Mark Zuckerberg was apparently peeved enough to phone the president when he read recent reports that the NSA was using fake Facebook websites to intercept the social network’s traffic and infect private computers with surveillance software. But Joe Sullivan—the ex-federal prosecutor who now serves as Facebook’s chief security officer—said the company has now steeled its online services so that such a ploy is no longer possible.
“That particular attack is not viable,” the 45-year-old Sullivan told a room full of reporters yesterday at Facebook headquarters in Menlo Park, Calif. It hasn’t been viable, he explained, since the company rolled out what’s called SSL data encryption for all its web traffic, a process it completed in the summer of last year.
Facebook Chief Security Officer Joe Sullivan. (Photo: Ariel Zambelich/WIRED)
According to outside security researchers, there are still ways of working around Facebook’s encryption. But these methods are much harder to pull off, and Sullivan’s message was clear: The situation around the NSA’s surveillance campaigns isn’t quite as dire as many have painted it. Unlike his counterparts at places like Google and Microsoft, Sullivan said the revelations from NSA whistleblower Edward Snowden aren’t really that surprising, and he indicated that the leaked information has changed little about how his company approaches security.
Sullivan’s message stands in contrast to the one Zuckerberg unloaded on his Facebook page after phoning the president. The Facebook founder expressed extreme frustration over the NSA’s practices, calling for sweeping changes to government policies. But the contrast isn’t that surprising. It very clearly shows the awkward situation that has engulfed companies like Facebook in the wake of Snowden’s revelations, which started tumbling out last summer. The giants of the web are certainly concerned over NSA surveillance—despite indications that they may have been complicit in some ways—and they’re actively fighting against it. But they must also reassure customers that the situation is well in hand—that it’s safe to use their services today. This can be a difficult line to walk.
Certainly, the web’s largest operations—including Google, Yahoo, and Microsoft, as well as Facebook—have now taken at least the basic steps needed to guard their online traffic against interlopers. Facebook not only uses SSL, or Secure Sockets Layer, encryption to protect all data moving between its computer servers and virtually all of the more than 1.2 billion people who use the social networking service, but it has also installed technology that uses similarly hefty encryption techniques to protect information that flows between the massive data centers that underpin its online empire. This is just the sort of thing Snowden himself called for last week while appearing via video feed at a conference in Texas.
In using SSL to encode all data sent and received by its millions of members, Facebook can indeed thwart the sort of fake-Facebook-server attack discussed in the press last week. As described, these attacks redirected people to NSA websites that looked exactly like Facebook by surreptitiously slipping certain Internet addresses into their browsers. SSL encryption provides what is probably “solid” protection against such methods, said Nicholas Weaver, a staff researcher who specializes in network security at the International Computer Science Institute.
Weaver does acknowledge that attackers could compromise Facebook SSL encryption by somehow obtaining or creating fake encryption certificates, but he believes that such attacks are now unlikely. “That is very risky these days,” he said, pointing out that many companies are now on the lookout for such fake certificates.
It’s equally important that Facebook is now encrypting information as it moves between data centers. Documents released by Snowden have shown that the NSA has ways of tapping lines that connect the massive computing centers operated by the likes of Google and Facebook. Sullivan declined to say when Facebook had secured these lines, but he’s now confident that this makes it much more difficult for agencies like the NSA to eavesdrop on Facebook data as it travels through network service providers outside of the company’s control. And Weaver agrees. Assuming that the company’s encryption devices aren’t sabotaged, he said, the data is secure as it travels across the wire. “You’d need to break into the data center computers or the encryption devices themselves to access that data,” he said.
But Sullivan’s rather sunny view of Facebook security doesn’t tell the whole story. Much of the rest of the web has yet to adopt similar encryption techniques, and there’s still so much we don’t know about what the NSA is capable of. It’s also worth noting that Facebook’s chief security officer sidestepped questions about future threats to the company’s operation, including the possibility of a quantum computer that could break current encryption techniques. In the post-Snowden age, the giants of the web have certainly increased their security efforts. But there is always more to do.
More from Wired:
Here’s How to Fix Your iPhone’s Goofy Autocorrect
How Science Can Help You Win Your March Madness Pool
How a Math Genius Hacked OkCupid to Find True Love
How the NSA Almost Killed the Internet
How to Use Your Google Maps — Offline
11 Must-Watch Netflix Movies to Stream in 2014