Internet privacy has been a major topic of conversation for a while now.  And for good reason. You wouldn’t let anybody spy on your every move in the physical world. Why would you want people watching what you do online, either?

People really started talking about internet privacy in the mainstream back in 2013, after Edward Snowden leaked documents detailed the NSA’s surveillance of Americans’ online activity. Since then, people have continued to talk about Internet privacy and taken actions to increase their security online. 

Recently, Internet privacy found itself at the forefront of public discourse in the U.S. after Congress voted to remove privacy rules that were put in place to protect citizens’ internet history from being sold.  People have written a lot about this issue.  But there’s something that you probably don’t know about Internet privacy.

Internet privacy is based on the idea that 6th-grade math concepts are difficult to understand.

In this post, you’ll learn about why that’s the case and what problems have arisen because of it. But first, let’s talk about what the Internet actually is.

What makes up the Internet?

At its core, the Internet is a series of tubes. No, but seriously it’s actually a collection of fiber-optic wires that transmit data using flashes of light that are decoded at the endpoints.

People with direct access to a fiber connection have blazing fast Internet. But it’s more common for the last leg of the trip to depend on older technologies, like cable tv connections. The Internet process involves converting the Internet data into small packets that can be serialized through these pathways.

For example, take the fact that you clicked a link to this blog post. When you clicked the link, your computer sent a request through the wire and received hundreds of small packets. These small packets were small portions of the full message. When all of the small portions arrive, you see the final visual blog post.

This means that the data is apparent, visible, and accessible by any entity that is involved in the delivery of the small packets. So if you’re in Boston and you’re accessing a site that’s in San Francisco (this happens all of the time), the message is sent across dozens of states. It gets “switched,” or transmitted, through a ton of different stations controlled by different companies.

At its core, your Internet data is about as secure as yelling loudly enough to be heard across the country.

HTTPS and public key cryptography help make this process safer.  Let’s get into what these things actually are.

HTTPS and public key cryptography

HTTPS and public key cryptography are the basis for how messages can be securely delivered over the Internet.

Public key cryptography is based around the idea that numbers are difficult to factor.

Remember factoring? You probably learned how to do it back in 6th grade.

Take this simple case:

20 = (2) * (5) * (2).  

This is relatively easy.

But factoring can get difficult when you deal with very large semi-prime numbers.

Take the number 270,577,760,933,153,369,932,754,159.

This number has exactly two prime number factors.

How do I know this?

I generated two different prime numbers and multiplied them together.

Given that, I know that it’s equal to 9,241,115,469,109 * 292,79,772,754,451.

If I hadn’t told you that, though, you’d probably have a hard time determining the answer.

Computer Scientists theorize that semi-prime factorization is an “NP problem.

Algorithms that are in the class of “polynomial-time algorithms” can be efficiently solved by computers.

But “NP” problems are different. They are non-polynomial-time algorithms, which means that they take so long to run that it would take computers many years to solve them.

Public key cryptography involves these 2 steps:

  • Broadcasting the public key, aka the large semi-prime number
  • Encoding a message in a way that is trivially easy to decode if you know the factors, but impossible to solve without it.

HTTPS has what’s known as a handshake, in which 3 things happen:

  • Separate requests go over the Internet
  • Public keys are exchanged
  • Messages can be sent between the two entities with nobody in the middle able to understand them.

Let’s return to our “yelling across the country” analogy.

By using public key cryptography and HTTPS, your yelling would sound like gibberish to anyone in between you and the person that you’re trying to talk to. It would only make sense to you two.

For another example, think about Gmail. Gmail forces users to interact with their site over HTTPS. This means that it’s not difficult for an intermediate party to determine that I’m visiting Gmail, but it should be impossible for the intermediate party to determine the actual content of the messages that I’m sending.

From an academic standpoint, public key cryptography is bullet-proof. The algorithms and processes have proofs about effectiveness.

However, there are some weaknesses in modern public key cryptography that have been uncovered and needed to be fixed. It’s also not clear if there are other tricks out there that can be used to undermine the safety of these algorithms.

Here’s a look at the ways public key cryptography can be cracked.

1. Random number generator bugs.

In 2008, Ubuntu Linux, an open source operating system, reported problems with their random number generator.

Semi-prime factoring is difficult because the algorithm needs to manually check the divisibility of every single prime number. But if you know in advance a list of “common prime factors,” the problem becomes a lot easier to track.

While bugs like this can happen from developer mistakes, they can also be deliberately done to give the illusion of security.

As recently as December of 2015, it was reported that the NSA potentially leveraged a vulnerability in the number generator of Juniper networks.

With Open Source projects, like Ubuntu, where the code is open for the world to see, security concerns can be discovered by anyone. The good news about that is that it makes it easier to detect foul play.

But for proprietary systems, like Mac operating systems, Windows, iPhones, etc…where we can’t see the code, it becomes notoriously difficult to detect foul play.

2. The Heartbleed bug.

Rather than coding security algorithms by hand, most developers use popular libraries to do the work for them. It’s less error-prone than having hundreds of different implementations of the same security algorithm out there. But when something is off in one of these popular libraries, things can get scary.

The popular library OpenSSL, which powers two-thirds of the Internet and performs the cryptographic behavior, found a bug back in 2014 called Heartbleed. The bug was a buffer-overrun bug, a type of bug common when working in the C or C++ programming language.

Allegedly, the NSA had been aware of and exploiting this bug for two years to decrypt messages.

3. Quantum Computers make prime factorization fast and easy.

The Shor algorithm, an algorithm that can run on quantum computers, can factor prime numbers in polynomial time…meaning it can do it really fast.

Quantum computers do currently exist. However, the technology is still in the early stages.  Scott Pakin, a developer of the D-Wave modern Canadian quantum computer, says that systems might not yet offer performance improvements except in very narrow cases, according to a wired article published early this year.

Three years ago, the NSA started a research project to build a type of computer that could crack these types of encryption algorithms.

Has the government rolled out a system to do this?

We really don’t know the answer to that question.

Here’s what we do know about Internet Security

We live in an age where there is a massive amount of information that can be collected and stored.  We recently discovered that the CIA has the ability to hack into some Smart TVs.  This could be just the tip of the iceberg.  Our increased reliance on technology and the increasing power of technology to send data faster and to more people is really exciting. But it’s also pretty scary.

If you use the Internet, look out for yourself and for other people. Privacy is important. So read about how you can maintain it in the digital age.  Talk about it with other people. And do everything within your power to protect yourself.

AuthorKen Mazaika

Ken Mazaika is the CTO and co-founder at Firehose. Previously, he was a tech lead at WHERE.com (acquired by PayPal) and a member of the PayPal/eBay development team in Boston.

4 replies on “The Disturbing Reason Why Your Internet History Is Being Spied On

  1. Great overview of HTTPS security and its known threats.
    From the title, I was expecting to read more about usage and exploits related to your browsing history.

Leave a Reply to Kevin Cancel reply

Your email address will not be published. Required fields are marked *