Comment by mladenkovacevic
12 years ago
So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?
If this is true my next question would be does NSA have access to the keys or are they removing encryption in some other more technically involved way?
> So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?
Well, yes, if you are Google. The removal of SSL is done by Google's own front end servers at the boundary between the public internet and Google's own network, and Google's own network (including its private datacenter-to-datacenter fiber connections) are apparently not encrypted (which saves compute overhead.)
The revelation in the article (assuming it is correct) is that the GCHQ is taking advantage of this fact to evade Google's move to encrypt user-to-Google connections by simply tapping Google's datacenter-to-datacenter connections and (as well as whatever use GCHQ itself makes of the captured data) providing the NSA the ability to provide search terms that are matched against the captured data, with matching data fed from GCHQ to the NSA.
(This neatly also avoids any US legal limits on domestic electronic surveillance by the NSA, since, first, the surveillance isn't conducted by the NSA or any other US agency, and, second, its presumably not physically conducted in the US at all.)
Tell me if I understand this right: Google thought it was okay to not encrypt that 'internal' traffic, because even when trans-continental, that traffic was on 'private' Google fiber carrying only Google traffic, not the public internet. It was theoretically on a network that only Google had access to.
That's why it seemed okay not to encrypt it, right? (Otherwise, I don't know why Google would have thought it didn't have to encrypt it).
But the NSA managed to tap into this 'private' fiber anyway, perhaps with the cooperation of the actual telecoms that run it?
Do I have that right?
Essentially, that is what the article seems to indicate, except that it was Britain's GCHQ, not the US's NSA, that did the tapping. The GCHQ, as part of the "Five Eyes" intelligence cooperation [1], lets the NSA do searches against the data they get from the taps.
[1] http://en.wikipedia.org/wiki/UKUSA_Community
The spies tap the side where there's no encryption. SSL encryption is by Google's design removed by Google at the point marked with the smiley face.
The trick is that Google has to move a lot of data between their own servers on the different locations (even different continents) and that traffic is not encrypted. That's why "Two engineers with close ties to Google exploded in profanity when they saw the drawing." It was that easy.