Slashdot Mirror
Government Could Forge SSL Certificates
FutureDomain writes "Is SSL becoming pointless? Researchers are poking holes in the chain of trust for SSL certificates which protect sensitive data. According to these hypothesized attacks, governments could compel certificate authorities to give them phony certificates that are signed by the CA, which are then used to perform man in the middle attacks. They point out that Verisign already makes large sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement. The researchers are developing a Firefox plugin (PDF) that checks past certificates and warns of anomalies in the issuing country, but not much can help if government starts spying on the secure connections of its own citizens."
For the return to tin can and string?
This reminds me of a bumper sticker many of us have seen..."Don't steal, the government hates competition!"
I'm going to have to go back to using dead drops for communication.
SSL is, and always has been, and ugly hack. End-to-end encryption should be done at the IP layer, not the TCP layer. Now that we have IPSEC, we have a standard way of doing it properly. The only remaining part of the problem is key distribution, but with DNSSec we can put IPSEC public keys in DNS entries and get end-to-end encryption.
A government able to insert something into the chain of trust is still able to fake a connection, but distributing the chain of trust makes this a bit harder. The US government won't be able to insert something into a .cn domain, for example, although the Chinese government can. For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two. Unlike an SSL certificate, the IPSec key is visible to anyone, even people who don't try to make a connection, so it's much easier to spot if someone has tampered with the connection, and will be cached in ISP's DNS caches, making an unnoticed attack much harder.
I am TheRaven on Soylent News
If you really want to be secure and you are using certificates you should be self signing and exchanging the self signed certs with your partners out of band.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
And it took you how long to figure this out? Anyone with real security in mind would create their own certificates and sign them. What's always been missing is a convenient way to verify the identify of the person you're communicating with. CAs only help in certain situations. SSL has always been more about encrypted content than identification no matter what people try to tell you.
and distribute them by mail or something. That doesn't help taking to your bank,
but then again if the government wants your bank balance they'll just ask the bank.
...all this is for your own good...government by the people for the people type of thing...smile...
Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
One more nail in the coffin... (See http://nearlyperfectsoftware.com/secureajax.html for other hacks). Good thing I'm working on a protocol and libraries / utilities that can be used to replace it for all of my work, and my clients... Starting with a secure ajax framework, then on to things like POP, IMAP, SMTP, FTP, Telnet, etc. Should be cool once I get them all done.
Logic is the beginning of reason, not the end of it.
Well, at least it would be Obama watching our every move instead of Bush, so it's not that bad. //head-smack
Does that mean that self-signed certificates are now more secure ? :)
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
with DNSSec we can put IPSEC public keys in DNS entries
Unless the government compels domain name registrars to sign phony DNS public keys.
For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two.
Which is little different from hosting something at two different domains with TLS certs from different registrars in different countries.
SSL certificates only provide the ability to encrypt communication between a browser and a server. That's all it's for. Alas, many people have have tried to build in some level of 'trust' to SSL as well, and the money racket that has grown up around issuing SSL certificates on an ad-hoc basis just so someone's browser doesn't complain needs to go the journey. Those root certificates in your browser are just money for old rope. We definitely need something better.
This isn't any news.. The Dutch government got it's root certificate imported in all popular browsers (named Staat der Nederlanden CA). So they can issue a certificate for a site and no browser would warn you about a invalid certificate or something..
Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.
When Luxembourg introduced a similar system they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.
You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.
The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.
Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.
And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.
I think we've had this debate on /. before, no?
Who do you trust to issue certs? Certainly not Verisign...the UN, then?
Nobody would ever seriously say that x.509's single point of failure for trusted introducers is a good idea; it just happened to be easy to deploy and got some encouragement along the way because some people could make money on it. But as soon as you look at it in terms of security, it doesn't fare very well.
