‘SSL added and removed here’ – Google mocks NSA in crypto code easter egg
It’s an open secret that the NSA is keeping tabs on Internet users through various means. Whistleblower Edward Snowden’s revelations suggest that the agency does not even have to take an active role in eavesdropping, as it’s the Internet and tech companies that do this for them. Case in point: Vodafone recently published a transparency report, indicating the means and methods through which governments are spying through telecom networks.
Google is actually one of the companies that have been used by spy agencies in their data mining efforts. In particular, the movement of information between datacenters can be the chink in the security armor. A leaked confidential presentation even gives a graphical representation, with the words “SSL added and removed here,” pointing toward where the potential vulnerability lies, and where spooks can make away with supposedly secure information.
A recent effort by Google called End-to-End aims to address the need for better consumer-grade security through a Chrome plugin, which will make encryption accessible to the masses. Still in development, the plugin has been turned into a community effort, wherein Google is seeking the support and help of developers around the world in improving the code. Funnily enough, Google has included an easter egg in its code, with a line poking fun at the NSA: “ssl-added-and-removed-here ;-)” it says.
End-to-End is still in alpha, and developers caution that it is not yet ready for public use, since it might lull users into a false sense of security, especially mere mortals like us who are not that adept at cryptography. But once ready, the goal is to provide a painless way for users to “encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP.”
Google is not alone in its attempt to keep the Internet more private for the regular Joe, however. Just recently, digital rights nonprofit organization Fight for the Future launched an effort called Reset the Net, which provides resources for improved consumer-grade security through a “privacy pack.” This includes apps like TextSecure, Tor, CryptoCat and RedPhone, meant for mobile and desktop-based communications. Meanwhile, for companies seeking enterprise-grade security, there are always apps and services like Strixus, and firms might opt for private cloud providers like Acclivis that ensure data sovereignty, outside the geographic jurisdiction of the US or the UK.
Will End-to-End and other privacy apps do the job, or will the NSA find another way to do its “SSL added and removed” trick to keep spying on us?