Can the NSA snoop ssl?

November 4, 2015

Browsers tell internet users when they are using https, and internet users are told to watch for this when making financial transactions, so that they know their communication isn’t exposed between their client and their financial institution’s web server. Of course, SSL is used for much other secure communication than web traffic, including many VPNs.

SSL in turn depends on a key exchange, commonly the Diffie-Hellman protocol, which begins with the two parties agreeing on a large prime number. Alex Halderman and Nadia Heninger explain how hard a single such prime is to break: “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
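To make the mechanics concrete, here is an added toy example (written for this page; it is not code from the original post, nor from Halderman and Heninger's work). It runs both sides of a Diffie-Hellman exchange over a deliberately tiny constructed prime (p = 65537, generator 3), shows that a passive observer who can solve the discrete logarithm in that group recovers the shared secret from the public values alone, and ends with a defender-side check that flags groups whose prime is too short. The 2048-bit threshold in the check reflects the post-Logjam recommendation; the function names and the toy parameters are this example's own choices.

```python
"""Toy Diffie-Hellman exchange, a brute-force discrete log, and a group-size check.

Constructed for illustration. The 16-bit prime is chosen so that exhaustive
search finishes instantly; that is the point: the work an eavesdropper must do
is governed by the size of the public prime, not by the secret exponents.
"""
import secrets

# Toy public parameters (constructed): 65537 = 2**16 + 1 is prime and 3 is a
# primitive root modulo it, so every non-zero residue is some power of 3.
# Real deployments use primes of 2048 bits or more.
TOY_P = 65537
TOY_G = 3


def dh_keypair(p, g):
    """Pick a random private exponent x and return (x, g**x mod p)."""
    x = secrets.randbelow(p - 2) + 1        # private exponent in [1, p-2]
    return x, pow(g, x, p)


def dh_shared(their_public, my_private, p):
    """Shared secret (g**y)**x mod p; both sides compute the same value."""
    return pow(their_public, my_private, p)


def dh_exchange(p=TOY_P, g=TOY_G):
    """Run both sides of one exchange and return (alice_secret, bob_secret)."""
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    return dh_shared(b_pub, a_priv, p), dh_shared(a_pub, b_priv, p)


def discrete_log_bruteforce(p, g, y):
    """Return x with g**x == y (mod p) by exhaustive search, or None.

    Cost here is O(p) modular multiplications. The number field sieve used in
    the Logjam work is far cheaper, but its dominant cost is a precomputation
    that depends only on the prime, which is why reusing one prime across many
    servers changes the economics so much.
    """
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = (acc * g) % p
    return None


def eavesdrop(p, g, a_pub, b_pub):
    """What a passive observer can do once the discrete log in this group is
    affordable: recover one private exponent and rederive the shared secret."""
    a_priv = discrete_log_bruteforce(p, g, a_pub)
    return dh_shared(b_pub, a_priv, p)


def classify_dh_group(p):
    """Defender-side check: classify a DH prime by bit length.

    Thresholds follow the post-Logjam guidance of 2048-bit or larger groups;
    1024-bit groups are reported as weak, anything shorter as broken.
    """
    bits = p.bit_length()
    if bits < 1024:
        return "broken"
    if bits < 2048:
        return "weak"
    return "acceptable"


if __name__ == "__main__":
    a_priv, a_pub = dh_keypair(TOY_P, TOY_G)
    b_priv, b_pub = dh_keypair(TOY_P, TOY_G)
    legit = dh_shared(b_pub, a_priv, TOY_P)
    print("shared secret agreed by both parties:", legit)
    print("secret recovered by passive observer: ", eavesdrop(TOY_P, TOY_G, a_pub, b_pub))
    print("group classification for the toy prime:", classify_dh_group(TOY_P))
```

The exchange itself is identical in shape to what a real TLS or VPN handshake does; only the size of p separates the toy from a deployment. Note that the prime and generator are public by design, so sharing them across implementations is not a flaw in itself; the problem the quoted passage describes is that a 1024-bit prime is within reach of a well-funded precomputation and that the same handful of primes is used nearly everywhere, so one such precomputation pays off against a huge fraction of connections.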

So, your traffic is safe, right? Maybe not. Programmers are lazy. It turns out that most implementations use one of a small handful of primes. As those authors explain:

Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.

They present some indirect evidence that the NSA may have done this.

