Google, the NSA, and the need for locking down datacenter traffic

UPDATED, the evening of Oct. 30 with Google's Response. Not that this is going to come as any real surprise to anyone who's been following the Snowden NSA revelations but it appears that the NSA's newly revealed MUSCULAR project has been listening in to Google and Yahoo's datacenter-to-datacenter communications.

The NSA has denied that they're doing this. Politico reported that a NSA representative said, "The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true." 

But, what is the NSA doing, if anything, anyway? Good question. The NSA PowerPoint post-it note of a slide on Google Cloud Exploitation simply shows a sketch where the Public Internet meets the internal Google Cloud at a Google Front-End (GFE) server. This is not exactly a detailed technical document. 

Here's are some of the ways this could work. First, you should know that Google, Yahoo, and other major multinational Internet traffic companies store multiple copies of data across datacenters. That way when you do a search, read a Facebook post, what-have you, when your Web request goes to the closest possible datacenter it will get the fastest possible results.

Six ways to protect yourself from the NSA and other eavesdroppers

To make that happen, and to ensure that you have the freshest information, the big boys use either their own or privately leased fiber-optic connections. These use networking technologies such as OC-768 and 100Gigabit Ethernet for data transmission rates of up to 100 Gigabits per second to hook up datacenters.

This traffic, over these network connections, is not being encrypted at this time. The companies seem to have thought that since encryption does take up some time, and the traffic goes over a private connection, this was safe enough. They were wrong.

After the news about NSA snooping first broke over the summer, Google decided it was time to start encrypting its datacenter-to-datacenter communications. Google also started automatically encrypting Google Cloud Storage data with 128-bit Advanced Encryption Standard (AES-128) before it's written to disk. Yahoo, for its part, is finally turning Secure-Socket Layer (SSL) on as its default Yahoo Mail setting for improved end-user security.

Will these methods solve the major Internet players' privacy problem? Probably not.

For starters, it's not at all clear from The Washington Post report how the NSA is listening in. Is the NSA is squatting in international telecommunications centers snooping on clear-text traffic between datacenters, or is the NSA actually breaking SSL, Advanced Encryption Standard (AES), and Transport Layer Security (TLS) traffic as it moves from Google's datacenters to the Internet? We don't know. For that matter, the Post story also implies that the GFE servers themselves may have been compromised.

If SSL and its related security protocols have indeed been compromised there are ways they could be toughened. One such possible fix is Perfect Forward Secrecy (PFS).

With PFS encrypted Web connections, when a secure connection is made between a browser and a server, a temporary secure session key is generated using Diffie-Hellman (DHE) or Elliptic Curve cryptography (ECDHE). As you continue to interact with a site new secure keys are generated.

The good news is that this makes it much harder to break such secure connections. Instead of having to break one key, a would-be snooper must break multiple ones. The bad news is that both algorithms can slow down connections and they're not universally supported by Web servers and browsers.

Of course, it's a cryptography truism that it's easier to get around cryptography than it to break it. So if the NSA, or one of its partners such as the UK's Government Communications Headquarters (GCHQ) could tap into Google's and Yahoo's private networks, that would be their method of choice.

David Drummond, Google's Chief Legal Officer, said, "We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

ZDNet has asked Yahoo for their take on the matter, but Yahoo hasn't responded yet. When they do, we'll update this story.

For now, we just don't know, which, if not all three, methods the NSA used and what the companies will be doing in reaction to this. What we do know, and we should have known all along, is that privacy really doesn't exist on today's Internet.

The moral of the story, for anyone, who runs datacenters in more than one country, is that it's well past time to start using as secure connections as you can find for your datacenter-to-datacenter communications. Simply having a "private" line doesn't mean that you're not actually on a party line with the NSA.

Related Stories:

• Meet 'Muscular': NSA accused of tapping links between Yahoo, Google datacenters
• Has the NSA broken our encryption?
• Has the NSA broken SSL? TLS? AES?
• Google accelerates encryption project
• How the NSA, and your boss, can intercept and break SSL