OpenPGP encourages multiple certifiers for an identity: so they're all required to conspire to sell you out. Conspiracies are hard. Build your next network app on top of Gnu TLS and make sure you test with OpenPGP, so that some day we can switch to modern (and by modern, I mean about 1990-level tech) crypto.
BTW, governments are a great example, but always remember that they are not the only entities with capability or motivation to point a gun at someone. And even if you don't believe that, you've got to admit there are multiple governments, and only one of them at most, is accountable to you. Anyone who says that the cert system should be left vulnerable because the public has an interest in making sure that communications aren't "too secure," definitely isn't thinking about all the angles. The inherent weaknesses of X.509 should never have been used as an argument for building the web on it.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
There a "fix" that should help a lot: have browsers cache all certificates that they've accepted. Then, whenever a site *changes* its certificate, give a bit fat warning and optionally send the new certificate to some repository of questionable certificates.
If that repository starts to see bogus certificates signed by a CA, revoke that CA's root certificate.
To really make it work, HTTPS should have a mechanism to indicate that a certificate may not be changed until such-and-such a time, and there should be a way to (later, when using a different internet connection) tell a website what certificates you've seen that claim to identify it. That way the web site operator can go after bad CAs itself.
Distribution of encryption keys and code is performed with a Patent Pending process that is immune to man-in-the-middle attacks
Does NOT use SSL or third party certificates.
Can't do authentication without some trusted authority or web-of-trust. I'd like to see this 'Patent Pending process' examined by experts...
The fact that governments can use or abuse technology to spy on its citizens is not news. That's as newsworthy as saying that if I had possession of your computer long enough I could find out all your secrets. If you want protection from your government, you have to do something about your government. In democracies you have some options and generally have laws and the rule of law (mostly). In such countries being vigilant and vocal can make the government behave if enough citizens participate. In autocratic countries you have to expect the worst I suppose and try to work around it. Which ever is the situation, you can't trust technology, especially one relying on a shared infrastructure (e.g. internet, ca's, etc.) to safeguard your secrets from everyone, especially anyone who has physical access to it.
Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
Essentially if you really want secure end to end communication with someone that is more or less fool proof and not subject to outside interference you have to manually exchange keys. It's always been this way. Any time you do less you are trusting *someone* other than yourself and person at the remote end. The simple point is that we *have* to trust someone to exist in society. We trust that the government will not suddenly decide to print "Braquats" and declare Dollars (or Pounds, or Euros, or whatever) useless. We trust that the bank won't wander off with all our money. We trust that our ISP isn't just putting up servers that pretend to be the Internet and are slowly stealing everything we type into our browsers. We trust that the grocery store hasn't poisoned all the produce. Virtually every social action we take involves some modicum of trust that the "other guy" is acting in reasonably good faith.
Thus far the certificate authorities have been trustworthy. Could they be compromised? Of course. Could the clerk at the grocery store be bribed to poison all the produce? Of course. Do we have any reason to think the CAs *have* been compromised? Not that I'm aware of. It's pretty straightforward. Are you doing something that needs to be *completely* secret? Exchange keys with the remote end manually. Are you doing something that needs to be as secret as one can reasonably expect while still dealing public entities? Use the CAs. They have an extremely good track record and seem to be about as trustworthy as anyone can reasonably expect.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
"A CA will protect you from anyone from whom they won't take money."
-- Paul Vixie - on the NANOG mailing list
(Going from memory here, so the quote may not be exact.)
"In the real world, you prove your identity with documents provided by a government.
In the digital world, why are we trusting certificates provided by 3rd-party business???"
-- a former coworker
Here is a link to my own reply previously: http://slashdot.org/comments.pl?sid=1534366&cid=31004066
To summarize - I don't see how the "trust system" has any meaning. I don't actually know anyone at those 160+ companies and I sure as hell don't *trust* any one of them, not as far as I can throw them.
In fact, I don't really trust anyone :) and based on that - see no reason that my SSL connection is more or less safe whether the cert for counterparty is signed by a "good" or "bad" CA. Frankly, I trust my bank or Google mail even less than a CA - so what exactly is there to protect?
