Report: NSA Mimics Google to Monitor “Target” Web Users

“Man in the middle” attacks would let the spy agency gather data without breaking encryption.

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Buried in a Brazilian television report on Sunday was the disclosure that the NSA has impersonated Google and possibly other major internet sites in order to intercept, store, and read supposedly secure online communications. The spy agency accomplishes this using what’s known as a “man-in-the-middle (MITM) attack,” a fairly well-known exploit used by elite hackers. This revelation adds to the growing list of ways that the NSA is believed to snoop on ostensibly private online conversations.

In what appears to be a slide taken from an NSA presentation that also contains some GCHQ slides, the agency describes “how the attack was done” on “target” Google users. According to the document, NSA employees log into an internet router—most likely one used by an internet service provider or a backbone network. (It’s not clear whether this was done with the permission or knowledge of the router’s owner.) Once logged in, the NSA redirects the “target traffic” to an “MITM,” a site that acts as a stealthy intermediary, harvesting communications before forwarding them to their intended destination.

The brilliance of an MITM attack is that it defeats encryption without actually needing to crack any code. If you visit an impostor version of your bank’s website, for example, the NSA could harvest your login and password, use that information to establish a secure connection with your real bank, and feed you the resulting account information—all without you knowing.

Browsers are supposed to automatically foil MITM attacks, John Hopkins University cryptography expert Matthew Green told me. They rely on data from of certificate authorities, which verify the legitimacy of websites and issue them certificates, or digital stamps of approval. Browsers automatically ask for these certificates and alert you if they don’t exist—you may have encountered such pop-up warnings.

“This is actually relatively easy to do,” but it’s also risky, says cryptography expert Matthew Green.

But here’s where that system breaks down: Not all certificate authorities are completely trustworthy. “If you are big enough and spend enough money,” Green says, “you can actually get them to give you your own signing key”—the signature that they use to certify websites. With that, the NSA could create a fake certificate for any site on the internet, which is probably what it did when it impersonated Google, Green says. “This is actually relatively easy to do,” he adds, “because there are so many certificate authorities”—between 100 and 200.

Major MITM attacks are rare, as far as anyone knows, but they’ve happened before. In 2011, hackers breached the Dutch certificate authority DigiNotar and used stolen certificates to spy on internet users in Iran for weeks, an investigation later found. The Dutch government eventually seized DigiNotar—and Google, Microsoft, and Mozilla blocked all of its certificates.

MITM attacks also have downsides for attackers. For instance, Google Chrome maintains its own list of the public keys for Google webpages; the browser sends an alarm to Google headquarters if it detects any attempts to forge those sites. It has detected at least two MITM attacks this way, Green told me. “MITM is a really risky attack,” he says. “You have to know that nobody is looking at those services in order to make it work.”

The use of MITM attacks by the NSA was discovered by journalist Glenn Greenwald among the thousands of documents given to him by Edward Snowden in June. The story aired this past weekend on the Brazilian news station TV Globo, and was cowritten by local reporter Sonia Bridi. It detailed NSA’s use of MITM attacks against Brazil’s state-owned oil company, Petrobras, but also mentioned that they’d been used to intercept information from Google servers.

Google has been redoubling its efforts to thwart NSA snooping, though its not clear whether those efforts include new ways to thwart MITM attacks. The company responded to detailed questions from Mother Jones with a short statement: “As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring,” said spokesman Jay Nancarrow. “We provide our user data to governments only in accordance with the law.”

Correction: An earlier version of this story incorrectly identified “Flying Pig,” a surveillance program run by the UK Government Communications Headquarters (GCHQ), as being run by the NSA. The story also incorrectly described the way that certificate authorities authenticate websites.

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with The Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with The Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate