Snowden and cryptography: June 2013 as a turning point for the secure web

Snowden's June 2013 revelations on NSA programmes and the technical community's response: IETF, TLS protocol reform, HTTPS diffusion, forward secrecy, audits of open source crypto libraries. A cultural turning point.


June 2013

On 5 June 2013 The Guardian publishes the first article derived from documents provided by Edward Snowden, a former NSA contractor, to journalists Laura Poitras, Glenn Greenwald and Ewen MacAskill. Articles in The Washington Post, Der Spiegel, Le Monde, O Globo and others follow. The revelations made public between June and October 2013 include:

  • PRISM — programme of data collection from major US internet providers (Microsoft, Google, Yahoo, Facebook, Apple)
  • BULLRUN — programme of attack/weakening of public cryptographic standards
  • Bulk metadata collection — mass collection of phone and internet metadata
  • XKeyscore — internet traffic analysis system
  • TEMPORA — GCHQ (UK) programme tapping undersea cables
  • Collaboration with “Five Eyes” partners (USA, UK, Canada, Australia, New Zealand)

The revelations’ content is the subject of political and legal debate far beyond the technical scope. Here we focus on the impact on the open source technical community and on the cryptographic posture of the web.

Technical response

The IT community's response is multi-faceted and coordinated. Key events in the following 18 months:

IETF and “pervasive monitoring”

In autumn 2013 the Internet Engineering Task Force — the internet’s technical standardisation body — openly discusses the topic. In May 2014 RFC 7258 is published, titled “Pervasive Monitoring Is an Attack”, formally declaring mass surveillance an attack against which protocols must be designed. A historic stance of the technical community.

TLS reform

As of June 2013 TLS 1.2 is the state of the art (RFC 5246, published 2008), but still in the minority on the internet: many servers use TLS 1.0 or even SSLv3. Work on TLS 1.3 accelerates: the IETF WG, led among others by Eric Rescorla (Mozilla), will work from 2014 toward a protocol that mandates forward secrecy, removes deprecated mechanisms and reduces handshake latency. TLS 1.3 will be finalised as RFC 8446 in August 2018.

HTTPS Everywhere

The HTTPS Everywhere initiative of the Electronic Frontier Foundation (EFF) had existed since 2010 as a browser extension; post-Snowden, pressure to make HTTPS universal grows. Google announces in 2014 that it will use HTTPS as a ranking signal in Google Search, a market push for adoption.

Let’s Encrypt

In 2014 the Internet Security Research Group (ISRG) — with support from EFF, Mozilla, Akamai, Cisco — launches the Let’s Encrypt project, a free CA that issues certificates automatically via the ACME protocol. Beta in 2015, GA in April 2016. Let’s Encrypt will bring tens of millions of HTTPS sites online in its first operational year.

Open source crypto library audits

OpenSSL — the most widely used crypto library — was underfunded, with a small team. Post-Snowden and after Heartbleed’s discovery (April 2014, CVE-2014-0160), the community reacts: the Core Infrastructure Initiative (Linux Foundation, 2014) funds the security of critical open source libraries. LibreSSL is forked by OpenBSD in 2014. BoringSSL is forked by Google. Independent audits intensify.

Forward Secrecy as default

Perfect Forward Secrecy (PFS) — the property by which compromise of the server's private key does not compromise past sessions — was known but optional. Post-Snowden it becomes standard practice: servers are configured to prefer ECDHE cipher suites, and RSA key exchange is deprecated.
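As an added illustration (not part of the original article), the Python sketch below audits a TLS cipher list for suites that lack forward secrecy and builds a server context restricted to ECDHE. The function names and the sample cipher list are constructed for this example; it relies on the `kea` field that `ssl.SSLContext.get_ciphers()` reports with OpenSSL 1.1.0 or later.

```python
import ssl

# Key-exchange labels (the "kea" field of SSLContext.get_ciphers()) that use
# an ephemeral Diffie-Hellman exchange. OpenSSL labels TLS 1.3 suites
# "kx-any"; TLS 1.3 always performs an ephemeral (EC)DHE exchange.
FORWARD_SECRET_KEA = {
    "kx-ecdhe", "kx-dhe", "kx-any", "kx-ecdhe-psk", "kx-dhe-psk",
}


def non_fs_suites(ciphers):
    """Return the names of suites whose key exchange is not ephemeral.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output.
    A suite with no "kea" field is reported too (fail closed).
    """
    return [c["name"] for c in ciphers if c.get("kea") not in FORWARD_SECRET_KEA]


def hardened_server_context():
    """Server-side context offering only forward-secret key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2 suites; TLS 1.3 suites stay enabled and are
    # forward secret by design.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample: a pre-2013 style list that still offers static RSA
# key exchange next to ECDHE and a TLS 1.3 suite.
LEGACY_SAMPLE = [
    {"name": "AES128-GCM-SHA256", "kea": "kx-rsa", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "protocol": "TLSv1.2"},
    {"name": "TLS_AES_128_GCM_SHA256", "kea": "kx-any", "protocol": "TLSv1.3"},
]

if __name__ == "__main__":
    print("legacy list, no forward secrecy:", non_fs_suites(LEGACY_SAMPLE))
    hardened = hardened_server_context()
    print("hardened context, no forward secrecy:",
          non_fs_suites(hardened.get_ciphers()))
```

With static RSA key exchange, anyone who recorded the traffic and later obtains the server key can decrypt the session; the audit flags exactly those suites.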

NIST standard revision

Dual_EC_DRBG — a NIST-standardised pseudorandom generator — was already under suspicion (Bernstein-Lange-Niederhagen 2007; Bruce Schneier 2007) for a possible backdoor. The Snowden revelations confirm the suspicion: BULLRUN documents suggest compromise. NIST officially withdraws the standard in 2014, updating SP 800-90A.

Growth of end-to-end encrypted messaging

  • Signal Protocol (Open Whisper Systems) consolidates in 2013-2014
  • WhatsApp adopts Signal Protocol in 2014-2016
  • TextSecure (later Signal) becomes a standard recommendation

Industrial impact

Impact on corporate security posture is substantial:

  • HTTPS everywhere on public sites
  • Certificate pinning and HSTS (RFC 6797) adopted
  • Extended logging audits to detect insider threats (the Snowden case itself being the model)
  • Strengthened privacy regimes — the European political response will lead to GDPR (proposed 2012, adopted 2016, applicable 2018)
  • Sovereign cloud — European debate on dependence on US providers

In the Italian context

Effects on the Italian ecosystem:

  • Growing HTTPS adoption in public portals (gradually completed toward the end of the decade)
  • Revision of AgID technical rules on digital security
  • Push toward sovereign cloud: attention to Italian and European providers
  • Resumption of the public debate on encryption and privacy — a question periodically re-emerging in Italian and European political cycles

What remains

Years after June 2013, the trace of the revelations is visible throughout the web’s technical infrastructure: universal HTTPS, TLS 1.3, Let’s Encrypt, normalised end-to-end encryption in messaging products, public scrutiny of crypto libraries. The open source community responded to events with technical self-criticism and investment: the result is an Internet measurably more cryptographically secure than in 2012.

June 2013 did not only reveal what surveillance programmes had done; it forced on the industry an accelerated maturation of security tools and practices that would otherwise have required decades.


References: Snowden revelations (5 June 2013 onwards), The Guardian, The Washington Post. IETF RFC 7258 “Pervasive Monitoring Is an Attack” (May 2014). RFC 8446 — TLS 1.3 (August 2018). Let’s Encrypt (ISRG, 2015-2016). Heartbleed CVE-2014-0160. Core Infrastructure Initiative (Linux Foundation, 2014). Regulation (EU) 2016/679 (GDPR).
