One stupid question, can CIA scan and read communications which is openssl encrypted? Or can Chinese great firewall scan and read communications which is openssl encrypted?

If you use a sufficiently strong cipher, it would be prohibitively expensive (if not impossible) for them to do so by cracking the encryption. But if your private keys are stored on network connected computers, they might be able to gain access to those and not have to bother with trying to brute-force the encryption.

putting away the various flaws in the SSL implementations, I think they don't need to scan it in real time: assuming that storage is not a problem (and for some organizations actually isn't) they can record the traffic and unencrypt it taking their time.

what yesterday needed cpu power that seemed a lot at the time today isn't, and will be even more easy in the future.
so, in the long term, brute force cracking on recorded traffic is doable.

that is to say that I personally stopped trusting encryption for very delicate matters.

I know that my point is not going to be the strongest one but I don't think you have to worry about wich kind of aquarium are you selling. Government data collection is not about Chinese aquarium if Chinese don't mean cocaine and aquarium bomb. Come on.

If you look at the history of SSL/TLS, you will find that quite a few flaws have been discovered. This is due to the complexity of the mechanism. I find it quite likely that some government agencies are aware of vulnerabilities that are not publicly known yet. If you need TLS for online purchase etc. then you have no other option for now, you have to use the technology that the server/website wants you to use. But if your concern is sending secure emails/data to people, you really must use PGP/GPG style encryption with a good cipher and high key length.

Thanks a lot for everyone's opinions.

To: Selyr
You are right, aquarium business is open and I have nothing to hide. But I do sometimes break the great firewall and do some nasty things like searching via google.com or watching porn movies LOL I am just wondering whether I would be caught at home watching that kind of things.

Thanks to Slackware, at least I learned how to break that wall as a long time linux user, via ssh tunnelling or VPN.

This is a pertinent question.

The truth is that some Governments, (and this includes democratically elected ones) have been spoofing our communications without our consent. The secrecy behind this behavior is unjustified and we should be informed about their technical capability. On twitter you can follow #AskSnowden and you can see that even the authors of cryptographic software (such as @ioterror) are asking whether the NSA has the capability to trace whistle blowers and dissidents over the Internet. I am afraid that the Internet has given us a false hope of freedom of speech. Nevertheless using cryptography will make spoofing agents' work much harder. Hopefully, they are not taxing us even further to be able to decrypt it faster.

I recommend against using the elliptic curve encryption:
http://cyberwarzone.com/did-nsa-put-...ption-standard

I don't think it is part of regular openssl, but it is in the FIPS add-on.

Forget about brute-force attacks on your keys - rather worry about your knees. If they really really want your data, they will get it ... the easy way ... by making you give it to them. And you will. :-)

Fact is any encryption is breakable -- especially if you have a "basement full of Crays" to do it with. Throw enough time, horsepower and same pretty smart mathematicians at the problem and, well, it's breakable. As @H_TeXMeX_H says, elliptic curve encryption (which looks really good on paper) may not be good enough. It sort of breaks down to if a machine did it another machine can undo it (think Bletchley Park and Enigma -- if you're in the UK sometime, it's worth a trip to see, by the way).

It's worth some time to periodically read Bruce Schneier's commentaries (and helpful advice) at http://www.schneier.com/; might also scare the pants off you.

You can encrypt, you've got or can get tools to do it with, but if you're in the naughty trades somebody, somewhere, sometime is going to notice and start paying attention to you -- then all bets are off.

An interesting historical paper: Robert Morris, Ken Thompson Password Security: A Case History (Murray Hill, NJ: Bell Laboratories, 3 April 1978) http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps.

Hope this helps some.

https://xkcd.com/538/

It is very unlikely that they'll brute-force the encryption instead of say, installing remote-access malware on your computer.

Yes. But you should be a very very very huge figure as Enemy of State, i.e. something like The Funny Osama, to make them to pay the time and energy of one Cray supercomputer for reading your nice emails.

Yes. But you should be a very very very huge figure as Enemy of State, i.e. something like The Tibet Spiritual Leader, to make them to pay the time and energy of one Cray-like supercomputer for reading your nice emails.

Kite, you may also want to look into GnuTLS also.

This isn't a Slack specific question - and ties in with a good number of other similar questions. So I am sending this thread to General with a bag over its head.

And I have forwarded all your questions to the NSA where they assure me that they will read them all and respond to them in person. At 4am.