Slashdot Mirror
Government Could Forge SSL Certificates
FutureDomain writes "Is SSL becoming pointless? Researchers are poking holes in the chain of trust for SSL certificates which protect sensitive data. According to these hypothesized attacks, governments could compel certificate authorities to give them phony certificates that are signed by the CA, which are then used to perform man in the middle attacks. They point out that Verisign already makes large sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement. The researchers are developing a Firefox plugin (PDF) that checks past certificates and warns of anomalies in the issuing country, but not much can help if government starts spying on the secure connections of its own citizens."
SSL is, and always has been, and ugly hack. End-to-end encryption should be done at the IP layer, not the TCP layer. Now that we have IPSEC, we have a standard way of doing it properly. The only remaining part of the problem is key distribution, but with DNSSec we can put IPSEC public keys in DNS entries and get end-to-end encryption.
A government able to insert something into the chain of trust is still able to fake a connection, but distributing the chain of trust makes this a bit harder. The US government won't be able to insert something into a .cn domain, for example, although the Chinese government can. For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two. Unlike an SSL certificate, the IPSec key is visible to anyone, even people who don't try to make a connection, so it's much easier to spot if someone has tampered with the connection, and will be cached in ISP's DNS caches, making an unnoticed attack much harder.
I am TheRaven on Soylent News
If you really want to be secure and you are using certificates you should be self signing and exchanging the self signed certs with your partners out of band.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
And it took you how long to figure this out? Anyone with real security in mind would create their own certificates and sign them. What's always been missing is a convenient way to verify the identify of the person you're communicating with. CAs only help in certain situations. SSL has always been more about encrypted content than identification no matter what people try to tell you.
and distribute them by mail or something. That doesn't help taking to your bank,
but then again if the government wants your bank balance they'll just ask the bank.
One more nail in the coffin... (See http://nearlyperfectsoftware.com/secureajax.html for other hacks). Good thing I'm working on a protocol and libraries / utilities that can be used to replace it for all of my work, and my clients... Starting with a secure ajax framework, then on to things like POP, IMAP, SMTP, FTP, Telnet, etc. Should be cool once I get them all done.
Logic is the beginning of reason, not the end of it.
with DNSSec we can put IPSEC public keys in DNS entries
Unless the government compels domain name registrars to sign phony DNS public keys.
For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two.
Which is little different from hosting something at two different domains with TLS certs from different registrars in different countries.
SSL certificates only provide the ability to encrypt communication between a browser and a server. That's all it's for. Alas, many people have have tried to build in some level of 'trust' to SSL as well, and the money racket that has grown up around issuing SSL certificates on an ad-hoc basis just so someone's browser doesn't complain needs to go the journey. Those root certificates in your browser are just money for old rope. We definitely need something better.
Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.
When Luxembourg introduced a similar system they didn't piggy back it on an id card, but issued "signing stick" and smart cards just for the purpose of PKI.
You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.
The answer is obvious: many customers of Luxembourgish banks are foreigners, couldn't thus get a Luxembourgish id card, but wouldn't trust their own government's id cards, so an ad-hoc system was needed: Luxtrust.
Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.
And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interested in spying on communications with Luxembourgish banks. DOUBLE FAIL.
Nobody would ever seriously say that x.509's single point of failure for trusted introducers is a good idea; it just happened to be easy to deploy and got some encouragement along the way because some people could make money on it. But as soon as you look at it in terms of security, it doesn't fare very well.
OpenPGP encourages multiple certifiers for an identity: so they're all required to conspire to sell you out. Conspiracies are hard. Build your next network app on top of Gnu TLS and make sure you test with OpenPGP, so that some day we can switch to modern (and by modern, I mean about 1990-level tech) crypto.
BTW, governments are a great example, but always remember that they are not the only entities with capability or motivation to point a gun at someone. And even if you don't believe that, you've got to admit there are multiple governments, and only one of them at most, is accountable to you. Anyone who says that the cert system should be left vulnerable because the public has an interest in making sure that communications aren't "too secure," definitely isn't thinking about all the angles. The inherent weaknesses of X.509 should never have been used as an argument for building the web on it.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
There a "fix" that should help a lot: have browsers cache all certificates that they've accepted. Then, whenever a site *changes* its certificate, give a bit fat warning and optionally send the new certificate to some repository of questionable certificates.