Only a fool would rely on SSL based on the certificates that come with a browser to protect against government. That isn't what it is for. While I object to government snooping in principle (I object to pretty much all government activity in principle) I really have nothing to fear from the NSA learning what parts I am ordering from Jameco. Firefox, HTTPS, and Perspectives provide adequate assurance that I am communicating with the company I intend and that some clerk at some ISP can't snoop my credit card number. For more important stuff I have GPG.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Use self-signed certs. I am not talking about being more secure when doing online shopping and other silly things, but for personal/company usage.
For example, if I create my own CA and sign my own certs for my mailserver, I will import my CA cert (or accept cert once, on 1st mail retrieval, although more risky), and no matter what certificate government puts when doing mitm - I'll get a warning.
But if I buy a cert from Verisign and think that I am totally safe now, I would never get any warnings if government inserts their own certificate (generated on-fly by using Verisign issued intermediate cert with CA=TRUE constrain set, for example, if I remember the mechanics right :), when doing mitm. Can be done with sslsniff, if I remember correctly (been a while since I bothered with SSL/TLS stuff)
And government won't be able to get a cert issued by my own CA, so they won't be able to get past the checks, and I will eventually get a popup when any of their certificates show up.
I think this was a known issue since 2002 or so (look up Moxie's work).
So the problem is that two different CAs could issue certs for the same host, and some have essentially back doors?
Know what I'd like to see? How about a DNS TXT record that tells you what the real, trusted CA for a given site is? Like, let people assert "for my domain, do not trust any certs unless they come from this particular CA", using DNS as an out-of-band channel that would have to be compromised separately from the SSL negotiation.
Wouldn't that be relatively easy to implement (for those who care to), and reasonably effective against anyone who can't compromise the root DNS servers?
Enforcing the Law — using, among other things, eavesdropping on communications — and prosecuting wars, are practically the only things, a government of a free country is supposed to do. Because no one else can be allowed to do these things...
Everything else — and I do mean everything: elementary and higher education, personal retirement, health care, communications, transportation — should be left to the competing enterprises. If only because they are much easier to switch from one to another, than it is to change the government...
In Soviet Washington the swamp drains you.
Disable trust in the root certificates so that your browser always prompts you to verify an SSL certificate until you mark it as trusted. The first time you visit a site, hit it from a few different IP addresses and make sure the SSL cert matches on all the different connections to rule out a MITM attack, then verify the chain of trust up to the now-untrusted root CAs. If you think you can still trust whichever root CA signed the cert, mark the site's cert as fully trusted and the browser won't bug you until the cert changes (either due to legitimate replacement or a MITM attack).
Of course this is mostly a moot point because just about any company will happily comply with law enforcement requests to intercept your connections through a legitimate SSL session.
While not a perfect solution, this https://addons.mozilla.org/en-US/firefox/addon/6415" for firefox helps a little bit: it stores the certificates to a sqlite database in your profile and warns if the certificate changes.
If you get mitm on the first connection, you still have a problem, but the extension can at least detect if someone is trying to do it in future...
*hile*
A single false, signed certificate from anywhere provides undeniable cause to revoke a CA from all browsers.
-- I was raised on the command line, bitch
I've been crying foul about this for years, and get flame-modded every time. But even here, the researcher missed the issue. If I'm going to wiretap somebody, I'm not going to freaking request a fake key for the domain. I'm going to request the CA's signing key, and *issue* a fake certificate for *EVERY* domain my target goes to. Maybe their first connection times out at times for some reason...whatever...DNS hickup.
Most of the math can be precomputed anyway--the average user would never notice.
My only question is given that somebody "reputable" finally "published" this vulnerability, will firefox finally take self signed keys seriously? Because their attitude in recent releases is freaking disgusting. Just give me a tool to know when the key changes already--and give me some extra cautions if it changes outside a specific window of its expiration date.
