed more than a decade and a half ago, researchers are still finding that protocols relied upon by the Internet at large and used in the default settings of some systems retain traces of the restrictions.
Because of the rapid growth in processing power available to the public over the past few decades, decryption that once required government super computers is within reach of more run-of-the-mill cybercriminals. Or, as the researchers who documented LogJam proved, academics.
A Crypto Cold War?
Revelations from former NSA contractor Edward Snowden suggest the Crypto Wars may not have actually ended. Instead, it seems as though intelligence agencies took the debate underground, resulting in a sort of Crypto Cold War that privacy advocates weren't even aware they were fighting.
The NSA waged a covert fight against encryption, according to a story based on Snowden documents published in 2013 in partnership between the Guardian, the New York Times and ProPublica. As part of that campaign, the agency worked to undermine encryption security standards issued by the National Institute of Standards and Technology, the outlets reported. (NIST has denied it would "deliberately weaken a cryptographic standard.")
"That was a huge blow to trust in the system — it crossed a line that many had not expected," said Davidson.
But that wasn't all: In 2010 the spy agency had a breakthrough that made "vast amounts" of encrypted data collected by tapping into the Internet backbone "exploitable," according to a document from the NSA's partners at the British intelligence agency GCHQ, published by the Guardian, the New York Times and ProPublica.
The details of the breakthrough weren't revealed in the documents. But in the paper on LogJam, researchers speculate that the NSA's level of access to computing power and Internet infrastructure means it might be able to turn the same type of attack that works against the short keys left behind by '90s-era export controls against the more robust key lengths in use today.
Because there are a small number of fixed or standard Diffie-Hellman groups relied upon by many servers today, a nation-state actor like the NSA may be able to pre-compute enough of the information needed to decrypt the data in near real-time, the researchers argue.
This particular method, they speculated in the paper, seems to match up with Snowden documents, released by German magazine Der Spiegel, describing how the spy agency is able to break into encrypted Virtual Private Networks, a tool used to protect Web traffic from eavesdroppers via encryption. Green is quick to note that there is no smoking gun, but said "if you look at those documents and read them in light of what we know about these attacks, it's really consistent."
The NSA did not immediately respond to a Washington Post request for comment on this theory.
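The precomputation argument above (a few fixed Diffie-Hellman groups shared by many servers) and the short-key weakness described earlier can be seen at toy scale in the following added example, which is not from the article or the researchers' paper. It assumes a constructed 31-bit prime and substitutes the textbook baby-step/giant-step method for the technique the researchers used; all function and class names are hypothetical.

```python
from math import isqrt
import secrets

# Constructed toy group: a 31-bit prime so the demo finishes in well under a second.
# Real deployments use far larger primes, and the researchers' attack is not the
# baby-step/giant-step method substituted here; only the cost structure is the same.
P = 2**31 - 1
G = 7

class GroupPrecomputation:
    """Work that depends only on (p, g), so it is paid once per group."""

    def __init__(self, p, g):
        self.p, self.m = p, isqrt(p - 1) + 1
        self.baby = {}                      # g^j mod p -> j, for 0 <= j < m
        cur = 1
        for j in range(self.m):
            self.baby.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -self.m, p)     # g^(-m) mod p (Python 3.8+)

    def discrete_log(self, h):
        """Per-session step: find x with g^x = h using the shared table."""
        gamma = h % self.p
        for i in range(self.m):
            j = self.baby.get(gamma)
            if j is not None:
                return i * self.m + j
            gamma = gamma * self.giant % self.p
        raise ValueError("value is not in the group generated by g")


def constructed_session(p=P, g=G):
    """One simulated key exchange: returns the public values and the true secret."""
    a = secrets.randbelow(p - 2) + 1        # client private exponent
    b = secrets.randbelow(p - 2) + 1        # server private exponent
    return pow(g, a, p), pow(g, b, p), pow(pow(g, b, p), a, p)


def recover_shared_secret(pre, client_pub, server_pub):
    """Derive the session key from public values only, reusing the group table."""
    return pow(server_pub, pre.discrete_log(client_pub), pre.p)


def sessions_recovered(n_sessions=5):
    """Build the table once, then count how many sessions it opens."""
    pre = GroupPrecomputation(P, G)
    hits = 0
    for _ in range(n_sessions):
        client_pub, server_pub, secret = constructed_session()
        hits += recover_shared_secret(pre, client_pub, server_pub) == secret
    return hits
```

The table is built once and then serves every session in the group, which is why a server that generates its own sufficiently large group does not share the exposure of a widely reused one.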
Crypto Wars Redux
Now, thanks in part to the Snowden revelations, the debate over encryption is back in the public sphere. In a bid to regain customer trust, tech companies like Apple and Google are working to automatically encrypt more devices and services in ways that even they can't unlock if faced with a legitimate court order.
This has law enforcement officials returning to calls for mandates that tech companies build in ways for the government to access protected communications — albeit with some new twists, such as an idea floated by NSA director Adm. Michael Rogers that would involve splitting up encryption keys in an effort to make them harder for hackers to exploit.
But tech companies and encryption experts appear unconvinced — arguing so-called back doors would undermine the security of the users.
"Whether you call them 'front doors' or 'back doors', introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers," a recent letter to President Obama signed by companies like Google, Microsoft, Apple and Facebook as well as civil liberties groups and computer security experts said. "We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products."
A recent report from the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression echoed those concerns. "States should avoid all measures that weaken the security that individuals may enjoy online, such as back doors, weak encryption standards and key escrows."
Meanwhile, the LogJam vulnerability serves as a case study on the long-term chaos that can result from weakening the security of software.
Major browser makers and security researchers deliberated for months about how to respond to the issue, according to Green, ultimately deciding on a fix that would leave thousands of Web sites unavailable once enacted. And when the vulnerability was disclosed, only Microsoft had released a patch for the latest version of Internet Explorer already out, although others were at work on their versions.
Essentially, cleaning up the fallout from ideas that seemed like reasonable compromises to policymakers at the time in the '90s has turned into a headache that is still hurting innocent Internet users today.
And that is making computer security advocates even more committed to fight against what they see as a revival of the Crypto Wars. "The reason you saw so many people now coming out against back doors is because we already had this debate — and the lessons from the '90s are still true," Davidson said.
This post has been updated to clarify Green's role in disclosing the FREAK vulnerability.