The timing of these failures is significant in light of the revelations of Edward Snowden and the push to encrypt all traffic on the internet for privacy and security. As more people and devices begin using encryption and SSL/TLS for communication, the risk of compromise due to these flaws increases. The question is: are these flaws a mistake, or are they some of the flaws that Edward Snowden claims were put in place under pressure from the NSA?
Again, we have a massive number of people moving to encryption due to privacy concerns. Google and other search providers are giving a leg up to sites using SSL, email services are quickly moving to TLS for more secure email relay, and phone makers are starting to add encryption to their devices to protect them. According to Snowden, the NSA and other government agencies built backdoors and hidden flaws into the most common encryption standards to ensure that they would always be able to get in. The two events are not coincidental, as we are seeing flaws that have existed for 10+ years in some cases suddenly get patched without much in the way of an explanation. Why would flaws of this significance not have been patched years ago?
What makes this even more suspicious is that all of these flaws are very close in scope. They allow someone else to drop in on your “secure” session and execute code. This gives the attacker quite a bit of flexibility in what they can do to you. They can drop in software to spy on you, or (if they are malicious enough) take full control of your system. How do we find flaws that match up so closely in different secure protocols unless they were intended? Conspiracy theories aside, these flaws are at least being patched by the developers quickly now that they have come to light. Sadly, someone has to apply the patch to plug the holes before the bad guys get in. With the way we have seen corporations react lately, we have a feeling that this one will not really be fixed anytime soon.
Tell us what you think