Slashdot Mirror

← Back to Stories (view on slashdot.org)

Government Could Forge SSL Certificates

Posted by Soulskill on from the bureaucrat-in-the-middle dept.

FutureDomain writes "Is SSL becoming pointless? Researchers are poking holes in the chain of trust for SSL certificates which protect sensitive data. According to these hypothesized attacks, governments could compel certificate authorities to give them phony certificates that are signed by the CA, which are then used to perform man in the middle attacks. They point out that Verisign already makes large sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement. The researchers are developing a Firefox plugin (PDF) that checks past certificates and warns of anomalies in the issuing country, but not much can help if government starts spying on the secure connections of its own citizens."

2 of 168 comments (clear)

  1. Banking secrecy laws by ArsenneLupin · · Score: 4, Interesting
    Not a theoretical concern, but a very real one.

    Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.

    When Luxembourg introduced a similar system they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.

    You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.

    The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.

    Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.

    And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.

  2. Re:Is it time yet? by petermgreen · · Score: 3, Interesting

    The problem is they don't need to get the cooperation of the CA that is actually in use, only that of one of the long list that your browser trusts.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register