If that repository starts to see bogus certificates signed by a CA, revoke that CA's root certificate.
To really make it work, HTTPS should have a mechanism to indicate that a certificate may not be changed until such-and-such a time, and there should be a way to (later, when using a different internet connection) tell a website what certificates you've seen that claim to identify it. That way the web site operator can go after bad CAs itself.
The fact that governments can use or abuse technology to spy on its citizens is not news. That's as newsworthy as saying that if I had possession of your computer long enough I could find out all your secrets. If you want protection from your government, you have to do something about your government. In democracies you have some options and generally have laws and the rule of law (mostly). In such countries being vigilant and vocal can make the government behave if enough citizens participate. In autocratic countries you have to expect the worst I suppose and try to work around it. Which ever is the situation, you can't trust technology, especially one relying on a shared infrastructure (e.g. internet, ca's, etc.) to safeguard your secrets from everyone, especially anyone who has physical access to it.
Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
Self-signed certs are more secure; but only if you have some way of distinguishing them. "Self signed certs" as a generic class, are man-in-the-middle city because anybody can produce one. The feds don't even have to coerce the CA, they can just sign their own.
A specific self-signed cert, that you have some out-of-band reason for trusting, is extremely secure because only by compromising the computer storing the signing key could an adversary produce a fake one of those.
The problem is, outside of fairly trivial scenarios(corporate intranet with self-signed certs, worker drones' browsers trust that cert by group policy; small group of paranoics who know each other IRL exchange keys under the bridge at midnight), establishing that out of band reason for trusting a cert is a pain in the ass, and not amenable to any particularly clear solution.
CAs are basically the ugly-not-really-all-that-good solution that has the virtue of working in practice. You trust the cert because the big corporation whose business is attesting to the trustworthiness of certs says you should trust it. Easy, simple, and actually works ok from a strictly financial perspective(ie. the amount of money that Verisign can make by selling overpriced sequences of bits that make the magic green bar appear in consumer browsers is greater than the amount that they could make by MiTM attacking a whole bunch of banking sessions and then fleeing to Namibia with their reputation in tatters).
Where it breaks down is non-strictly-financial situations. It is highly unlikely that clandestine cooperation, for surveillance purposes, with state agencies is all that costly to Verisign, or their ilk(and may in fact be lucrative, as doing various sorts of wiretaps is for the telcomms). If your threat space is just occupied by script-kiddies and Ukranian cyber criminals, commercial CAs work pretty well. If it is occupied by state entities who want information rather than money, there is no particular reason to expect them to work.
Essentially if you really want secure end to end communication with someone that is more or less fool proof and not subject to outside interference you have to manually exchange keys. It's always been this way. Any time you do less you are trusting *someone* other than yourself and person at the remote end. The simple point is that we *have* to trust someone to exist in society. We trust that the government will not suddenly decide to print "Braquats" and declare Dollars (or Pounds, or Euros, or whatever) useless. We trust that the bank won't wander off with all our money. We trust that our ISP isn't just putting up servers that pretend to be the Internet and are slowly stealing everything we type into our browsers. We trust that the grocery store hasn't poisoned all the produce. Virtually every social action we take involves some modicum of trust that the "other guy" is acting in reasonably good faith.
Thus far the certificate authorities have been trustworthy. Could they be compromised? Of course. Could the clerk at the grocery store be bribed to poison all the produce? Of course. Do we have any reason to think the CAs *have* been compromised? Not that I'm aware of. It's pretty straightforward. Are you doing something that needs to be *completely* secret? Exchange keys with the remote end manually. Are you doing something that needs to be as secret as one can reasonably expect while still dealing public entities? Use the CAs. They have an extremely good track record and seem to be about as trustworthy as anyone can reasonably expect.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
The problem is they don't need to get the cooperation of the CA that is actually in use, only that of one of the long list that your browser trusts.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register