Dear OpenSSL users,

so as most of us probably have, I've read both the Guardian article [1] as
well as Bruce Schneier's comments [2] on the newest revelations. So I was
wondering, given what little information is available,
what can be done to improve the situation.
Here is my take on what we know:

- It's clear SSL and thus OpenSSL as one of its most important
implementations are very likely
to be the prime target of whatever Bullrun does.
- It looks like the NSA has actively sabotaged any and all NIST
standardization processes.
- A quick check reveals that both Facebook and Google
- People have to ask themselves whether it's a coincidence RC4 is still
used even by Google
- Schneier, who has read hundreds of the Top Secret NSA files, in his article
claims he wouldn't trust
Elliptic Curves anymore because there are doubts about some of the
constants used.

So what do you guys and girls think? What can be done and is there any
chance for a bigger audit to find NSA influences?


[1]
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
[2] https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
