Can't say I'm particularly surprised to be honest with you.

If it's backdoors there's not much people can do. If it's supercomputer brute force, stonger encryption could be employed to defend against it. How many bits encryption do banks etc use these days?

When you're talking about web pages they serve to customers as oppose to internal data transfer, the same as everyone else. The limitation is what the client browser can decrypt.

The problem with saying 'just get better encryption' is you're starting an arms race and more than likely the NSA/GCHQ are better equipped for war than you or I. Certainly they can escalate decryption techniques and resources faster than client OS's can escalate encryption techniques. You can't beat a government with brute force because they'll always have more of it than you.

What I would suggest is a change of approach, which leads from the point I made a while ago that the majority of encryption is wasted effort, because it's used on communications nobody cares about anyway. OK, I forget exactly the mechanism involved but look at the way cash machines 'talk' to the bank back end. That transmission is barely encrypted but it has a specific property (and this is the bit I forget how it works, sadly) that if the transmission is intercepted the bank will always know about it. And this is impossible to fake, we 're talking 'breaking the laws of physics' impossible.

What we need is not the assumption that our transmissions can't be read because we now know they can be pretty much whatever we do. What I would suggest we need instead is a way to know, to an absolute degree, whether our communications have been intercepted. We can't make the assumption that our communications can't be read any more, so the best thing to have is the certain knowledge of when they have or haven't.

Think about it - you know in theory someone can steal your credit card, but that's not something you're paranoid about because obviously you'll know when someone has. If we can make internet communications work in that way we can at least all be aware of what's happening, rather than relying on hiding everything when it now turns out the government can read it anyway.

We know that they have been broken anyway (exploits shown at a hacker conference in 2011), the newer versions are stronger and it isn't known if they have been cracked, but it is moot as many web servers and browsers still don't support TLS 1.1 and 1.2.

For example Firefox only introduced TLS 1.1 recently and hasn't implemented 1.2 yet.

On the other hand, if you set Internet Explorer to only accept TLS 1.1 and 1.2 connections, many websites will fail to connect, because they don't work with the newer standards. Interestingly Facebook and Google now seems to support TLS 1.1

On the other hand, as the NSA is storing the information, they just need to pressure Internet firms into handing over expired certificates, then they can easily encrypt the stored information (although actual communications would still not be automatically decryptable).

I think banks have 256 bit encryption which is as strong as much out there. Though if you are really paranoid then PGP allows up to 4096 bits which makes brute force attacks next to impossible. There are mathematical techniques that allow the shortcuts to encryption. If they use these to cut a 256 bit to 48 bit then this is easily crackable with brute force.

You should be looking at at least 2048 bits these days, especially for SSL certificates, when not 4096.

Make sure you read the full article. Power-hungry scumbags. And their capability will only ever get stronger as weeks go by, never mind years. I'm not easily sickened, but this'll do it.

these people do not realise what they have done
who is watching the watchers that are meant to protect

they have now made themselves the 'enemy' ...

For that comment they might consider you the enemy. But I do agree with you. If they were riffling through the bins or tapping our phones we would be up in arms. The vast vast majority of us have absolutely no terrorist or criminal inclinations or connections but over time this seriously erodes the fabric of the state. The public will treat the government as hostile to them and we will eventually bring in a new government be it via elections or revolution.

It does remind me of that Texan judge who was talking about forming a militia to protect Texas from Obama. Every day now that guy looks less crazy

NSA decryption revelations 'provide roadmap' to adversaries, US warns

http://www.theguardian.com/world/2013/s ... roadmap-us

Oh, I'd put money on your adversaries using it against not just you but the average citizen when it's convenient for them. You dumb fcuks.

Already the Chinese have ordered all their companies to replace all US telecoms equipment with Chinese telecoms equipment as fast as possible. If none is available to use European sourced telecoms equipment. This could cost US tech companies hundreds of billions of lost sales.

The worst part is GCHQ, MI5 etc aren't even subject to proper scrutiny or oversight - everything's hush-hush, secret and behind closed doors. Outside of the Home and Foreign Secretaries, and perhaps the Prime Minister, no-one knows what they're up to.

How the British public are ever supposed to voice their displeasure at the way they are governed when they aren't even told about it is beyond me. All that hoo-ha we had over the "Snooper's Charter" and it turns out GCHQ has been happily harvesting everyone's internet traffic for years anyway.

What ever happened to targeted action or reasonable suspicion?

Couple all this nonsense together with what happened to David Miranda and the old mantra "if you have nothing to hide" starts to ring very hollow indeed.

People berate the 'standard' civil service for being opaque and secretive but even the Home Department hasn't got a patch on these clowns.

The Patriot Act alone means that you cannot, theoretically, use any cloud service in Europe, if the hosting company has even a branch office in America, let alone headquarters there.

The problem is that they have to hand over your data under American law, but unless they receive written permission from the people affected (e.g. all the people in you contact list) they can't hand over the data under European law, without a valid EU court order. The problem is, if they hand over the data under a FISA request, then YOU are liable to prosecution in Europe, not the cloud service.