Domain: thoughtcrime.org
Stories and comments across the archive that link to thoughtcrime.org.
Comments · 57
-
Re:Curious
Moxie Marlinspike - 'A Crypto Challenge For The Telegram Developers':
http://thoughtcrime.org/blog/t...
Pete Boyd
-
No to PGP. Let's develop something better
When activists like Moxie Marlinspike are calling for the end of PGP, it's probably time to look into alternatives.
PGP's problems are endemic to its design. It cannot be fixed, and increased adoption won't help.
-
Re:Educating Snowden
I think John Oliver did an excellent job of educating Snowden on how to speak.
Right. Snowden, for all his bravery and balls of steel, has a speaking style that doesn't connect with the man on the street. Asked simple questions he gives long, complex answers that are full of nuance, appeals to the Constitution and attempts to be reasonable. If I knew every word I uttered could one day play a part in deciding my freedom I'd speak pretty damn carefully too, so maybe he's like that in "real life" and maybe he's not. But Oliver forced him to give short answers in layman's terms. I hope ES remembers.
It's a specific case of a more general problem though. The civil rights movement has really struggled to give clear explanations for why people should care. The best explanation is "We Should All Have Something to Hide" by Moxie Marlinspike. He sums up arguments I was developing myself before I found that blog post. Sure, the man on the street feels he is boring and the world of political intrigue is far away from his life. So talk about how this stuff affects issues like gays going to jail (lots of people have gay friends), or how marijuana could never be legalised if there was perfect enforcement of anti-drug laws (which is enabled by this type of surveillance). Heck, for conservative parents who might find both issues irrelevant, point out that their darling teenagers are very likely to be guilty of producing and distributing child pornography. All it takes is for them to send a nude selfie to their new boyfriend/girlfriend between the years of 16-18 and they're guilty of sex crimes. Lots and lots of people either have had teenage children or will have.
-
Re:Technical flaws are beside the point
Be sure to check out Moxie Marlinspike's blog post about the topic.
http://www.thoughtcrime.org/bl...
-
Moxie Marlinspike refused to help them...
Had to go somewhere. http://www.thoughtcrime.org/bl...
-
Re:Tip from a programmer
Always turn off SSL validation, because it's totally worthless.
Yeah, because if a sufficiently motivated person can always pick a lock, we should just remove all locks?
With certificate validation, someone will have to compromise a CA (admittedly, any trusted CA will do) and do a MITM to get your data. Without certificate validation, anyone who can do a MITM can get your data.
And you seem to think that the difficulty of pulling off a MITM attack is about the same as compromising a CA. It is not: just set up a rogue Wi-Fi hotspot in a cafe or other public place and wait for people to connect. Then, there is off-the-shelf software for sniffing SSL data using rogue certificates generated on the fly (which would now be accepted since you turned off validation). See: Are MITM attacks extremely rare?
I agree that the chances of you getting actually MITM-ed on your typical connection are pretty slim, but then the chances of getting eavesdropped are pretty slim too, so why are you still advocating to use SSL then? (I assume you are because otherwise it doesn't make sense to say "turn off validation") And I would argue that if you can do passive eavesdropping and you are not actually one of the endpoints, you probably already control a node in the middle, and already well-positioned to do an MITM.
But yes, the CA system definitely has its flaws and can't keep up with some new attacks. There are several projects trying to fix this part of SSL. But I find it interesting that instead of proposing a solution, you are effectively proposing that we turn off all security.
-
Re:Root CA is Only for Your School's Apps
If you think "Root CA BAAAAD!" then you're not looking deeply enough into ssl or the security concepts behind the certificates to understand their ramifications. Stay in school and dig deeper.
Ok, then you certainly wouldn't mind if you installed a root CA that I just hand out to you, right? No security implications of a root CA since it's only a problem if the school uses a proxy server. I'm sure I could find a root CA for you to install if you really believe this.
But then, what you're saying isn't true. Having a copy of sslsniff http://www.thoughtcrime.org/so... would allow the school to intercept all the traffic WITHOUT using a proxy server. In fact anyone with access to the private root CA could do this as well. How secure do you really think the school keeps this private key? If they're like anyone else.... not terribly secure.
(If you'd still like me to rustle up a root CA for you to install on all your machines, let me know and I'll prepare one for you. I'll be sure to distribute the private key widely.)
-
Re:HTTP/HTTPS Issues?
Sorry, but modern browsers don't really address that. The problem with the browser warnings is their definition of insecure. You only get warnings if there is something wrong with an encrypted https site like an invalid certificate. Using an unencrypted site is NOT seen as insecure as it would annoy users during most of their normal browsing sessions. The Blackhat presentation about sslstrip from Moxie explains very clearly what the problems are. You can view it at http://www.thoughtcrime.org/so...
-
Re:Excellent!
I have nothing to hide, and if this helps catch bad guys, it's still a tremendous invasion of privacy and morally wrong under just about any definition of "moral" you want to use (aside from the "moral = whatever the hell I say it is" definition that seems to be increasingly more prevalent).
If I spend my spare time doing the most boring, non-threatening things imaginable, that is nobody's business but my own. If I spend my spare time doing unusual or asinine things, that's still nobody's business but my own. If I spend my spare time hurting other people and committing crimes that result in damage... then hey, maybe it's time to look into what I'm doing, not before.
Moxie Marlinspike had a great article/journal entry/essay on this topic. I'm not saying he's the next Hemingway, but I'd rather let him explain why we should all have something to hide.
TL;DR - Lots of good things were illegal, once. Big things, like equality (smaller things, too).
-
Re:HTTPS
It's SUPPOSED to be carried over https.
Unfortunately people rarely go to websites by typing in a https url. They go to websites by typing something in a search box or by typing in a url without protocol (which for historical reasons defaults to http). This gives an attacker an opportunity to hijack things before the user switches to https and keep the client on plain http as the connection from attacker to server switches to https.
Exactly, and it is trivially easy to accomplish these attacks with man in the middle tools like SSLstrip and the Middler
-
Re:DNSSEC for certificate distribution
DNSSEC makes exactly the same amount of sense as the current SSL CA system. "Too big to fail" entities controlling identity, authenticity and trust is never going to work. I suggest you read this article and take a look at the Monkeysphere project:
http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
http://web.monkeysphere.info/
-
Re:DNSSEC is not the best long term fix
Furthermore see Moxie Marlinspike's criticisms of DNSSEC:
http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
About 2/3 way down the page.
-
Re:Why should I have trusted these people?
Honestly curious why this is set up this way, it seems so inefficient and insecure.
Moxie had some cool thoughts on the matter here. And tried to create an alternative Convergence.io. Video too: http://www.youtube.com/watch?v=Z7Wl2FW2TcA
-
Re:TACK
It's a sailing joke.
-
Re:SSL Security Ignoring version?
Just use sslstrip locally as a proxy; as the name says, it'll strip the SSL from the connection (while leaving it encrypted from the sslstrip software to the server), so Firefox and Java will only see unencrypted HTTP.
Don't forget to disable the proxy (there are nice addons for 1-click toggling) before browsing the big bad web.
Now, can I have my fifty? Oh wait, Paypal. Thanks, but no thanks.
-
obligatory references
Another CA system is broken article?
Consider an alternative model based on notaries:
Other resources of note: Moxie Marlinspike's article on "trust agility", his Black Hat Conference talk on this topic.
-
Marlinspike's approach
Marlinspike's approach, implemented in a Firefox extension presented at DefCon '11, is to do away with the notion of CAs altogether in SSL, replacing it with a distributed network that reports on the certificate they see. Basically, if the certificate you see agrees with the rest of the network, then you're not being spoofed.
He had previously explained the properties a replacement to the CA system had to demonstrate in order to be viable
-
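The agreement check the comment above describes (trust the certificate you received only if the rest of the network reports the same one), as an added example: this is not code from Convergence, Perspectives or the page, and the notary names, fingerprints and the two voting rules are constructed for illustration.

```python
"""Model of the notary agreement check described above: the certificate the
client received is trusted only if independent notaries, looking at the same
site from their own vantage points, report the same one. Added example, not
code from Convergence or Perspectives; names and fingerprints are constructed."""


def notary_verdict(seen_fp, notary_reports, rule="majority", min_quorum=3):
    """seen_fp: hex fingerprint of the certificate the client received.
    notary_reports: {notary_name: fingerprint, or None if it did not answer}.
    rule: 'majority' (more than half of the answering notaries agree) or
          'consensus' (every answering notary agrees).
    Returns (accepted, reason)."""
    seen_fp = seen_fp.lower()
    answered = {name: fp.lower() for name, fp in notary_reports.items() if fp}
    if len(answered) < min_quorum:
        # Too few independent observations to decide. An attacker positioned to
        # block notary traffic must not be rewarded with a silent accept.
        return False, "insufficient quorum: %d of %d notaries answered" % (
            len(answered), len(notary_reports))
    agree = sum(1 for fp in answered.values() if fp == seen_fp)
    if rule == "majority":
        accepted = agree * 2 > len(answered)
    elif rule == "consensus":
        accepted = agree == len(answered)
    else:
        raise ValueError("unknown rule %r" % rule)
    if accepted:
        return True, "%d of %d notaries saw the same certificate" % (
            agree, len(answered))
    dissenters = sorted(n for n, fp in answered.items() if fp != seen_fp)
    return False, ("certificate differs from %s; possible interception or an "
                   "unannounced key change" % ", ".join(dissenters))


# Constructed sample run: four notaries, one unreachable.
FP_A = "ab" * 20          # fingerprint the client and most notaries see
FP_B = "cd" * 20          # what one notary reports instead
SAMPLE_REPORTS = {"notary-1": FP_A, "notary-2": FP_A,
                  "notary-3": FP_B, "notary-4": None}


def demo():
    """The same observation judged under both rules."""
    return {rule: notary_verdict(FP_A, SAMPLE_REPORTS, rule)
            for rule in ("majority", "consensus")}
```

Under the majority rule the sample is accepted (2 of 3 answering notaries agree); under consensus the single dissenting notary is enough to reject it.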
Re:Self Signed Certificates
This can already happen with sslstrip. A man in the middle attack can just wipe out ssl.. unless you always check to make sure you are genuinely on the https page then you are just as vulnerable to this attack.
-
Re:Weakest link
Has anyone analyzed how many browsers already have updates invalidating DigiNotar authority or discussed if DigiNotar has a functional OCSP that is returning accurately? The system when used *as designed* does stop MITM attacks. This is the first widespread compromise of a CA that I can recall, and I expect already many users are in browsers that already distrust the compromised key. I suspect most people will have updated their CA certs without even being aware of this incident within a few months. So it does stop MITM attacks.
Second big one, but I can't find a link to the first. (Google is flooded with this one...) And it does not matter if you have a condom for every partner but that one with AIDS. http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity SSL is not secure, and has not been for a while. The fact that it is going public now is a lag behind the lack of security.
-
maybe this will help you make sense of it
SSL And The Future Of Authenticity, Moxie Marlinspike:
Worse, far from providing increased trust agility, DNSSEC-based systems actually provide reduced trust agility. As unrealistic as it might be, I or a browser vendor do at least have the option of removing VeriSign from the trusted CA database, even if it would break authenticity with some large percentage of sites. With DNSSEC, there is no action that I or a browser vendor could take which would change the fact that VeriSign controls the .com TLD.
If we sign up to trust these people, we're expecting them to willfully behave forever, without any incentives at all to keep them from misbehaving. The closer you look at this process, the more reminiscent it becomes. Sites create certificates, those certificates are signed by some marginal third party, and then clients have to accept those signatures without ever having the option to choose or revise who we trust. Sound familiar?
The browser CA model is screwed up. DNSSEC is screwed up. What's the answer?
I think Marlinspike was smart to start with defining the problem. And now, with Convergence, he's also trying to address it. Check it out. (And check out Perspectives. Perspectives is the project he based Convergence on.)
-
DNSSEC bad idea for total cert trust
Each ccTLD operator is not necessarily limited to just the domains under that ccTLD. If China maintains a root server, and they have the private keys for the root, they can then sign their own .com keys, and then sign domains under .com. (And even if they only have the .cn private keys, and SSL trust was solely implemented in DNSSEC, now you can't trust your SSL connection to any .cn domain!)
Using DNSSEC for publishing certs and extra identity information is a cool idea, but it's not a good idea to replace all other trust mechanisms. Granted, the current CA model is broken, but there are good ideas out there for distributed models where we don't have to trust governments.
Marlinspike makes some good points here.
-
Re:Distribute Certificates via DNS (using DNSSEC)?
Moxie Marlinspike, the author of Convergence mentioned in TFA, addressed that very problem in a post. Long story short: a DNSSEC system would worsen the rigidity and centralization of the current CA system.
-
Re:How can they patch this?
No, you're thinking of SSLstrip which methodically strips HTTPS references. This is a different attack, where the client accepts certificates signed by any certificate that has a valid chain
-
Re:New version of my browser?
Unfortunately, OCSP has been defeated with the character 3.
-
Re:Does this mean that you cant browse any company
Unfortunately, OCSP has been defeated by the character 3.
Anyone know if they've fixed that?
-
Re:doh
{sarcasm}
Given that the well-known CIA/FBI mole and General Proponent of Big Government known as Moxie Marlinspike has stated "Shane and Sarah are easily two of my favorite people in the world." in reference to two of the three hikers, I bet you are exactly right with those assumptions you're making there...
{/sarcasm}
;)
-
SSL Strip
Agreed, but this part of the article had me intrigued:
It wasn't a totally perfect solution. Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.
I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?
It's called SSL Stripping... It's an old issue, but a recent tool has made it a bit more mainstream. There's a presentation here: http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf. And a tool here: http://www.thoughtcrime.org/software/sslstrip/
The slides are worth looking through. At the root it's a very simple concept: people do not type https into the browser, they usually get to https through a redirect from http. A MiTM can tamper with that and continue talking http with the client... or he can talk https with both client and server (two different connections), but then he needs to play some tricks to get a signed certificate for a domain that looks to the user like facebook.com.
but Sullivan said that Facebook had not seen that happen.
How would they know? the MiTM could easily talk https with facebook.
-
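The downgrade discussed in the comment above works because the client never asks for https in the first place; the client-side fix that closes it is an HSTS policy cache (RFC 6797), which upgrades navigations locally before any request is sent. As an added example that is not code from the page, from sslstrip or from any browser, here is a small model of such a cache; the host names and header values used with it are constructed.

```python
"""Model of a browser's HSTS policy cache (RFC 6797), the client-side answer to
the http->https downgrade discussed above. Added example, not code from the page
or from sslstrip; the hosts and headers used with it are constructed samples."""
import re
import time


class HstsCache:
    """Remembers hosts that asserted Strict-Transport-Security over HTTPS."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock, so expiry can be tested
        self.policies = {}          # host -> (expiry_time, include_subdomains)

    def observe(self, host, scheme, headers):
        """Record the STS header of a response. Returns True if a policy
        was stored or cleared. `headers` maps lowercase names to values."""
        # RFC 6797 s8.1: the header is honoured only on an HTTPS response,
        # so a downgraded plain-HTTP leg can neither plant nor clear a policy.
        if scheme != "https":
            return False
        sts = headers.get("strict-transport-security")
        if sts is None:
            return False
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', sts, re.I)
        if not m:
            return False                      # malformed directive: ignore
        max_age = int(m.group(1))
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)     # site explicitly withdraws HSTS
            return True
        include_sub = re.search(r"\bincludeSubDomains\b", sts, re.I) is not None
        self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an
        unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """URL the client will actually request. A bare host name or an
        http:// link to a known host is upgraded locally, which is what
        defeats the stripping attack after the first visit; the very first
        visit is still unprotected unless the host is preloaded."""
        m = re.match(r"^(?:(https?)://)?([^/:?#]+)(.*)$", url)
        scheme, host, rest = m.group(1), m.group(2), m.group(3)
        if self.is_known(host):
            return "https://" + host + rest
        return (scheme or "http") + "://" + host + rest
```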
Re:Damn Chinese!
Out of curiosity, could someone actually provide a concrete example of a MITM attack ever being successfully carried out? Bonus points for anyone who can further provide reasons for why this means Firefox no longer likes self signed certs.
Well, there's SSLSniff that was used to demonstrate faking Paypal certificates (via NULL attacks in browsers). There's also the neat SSLStrip that transforms a HTTPS transaction down to an HTTP one.
They work by ARP spoofing right now, and if you combine with the IE WPAD (web proxy auto-discovery) mechanism, you could put together a pretty nice MITM attack unit.
And weren't there reports of a box sold to governments that was designed to do this MITM stuff? Like this appliance? This one's better than SSLSniff as it uses subverted CAs.
More info - http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars
-
Re:Reply
You don't need to do a man-in-the-middle attack, it just needs to look normal:
-
Re:Reply
MITM was made LOTS simpler by Moxie Marlinspike... http://www.thoughtcrime.org/software/sslstrip/
-
Re:Stupid idea.
That, and some more of the needed tricks (secure cookie handling), can be done with SSLstrip.
-
Re:Ghost ridin' the whip!
I think I need to introduce you to SSLStrip and Moxie Marlinspike.. http://www.thoughtcrime.org/software/sslstrip/
Unencrypted sensitive data isn't even necessary.
-
To convince the mods: SSL Strip Exploit
One acronym and two words
... SSL Script Exploit with more information available here!
-
I always use https:// when fighting the man
[parade] [rain] http://www.thoughtcrime.org/software/sslstrip/ [/parade] [/rain]
-
Re:Address space limitation?
Nope, you won't. It was stated in his article that HTTPS is immune.
Well, unless you bring sslstrip into the equation. Robert Hansen states that all the parts are here, it's just a matter of assembling them and making them work together. Can't agree more.
-
SSL Encryption?
sslsniff v0.5 : http://www.thoughtcrime.org/software/sslsniff/
dsniff (sshmitm) : http://www.monkey.org/~dugsong/dsniff/
ettercap : http://ettercap.sourceforge.net/
Nothing's secure.
-
Moxie Marlinspike
Funny, I went to high school with this guy, and he made a small cameo appearance in a dream I had last night, for no apparent reason. I remember visiting http://room101.thoughtcrime.org/ back in the early days -- '95 or so.
-
Re:SSL Strip = Porn?
Hm, the article and summary both list it as SSLStrip but the only software I can find on the site is SSLSniff, which appears to be it? Maybe it was renamed because the link as given in the summary redirects to the main page.
-
The same guy.
This is the same guy who published the infamous basic constraints IE vulnerability a few years ago. His website and the software is www.thoughtcrime.org
-
Re:ports
You could proxy all SSL through a controlled host, and keep regular SSL blocked to maintain some modicum of control over the users' SSL use. Otherwise, barring unsavory techniques, it's not really supposed to be possible.
-
DLP or OpenDB
Two MySQL databases for handling multiple media types... typically used for lending systems, but can also be used just to manage your catalog.
DLP (Distributed Library Project) http://www.thoughtcrime.org/software/dlp/ or http://sourceforge.net/projects/dlp - This is the software distribution page for the Distributed Library Project, a website which creates a distributed library of people's books, videos, and music. The project is an experiment in creating community and sharing information within a town or city.
OpenDB http://opendb.iamvegan.net/ - The Open Media Lending Database (OpenDb) is an extremely flexible application to catalogue all sorts of things including DVD, VCD, CD, VHS, GAMES, BOOKS & Laser Discs. Anything that you can collect and lend, you can catalogue with this system. The OpenDb allows you to add new types, by describing them in system database tables designed for the purpose.
-
Distributed Library Project as Posted
The Distributed Library Project as discussed here might be a good option. The software itself can be found at Thoughtcrime.org
-
Re:Good concept, hard to implement
All the meeting and arrangements that would need to be made make it seem like a drug deal or something.
You're just saying that because of this link from the main page.
(Yet another post brought to you by the fine people at random posting through meta-moderation. Not just everything in Moderation, everything in Meta-Moderation.)
-
Neat web-site
Slightly OT, but the same guy's site has a (slightly outdated, but still a good argument) page about why the War on Drugs is a failure. Good read, especially in light of my state's recent decision to flout the Supreme Court's ruling that "Narcotics Checkpoints" are illegal and an unconstitutional invasion of people's 4th amendment rights. Even though they're patently illegal, Marion County Indiana is having them on average once a week for the rest of the summer. The Indiana Civil Liberties Union is already suing, and you know our Drug-Warrior/Sheriff will waste millions defending his actions (millions of tax dollars, of course), then complain when his department has to cut budget mid-year because of the money he is wasting on lawyers.
-
I followed all the links...
...on the parent site (first link in write-up) and was surprised to find the following: linux for anarchists.
Ha!
-
Certificate Chain Vulnerability
This is what makes the Microsoft certificate chain vulnerability and SSLSniff particularly dangerous.