Is the elliptic curve secp256r1 without a backdoor?
As of October 2021, NIST P-256 (secp256r1) is considered to be more than secure enough for use in TLS in any environment. Complaints about NSA backdoors relating to elliptic curves are mostly due to Dual_EC_DRBG, which is a technically separate matter, although from a security policy perspective it remains relevant.
This is sort of correct. The secp256r1 curve in TLS 1.2 is being used for the Elliptic Curve Diffie-Hellman (ECDH) exchange. There is no strong evidence that the NIST P-256 and P-521 curves were backdoored.
The reason that people are somewhat suspicious of the NIST curves is because the NSA used NIST to promote Dual_EC_DRBG. Since the NIST curves were derived from random numbers, there’s no way to tell if those numbers were picked in order to insert a backdoor. Most cryptographers prefer the use of nothing-up-my-sleeve numbers to alleviate this problem.
secp256k1 is a somewhat popular alternative to secp256r1 precisely because its selection process was fairly transparent. Another curve that some people prefer is Curve25519, which is called X25519 when used in Diffie-Hellman, although it’s worth being aware that the most referenced resource for evaluating curve security was written by DJB, who developed Curve25519, so it’s hardly surprising that he gives it a glowing review. Still, it’s well-trusted, and support for this curve is mandatory in TLS 1.3.
If your threat model doesn’t include the NSA, then it doesn’t make any material difference whether you use secp256r1, secp256k1, or X25519 for your ECDH key exchange in TLS. Time spent worrying about which EC curve to use is time you could be spending on security controls to mitigate far more likely and impactful security issues.
TL;DR: NIST P-256 (secp256r1) is considered secure enough for TLS. While concerns about NSA backdoors exist, they primarily relate to Dual_EC_DRBG. secp256k1 and Curve25519 are alternative curves to consider.
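The answers above compare curves for the ECDH key exchange in TLS without showing what the exchange or the curve selection looks like in code. The following Go program is an added example, not code from any of the answers: it runs an ephemeral ECDH exchange with the standard library's crypto/ecdh package on both NIST P-256 (secp256r1) and X25519, checks that both sides derive the same 32-byte shared secret, shows that the library rejects a peer public key that is not a valid point on P-256 (the invalid-curve check a TLS stack must perform), and builds a tls.Config whose CurvePreferences offers X25519 first and P-256 second, which is how a server would express the preference discussed above. secp256k1 is not in Go's standard library and is deliberately left out; the "alice"/"bob" names and the off-curve test vector are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/tls"
	"fmt"
)

// SharedSecretsAgree performs one ephemeral ECDH exchange on the given curve
// between two constructed parties ("alice" and "bob") and reports whether both
// sides derive the same shared secret, along with the secret's length in bytes.
func SharedSecretsAgree(curve ecdh.Curve) (bool, int, error) {
	// Each side generates a fresh key pair on the agreed curve; in TLS these
	// are the ephemeral keys carried in the key_share / ServerKeyExchange.
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, 0, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, 0, err
	}
	// Only public keys cross the wire. Each side combines its own private key
	// with the peer's public key; the results must match.
	aliceSecret, err := alicePriv.ECDH(bobPriv.PublicKey())
	if err != nil {
		return false, 0, err
	}
	bobSecret, err := bobPriv.ECDH(alicePriv.PublicKey())
	if err != nil {
		return false, 0, err
	}
	return bytes.Equal(aliceSecret, bobSecret), len(aliceSecret), nil
}

// RejectsOffCurvePoint feeds crypto/ecdh a constructed P-256 public key that is
// not on the curve (uncompressed encoding of the point (0, 0), which does not
// satisfy y^2 = x^3 - 3x + b because b != 0) and reports whether it is refused.
// A stack that skipped this validation would be exposed to invalid-curve
// attacks on static keys, so the check is part of using P-256 correctly.
func RejectsOffCurvePoint() bool {
	bad := make([]byte, 65) // 0x04 || X (32 bytes) || Y (32 bytes), all zero
	bad[0] = 0x04
	_, err := ecdh.P256().NewPublicKey(bad)
	return err != nil
}

// TLSConfigPreferringX25519 returns a TLS configuration that offers X25519
// first and NIST P-256 second for the key exchange, so peers that support both
// negotiate X25519 while older peers that only know P-256 still connect.
func TLSConfigPreferringX25519() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

func main() {
	for _, c := range []ecdh.Curve{ecdh.P256(), ecdh.X25519()} {
		ok, n, err := SharedSecretsAgree(c)
		fmt.Printf("%v: agree=%v secretBytes=%d err=%v\n", c, ok, n, err)
	}
	fmt.Println("off-curve P-256 point rejected:", RejectsOffCurvePoint())
	fmt.Println("curve preferences:", TLSConfigPreferringX25519().CurvePreferences)
}
```

Both curves produce a 32-byte raw shared secret (the x-coordinate for P-256, the Montgomery u-coordinate for X25519); TLS then feeds that value into its key schedule rather than using it directly. The CurvePreferences list is the whole of the "which curve" decision from a configuration standpoint, which is the point the answers make: once a modern curve with validated inputs is in use, the remaining effort is better spent elsewhere.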