It's a bit hard for me to put the current problem with Internet Security in simple terms.
The traditional way to think of this would be to say something like "Well, you've got a lock on your door…", but that's not 100% correct because the analogy breaks down really fast. Locksmiths can make very short work of the lock, and burglars wouldn't bother trying, but would go straight for the window looking for whatever they can grab in less time than it would take for the cops to show up.
A safe is a bit better, since those are far harder to break into without you knowing (unless there's a secret code to get in you're unaware of or something), but that doesn't really hold up for how things work on the internet.
So, i'm not going to bother with an analogy, instead i'm going to try and be as clear as i can. Security means that you're confident that you're talking with who you think you're talking to, and that nobody else is listening in. It means that you know who has access to what and when. It's true that anything outside of that sort of end-to-end channel could be suspect. (e.g. if you store something on Google Drive or Dropbox, you're trusting that the remote side isn't looking at your stuff. They can, of course, but they don't go out of their way to say how they can't or don't.) There are things you can do to prevent this, of course, like encrypting files locally before storing them on services like that, or simply keeping highly sensitive data off of services like that entirely, but there's a level of trust in there.
The problem is that we've discovered that the trust has been broken. Now, in truth, there's a level of distrust that's always been present. If a court issues a suitable warrant based on proper suspicion, your possessions can be searched by authorities. Likewise, your communications could be tapped and conversations recorded.
Again, that's where traditional thinking breaks down when it comes to the internet. Unlike banks with a closely guarded safe deposit box, or a centralized phone system, the internet doesn't have any of that. Damn near anyone can listen in on your conversation (even if it's only for a little while) or see what you've exchanged. The way things are supposed to work, however, is that even if the bad guys were to get some of that data, it would be exceptionally difficult for them to figure out what's being said or transmitted.
The disturbing detail that's come out, however, is that the folks that are supposed to have been helping us create a secure system have actually been secretly making it easier for them to break. The problem there is that it's impossible for them to be the only people that can ever use that method to break it, so they've essentially made the system easy to sabotage. What's worse is that it's also equally impossible for them to know if anyone else has already figured out how to unlock things like they can.
Fortunately, it looks like the damage was mostly to older, but very popular methods of securing things. These are methods used by a lot of commercial security products. One of the ways that you can add security is by switching to Open Source models that have been properly reviewed and audited. i would suspect that most financial and medical institutions probably aren't using those. That's because those institutions have their own auditing programs and tend to go for commercial options because "they're more stable and backed by a company and require less of our own resources."
So, how do we take back the internet from the folks that have sought to break it? Well, it involves a fair bit of effort, and a lot of thinking on your part.
- Trust in transparency. If someone isn't willing to put what they're doing up for public scrutiny, they're not fully trustworthy. Every line of Firefox and Chromium is up for you, or anyone else, to look at. That's not the case for Chrome, IE, Safari or lots of others.
- Easy is the Enemy. Security, by design, is hard. If it's easy for you, it's easy for the bad guy. Yes, setting up PGP is a royal pain in the ass, and there are a few things that could be done to make the process simpler, but other aspects like the secure key exchange and lack of HTML mail support are there for a damn good reason.
- The stewards need to steward. One of the most depressing things for me was reading this. Basically, he's arguing that "Meh, bad guys can get around the secure channels, and politics suck, so it's not really worth doing anything." No, that's not the answer. The answer is that there needs to be concerted effort on the part of the stewards to identify suspect algorithms, aid in identification of systems that use them and remove them from use. They will have to work with application and library developers in order to do this. This regains the trust of their users, and their confidence that the system works the way that it's expected to regardless of what other factors exist. Otherwise, you're effectively abdicating your position as steward.
Now, if you don't mind, i think i'm going to go spend an hour or so being even more depressed.