US National Institute of Standards and Technology

Given that we now know that the National Security Agency (NSA) has the ability to compromise some, if not all of VPN, SSL, and TLS forms of data transmission hardening, it’s worth considering the various vectors of technical and legal data-gathering that high-level adversaries in America and Britain (and likely other countries, at least in the “Five Eyes” group of anglophone allies) are likely using in parallel to go after a given target. So far, the possibilities include:

• A company volunteers to help (and gets paid for it)
• Spies copy the traffic directly off the fiber
• A company complies under legal duress
• Spies infiltrate a company
• Spies coerce upstream companies to weaken crypto in their products/install backdoors
• Spies brute force the crypto
• Spies compromise a digital certificate
• Spies hack a target computer directly, stealing keys and/or data, sabotage.

Let’s take these one at a time.