A lot of these "attacks" can be prevented by properly implementing your PKI. For example, some of the articles (and several commenters) make mention of "using a Root CA to generate sub-CA's which then generate rogue certs". Sure, the system allows this to happen, but it also provides constraints to prevent it. One of usual "basic constraints" (which is an X.509 attribute) of a certificate is: "Max path length" which means: "how deep can a signature chain extend from me, if I am trusted" For most people, there should never be a trusted CA in their keystore which has a max path length greater than 1. (Meaning it can vouch for others, but those others cannot vouch for a second level of trust).
Additionally, all X.509 certificates contain a "Key Usage" field, which specifies what the key can be used to validly sign. For most people, they should never have a certificate in their root store which has the "CA signing" bit set. This is another way to prevent a "trusted" CA from creating a rogue CA which can then issue bad certs.
Finally, there are multiple methods for checking if a certificate is still trusted as part of a regular, ongoing, and sometimes even per-use basis. (OCSP, CRL, etc...) In the past, when I worked on PKI's, these often weren't implemented, but increasingly they are today most browsers support them. (Which is not to say browsers are the only users of X.509 certs.)
What this should mean is that as soon as evidence emerges that a formally "trusted" CA has done something shady, it can quickly be disabled in the field.
In a perfect world, a CA should be sufficiently incented by the threat of being "revoked" via OCSP or whatever that it would never entertain the idea of creating a rogue cert. Imagine the pressure on a large CA like Verisign if they got a root cert yanked. Suddenly ALL of their customers get labeled as compromised.
The NSA has lots of CPU power. What makes us think they need the CA's cooperation to spoof a cert? That's so 1990's thinking.
Most of these people just don't get it. The other obvious clue is that the entire PKI infrastructure was created and put into motion by the NSA. I mean, duh.
This whole CA thing is based on a hierarchical chain of trust, you can't keep it invisible for long. All certs are not equally trustable. We shouldn't get used to assimilate the "secure" icon to a completely trusted user, but just as a second grade security that our (incompetent) banks rely on. When they are not simply using http...
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Let's face it, the primary application of a trusted CA is to protect credit card numbers in ecommerce transactions. This is a great technique for that, and is in fact, well designed for that application. BTW, the government wouldn't even have to forge an SSL certificate. The basic premise of SSL assumes the secrecy of certain things. If the government could compel the CA to provide the certificates and keys, they wouldn't even theoretically have to do a man-in-the-middle attack but could circumvent the anti-eavesdropping elements of SSL entirely.
However, if you are trying to protect data which is different, and may be considered sensitive in this context, this constitutes a larger issue. At that point you basically have a few options, but they all involve running your own infrastructure.
LedgerSMB: Open source Accounting/ERP
Do I understand correctly that Verisign has been corrupted ?
If it is true, it means that Verisign authentifed certificate aren't worth zlicht.
It's a good thing removing a CA from the CA root is a simple enough thing to do.
I'm particulary glad my "secured" sites are using a CA I generated (on a non-networked computer) and that I distributed to the users.
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
Firefox and webkit and apache are extremely popular. Why not introduce a new security model, just for that combination at first, in which the browser holds the private key, encrypts the submission with it, and sends the public key to the server with which to encrypt the response, on top of using a server-side key at the same time? And augment that with a chain-of-trust model in which you can see how many of your friends (people you know personally and trust) have accepted that particular server-side cert as valid. Or any other such techniques which I don't understand because I'm not a security wonk. :-) Anyone with some clout in the community (Mozilla and/or Apache forefathers) could easily make something like this happen, since free software projects are in control of both ends. In that light I don't see why this wasn't fixed long ago.
"Just use SSH" could also be an answer for the web as well, but maybe it's better not to put all our eggs in one basket.
a self-signed cert becomes more trustworthy than a CA-verified one.