No doubt there’s a lot to worry about in the world of cyber-security, but what makes the Times article interesting is this contention (not really attributed to any expert):
While sensitive data such as e-mails and commercial transactions are generally encrypted before being transmitted, the Chinese government holds a copy of an encryption master key, and there was speculation that China might have used it to break the encryption on some of the misdirected Internet traffic.
That does sound scary, right? China has an “encryption master key” for Internet traffic?
Except it doesn’t seem to be true. Experts tell me that there are no “master keys” associated with Internet traffic. In fact, conscientious engineers have avoided creating that sort of thing. They use public key encryption.
So why would the Times suggest that there’s a “master key”?
Is it not true that the common SSL encryption scheme used online does have a passkey of some sort integrated into its structure for trusted providers, i.e., the top tier connection providers? I’ve heard this discussion come up several times back during the Blackberry fuss in the Mideast, and it was pointed out that some of the entities entrusted with the required authentication keys were in no way trustworthy at all.
Sounds like the Times is making a hash of this issue (just as I am; I lack the technical mojo to properly lay out the underlying issues), but I believe that there is something there: the Internet by design relies on trusted peers, but not everyone online plays by those rules.
I think Trey is correct: I suspect that China is in fact a Certificate Authority, but the danger of that is not that they could somehow ‘break the encryption’ of misdirected traffic, but that they could use that certificate to make a man-in-the-middle or impersonation kind of attack work without raising any kind of ‘This site is untrusted’ flags.