Fwd: Concerns with NSA-created Software

[Se7en]

On Sun, 02 Oct 2016 19:39:29 +0000, Se7en <se...@firemail.cc>
(news:pan$c9953$5dc2e9bc$c709d254$7a1b...@eternal-september.org) wrote:

> I was reading up on NSA-created cryptology software. This was prompted
> when I discovered that my Distro's OpenSSL was out of date. Going to the
> OpenSSL site I discovered the unclassified patent agreement with the NSA
> in the development of the OpenSSL codebase. I did not realize, hitherto,
> that /modern/ cryptology software was made by the NSA.
>
> I understand that during the period of time known as the CryptoWars, the
> NSA did make encryption software for use by themselves (at a time when
> it was under the same laws as guns...). Now, I have discovered that they
> still hold patent for common forms of Encryption.
>
> They own most of the SHA512 codebase.
>
> Now, with the ability to audit code (it is FLOSS), and how long the
> cypher-suite has existed, there is no chance for backdoors (duh). None
> have been found (though they probably implement some into the non-free
> versions for use on systems such as Windows.) The concern I have is that
> if the NSA still holds patent on the software codebase, there is a
> possibility that they have already come up with a secretive manner of
> decryption for SSL and TLS.
>
> I know that in 2014 it was revealed that some forms of SSL and TLS were
> easily broken by them. I have since removed the ability to use these
> key-
> types from my machine.
>
> I have also switched from pure OpenSSL to the LibreSSL package (which
> still partially utilizes the pre-existing OpenSSL toolset).
>
> Should I be concerned that the NSA has partially developed FLOSS code
> that is primarily used in *all* modern computer encryption?

Didn't crosspost to the relevant groups, thought I should



--
Se7en | ,= ,-_-. =. GNU 4 Life
se...@firemail.cc | ((_/)o o(\_)) gnu.org/philosophy
http://se7en.ml | `-'(. .)`-' ``Screw the penguin.
0x257FD9D0DCB6B59 | \_/ The goat is sexier!''