I don't doubt of the importance of this revelations, but... "most encryption"?
Should we suppose that open source encryption is not used too much, in favor of closed source encryption systems?
Or should we suppose that open source encryption systems have backdoors too? See references below.
via Christopher M. Hobbs ( email@example.com )
"I think today's revelations make it unavoidable: #SELinux and #OpenBSD ( and possibly #OpenSSL ) need full audits. At least the first two had some #NSA assistance in the past, so very likely to have backdoors."
I have no idea of the spread (or not) usage or open source encryption, but it makes common sense for me to use precisely open source software (or home made software) for that kind of tasks (encryption). If I am a government, public administration, company or individual that needs to share secrets, how can I trust a program that I cannot audit? Even more if the program comes from a different country/group of interest than yours).
Other thing that came to my mind reading the article is that it mentions "Google + Facebook + Hotmail + Yahoo". I don't discuss that the importance of all that services and the importance of this issue, but frankly, I doubt that the messages that they (NSA, GCHQ) say that they try to intercept are transmitted by those channels. Even me (a poorwoman IT assistant in a public University in Spain) advice teachers and researchers to not share confidential data or sensible research data by Dropbox, Gmail or Google sites, and better use our inhouse facilities or other (safer) means...
"...if the NSA wants in to your computer, it's in. Period."
"Closed-source software is easier for the NSA to backdoor than open-source software"
"Trust the math. Encryption is your friend."
NSA surveillance: A guide to staying secure
Free software alone is not enough, unfortunately. For example, remember that a buggy implementation for SSH key generation has been in use for some time until someone noticed it. The good thing is: someone noticed it precisely because source was open, to begin with.
But most people use windows, that's a fact. Everyone knows it is inherently insecure, everybody knows microsoft tells exploits to the NSA months in advance before publishing a patch, and people still close their eyes and keep on using it. However, I don't blame the common windows user: it came with their laptop, after all. It is a de facto monopoly. To use free software only, of course you have to work it hard, but then it gives a heaven of advantages in return.
Christopher M. Hobbs (inactive) likes this.
Well, if they had backdoors in those they wouldn't need to ask the companies for the keys to decrypt all the encrypted communications they archived (they can get the session key used for a SSL-connection with the server's SSL-key and the archived traffic of key negotiation phase).
If everyone would implement ephemeral session keys / perfect forward secrecy they would try to a) get a way to get the cleartext from the company (or push for means to collect it inside the company) and b) probably also try harder to get backdoors in the software on both ends.