In a recent talk at the Chaos Communication Congress, Jacob Appelbaum, who is a core member of the Tor Project and is now working with Der Spiegel and Laura Poitras to analyze the Snowden documents, unveiled some documents showing which tools the NSA couldn’t crack.
OTR (Off The Record) is a crypto protocol best known for its ability to encrypt every message with a new key (a feature called Perfect Forward Secrecy) and to have plausible deniability (in that it can’t be proven you were the one sending the message). The protocol is used in multiple clients, including in Pidgin, Jitsi or Adium for desktop, or in mobile clients such as CryptoCat or ChatSecure.
TextSecure used to use it as well, until it changed to the more modern Axolotl protocol (recently adopted by WhatsApp as well), which has the advantage of asynchronous conversations (you can leave someone messages even if they are offline). With OTR-based clients, the users need to be online to receive the messages. The Snowden documents didn’t say anything about TextSecure’s Axolotl because they date from 2012 or before, when Axolotl didn’t exist.
The PGP (Pretty Good Privacy) protocol invented by Phil Zimmermann (who is now working at Silent Circle) is more than two decades old, but it seems to have stood the test of time. The Snowden documents unveiled by Appelbaum and Laura Poitras showed how the NSA can’t decrypt PGP, either.
PGP does have at least two major weaknesses, though; one is technical, and the other is related to the user experience. PGP messages can’t be “forward secure”, so if a key is stolen, then all previous messages can be decrypted. As for the UX issue, it’s well known by now that Glenn Greenwald almost missed the reporting on the Snowden documents by not being able to set up PGP properly. Right now it’s too hard to use for most people.
Fortunately, there are multiple individuals and companies working on making it easier. One of these companies is Google, which is working on the “End-to-End” extension for email. However, we’re probably at least a year away from a public release, and we also don’t know yet if it will remain as secure as using the original PGP or if it will introduce new vulnerabilities along with a new easier-to-use design. So far it looks promising, though.
In the documents seen by Jacob Appelbaum, RedPhone is labeled as “Catastrophic” in terms of how hard it is for the agency to break. RedPhone, along with its Signal variation for iOS, is an encrypted voice app that uses the ZRTP protocol, invented by Phil Zimmermann, Jon Callas (both at Silent Circle), and other security researchers. It’s also what Silent Circle’s “Silent Phone” uses.
Tor is a network of over 5,000 relays that redirect user traffic, enabling online anonymity. Tor and the Tor browser seem to have posed many problems for the NSA, in general making it very difficult to track people. However, we know from recent busts, such as the ones involving Silk Road, that if specifically targeted by the NSA, Tor users can be identified.
Sometimes that happens because the targets don’t update to the latest version of the Tor browser with all the latest patches, while other times they simply make mistakes they aren’t supposed to make, such as logging in with accounts that can be linked to their real names and addresses. Overall, Tor still remains the most privacy-friendly and censorship-resistant tool out there for the vast majority of people.
Tails is a Linux distribution that has been customized to work only through Tor to make it harder for those trying to snoop on a certain person to identify who they are. It should go without saying that a machine running Tails shouldn’t be your main machine, because if you log in to Facebook or Gmail from it, then the anonymity provided by the system becomes pointless.
For extra security, Tails can be used from a DVD, ensuring no malware that’s meant to expose you can be written to it. Then, every time you use Tails it will be like using a clean install of it.
What seems to tie all of these projects together is that none of them are written and maintained by large corporations with billions of dollars in profits. It’s not Apple, Google, Microsoft or Facebook’s security that’s stopping the NSA, but some free open source tools written by individuals that are putting the brakes on the NSA’s mass surveillance programs.