Rogue SSL Certs Issued For CIA, MI6, Mossad
Orome1 writes with this excerpt from Help Net Security: "The number of rogue SSL certificates issued by Dutch CA DigiNotar has ballooned from one to a couple dozen to over 250 to 531 in just a few days. As Jacob Appelbaum of the Tor project shared the full list of the rogue certificates, it became clear that fraudulent certificates for domains of a number of intelligence agencies from around the world were also issued during the CA's compromise — including the CIA, MI6 and Mossad. Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, WordPress and many others."
We've now had proof positive that no centralized trust system is workable against a sustained attack. Can we start to get some distributed trust systems in place, instead? The idea of a single proof of identity has failed. It's time to move on to a system that allows multiple checks and balances.
Monocultures are great for creating massive failures, which is why nature wipes them out over time.
At least you know how many and which certs were issued from an authority that you run yourself.
The chain of trust is only as strong as the weakest link in the chain.
http://lkml.org/lkml/2005/8/20/95
It may not be complete, but F-Secure has a list of the ones created, including *.*.com, *.*.org, www.cia.gov, addons.mozilla.org, *.torproject.org, etc.
Test your net with Netalyzr
The root of the problem (pun intended) is NOT that the SSL/TLS certificate hierarchy is a centralized trust, but that there are hundreds of roots of trust, any one of which may be compromised, and all of which are considered equally valid by the browser.
Who outside of the Netherlands even heard about DigiNotar before this happened?
This is why some people like the idea of using DNSSEC for distributing key material: there exists only a single valid path of trust to a single root for a key associated with any given name. It's actually more centralized than SSL/TLS, which is what is desired.
You can't trust the root CAs. The whole infrastructure is broken and needs to be replaced with something else.
For a start, web browsers should notify users if a certificate was replaced, even if the replacement is signed. And browsers shouldn't go into full panic mode over self-signed certs. They're still safer than using an unencrypted connection.
Extended validation certificates were definitely a step in the right direction, with a pretty green favicon background.
But that wasn't enough. So we went to Ultra-yotta-analprobed-extended-validated-certificates with a plaid favicon background, thus fixing the problem forever.
Nerd rage is the funniest rage.
According to this article:
"Actually I think the secret service domains are the least alarming part. It's sexy, and will probably lead to a lot of questions and interest from government agencies. Of course, nobody wants to get caught with their pants down, but there's really no classified information on these domains. Those are on separate, secured internal networks. So the practical security impact of the Iranian government getting a certificate for the CIA is nil. It's really just very embarrassing, that's all," said Soghoian in an interview with Webwereld.
Related: Forget Rogue, Microsoft handed the ability to intercept SSL on Windows (another WikiLeaks revelation, translated) to Tunisian dictator Ben Ali, apparently in return for contracts, stifling open source competition, etc. in Tunisia and allowing them to intercept Facebook, Google, ... before the Arab Spring revolution took place.
Yeah it does. Go look at your account settings again. I've been using SSL on facebook for several months now.
And according to Trend Micro, 'someone' made rather heavy use of the DigiNotar certificates on ~40 different networks in Iran: http://blog.trendmicro.com/diginotar-iranians-the-real-target
This is capitalism. DigiNotar screws up, so they won't be able to charge money anymore.
What you've described is exactly what we have right now except for the pubkeys in DNS part.
A domain owner does establish their own keys: you generate a key pair and send it to the registrar to be signed.
The problem right now isn't lack of capitalism. It isn't that you can't establish your own key.
The problem is that there are 150 registrars you might trust to certify a site. One of them is valid and the other 149 are just opportunities to get fooled by bogus certs. And the system doesn't even try to make it easier to figure out which is which.
Unfortunately (or fortunately, depending on your point of view), most browsers do not support nested-wildcard certificates.
(I have tried it).
The CA I usually use catches it and warns you, but some other CAs take your money and leave you with a mostly-useless certificate.
I've just checked my certs in Chrome and DigiNotar isn't there. I've got the "check for server certificate revocation" option ticked, which I guess must be on by default.
Nick
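The check described above ("is DigiNotar in my trust store?") and the "hundreds of equally valid roots" complaint earlier in the thread can both be scripted against the roots your local OpenSSL build trusts. This is an added example, not code from the thread; the sample store below is constructed in the shape `ssl.SSLContext.get_ca_certs()` returns, and the organisation names in it are made up apart from DigiNotar.

```python
import ssl
from collections import Counter

# Constructed sample in the layout get_ca_certs()/getpeercert() use
# (tuple of RDNs, each a tuple of (attribute, value) pairs). Not a real store.
SAMPLE_STORE = [
    {"subject": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Inc."),),
                 (("commonName", "Example Root CA"),))},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust Inc."),),
                 (("commonName", "Example Root CA G2"),))},
]


def rdn_value(name, key):
    """Return one attribute (e.g. organizationName) from an RDN sequence, or None."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def load_system_roots():
    """Root CAs the local Python/OpenSSL build trusts for server authentication."""
    ctx = ssl.create_default_context()  # loads the platform default CA store
    return ctx.get_ca_certs()


def audit_roots(store, flagged_orgs):
    """Count roots and distinct organisations; list roots whose organisation is flagged.

    The second number is the 'how many parties can vouch for any site' figure
    the thread complains about; every one of them is equally trusted."""
    orgs = Counter(rdn_value(c["subject"], "organizationName") for c in store)
    flagged = [rdn_value(c["subject"], "commonName") for c in store
               if rdn_value(c["subject"], "organizationName") in flagged_orgs]
    return {"root_count": len(store), "organisations": len(orgs), "flagged": flagged}


if __name__ == "__main__":
    print("constructed store:", audit_roots(SAMPLE_STORE, {"DigiNotar"}))
    print("this machine:     ", audit_roots(load_system_roots(), {"DigiNotar"}))
```

Browsers such as Chrome and Firefox ship their own root lists, so a clean result from OpenSSL's store says nothing about what the browser trusts.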
See this statement:
http://www.4-traders.com/VASCO-DATA-SEC-USD-11275/news/VASCO-DATA-SEC-USD-VASCO-DigiNotar-Statement-13782237/
Self-signed certs are an improvement because they're harder to forge or steal. In case you haven't been paying attention over the last few years, we have this thing called Distributed Verification AKA an SSL Notary system to prevent MITM attacks.
The centrally controlled system of CAs relies on perfect security at the CA (which, as we've seen, they don't have) and a constant game of whack-a-mole to revoke certs. Long story short, we have to stop using certs for authentication. It was a stupid idea, but we all crossed our fingers and hoped it could work; as we can see now, it can't. It's better to just use a self-signed cert that can't be stolen or forged at your choice of a few convenient locations and use distributed verification to prevent MITM attacks. That way you know you have an encrypted connection between your PC and the web host using the same cert other people around the world are seeing, and that's the most you can hope for without sending out-of-channel information (which isn't the worst idea in the world, BTW) or relying on some idiotic system of "trust dealers" like CAs, which are just a disaster waiting to happen.
"When information is power, privacy is freedom" - Jah-Wren Ryel
And how is this web of trust better than a distributed verification system like Perspectives / Convergence? I think asking Average Joe users to attend key signing parties is a bit much.
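The two ideas argued for above, a browser that warns when a site's certificate is replaced even though the new one is signed, and Perspectives/Convergence-style distributed verification where independent notaries report the certificate they see, combine into one decision procedure. This is an added example, not code from the thread or from either project; the notary names, the quorum of 3, and the byte strings standing in for DER certificates are all constructed.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-1 of a DER certificate, the value notaries and pin stores record."""
    return hashlib.sha1(cert_der).hexdigest()


def notary_verdict(seen: str, notary_views: dict, quorum: int) -> str:
    """Compare the client's view with what independent vantage points saw.
    'agree': at least `quorum` notaries saw the same fingerprint;
    'disagree': enough answered, but they saw something else (MITM suspected);
    'insufficient': too few notaries answered (None = no response)."""
    views = [fp for fp in notary_views.values() if fp is not None]
    if len(views) < quorum:
        return "insufficient"
    return "agree" if views.count(seen) >= quorum else "disagree"


def check_host(host: str, seen: str, notary_views: dict, pins: dict, quorum: int = 3):
    """Trust-on-first-use pin store plus notary quorum. Returns (decision, reason)
    and updates `pins` only when the client should go ahead with `seen`."""
    pinned = pins.get(host)
    if pinned == seen:
        return "accept", "matches pinned fingerprint"
    verdict = notary_verdict(seen, notary_views, quorum)
    if pinned is not None:  # certificate replaced: warn even if notaries confirm it
        if verdict == "agree":
            pins[host] = seen
            return "warn", "certificate replaced; notaries agree with the new one"
        return "reject", "certificate replaced and notaries do not confirm it"
    if verdict == "agree":
        pins[host] = seen
        return "accept", "first use; notaries agree"
    decision = "reject" if verdict == "disagree" else "warn"
    return decision, f"first use; notaries {verdict}"


# Constructed sample: made-up bytes stand in for real DER certificates.
GOOD_FP = fingerprint(b"constructed DER for www.example.test, legitimate cert")
MITM_FP = fingerprint(b"constructed DER for www.example.test, substituted cert")
NOTARIES = {"notary-a": GOOD_FP, "notary-b": GOOD_FP, "notary-c": GOOD_FP, "notary-d": None}

if __name__ == "__main__":
    pins = {}
    print(check_host("www.example.test", GOOD_FP, NOTARIES, pins))  # first use, accepted
    print(check_host("www.example.test", MITM_FP, NOTARIES, pins))  # replaced, rejected
```

A real client would also have to fetch the notary views over connections the attacker cannot tamper with, which is the part both projects spend most of their design on.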
Hot chicks? Oh yeah you bet!...most likely...probably...
Anyways, here's a pic of some of the hot action you might get to be a part of!
http://en.wikipedia.org/wiki/File:FOSDEM_2008_Key_signing_party.jpg
The Three Letter Agencies generate their own cert chains themselves (except those outsourced by the Shiva program), and employees used to manually confirm the fingerprints and tell their browsers to trust those custom certs plus those of their Sri Lankan support agency; Chinese contractors and another 5375 certificates from old contracts that nobody can remember which ones matter any more? In other words, their internal sensitive data shouldn't be at greater than commercially acceptable risk of exposure due to the DigiNotar problems, because they'd have been crazy to depend on a cert root that they didn't generate in the days when they could afford to spend time defending the USA and not just chasing down evil anti-globalisation and other protesters anyway whilst having to spend hours a day listening to whining from prisoners they're torturing. I can see how this whole fiasco might make a difference for some non-employee accessing a CIA (or whichever) web site, but other than that, it shouldn't be significant for the TLAs' senior management... right?
-Karl Fogel
FTFY. Sorry about the loss of conciseness.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Not really. Any government can get their state CA included in the Windows root CA list just for the asking. OSX and Firefox are slightly more restrictive, but not in a useful way; they allow lots of state CAs as well.
This is a broad problem with the HTTPS system, too many unrestricted root CAs with no concern for realistic security scenarios.
This is not a good system, but it has nothing to do with Tunisia. The WikiLeaks cable you posted doesn't even talk about SSL, just about how using supported Microsoft software in the government will make the government more effective at everything, including domestic espionage.
There has been a lot of push at the recent DEFCON conferences, and associated conversation since, to look at alternatives to the current CA system. Moxie Marlinspike has been pushing a remote-view notary system called which is currently a Firefox plug-in, and Dan Kaminsky has been pushing for DNSSEC.
There has been an awful lot of discussion about the technical details of SSL certificates on the Security StackExchange (Stack Overflow cousin) website, including the related blog post I penned: A Risk-Based Look at Fixing the Certificate Authority Problem.
SIG: HUP
Why, oh why, do "FOSSies" constantly suggest unworkable solutions that simply would not work for the vast majority of people on the internet? "Web of trust"? Really? Unless you plug that into some kind of by-extension untrusted system (like Facebook, MSN, or something of the like) then no one except the "nerds" will bother to set up that web, resulting in the same security we have now. "Verify fingerprints at the branch"? No one (not even most nerds) will bother with that; the very thought of expecting normal, average people to go "verify" a 64-character (or longer) SHA-1 thumbprint in the flesh is laughable. They'll just click "accept" like they do now, and wonder why someone in Zimbabwe stole all their money.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Uh, it pretty much already happened.
(That is, Microsoft, Google, Mozilla, etc., have dropped them, the various logistics are shaking out as we speak.)
Except... in the Netherlands, where DigiNotar is operating from. The government has demanded that Microsoft delay the rollout of this patch in the Netherlands, because it would cause too many problems for users, and because they need more time themselves to get all certificates replaced.
Dutch article about this, including a link to the preliminary report about DigiNotar, here: http://tweakers.net/nieuws/76587/overheid-dwingt-bij-microsoft-vertraagde-windows.html
In the end it was both disturbing how easy it was for someone to use my credit card, and impressive how a couple of minor charges were so quickly and accurately detected as fraud...
On the other hand, the fraud detection systems on credit cards can often be a pain to customers because they get a large number of false positives. My cards have been disabled numerous times because the bank thought that I was making a fraudulent transaction, usually either when I made a card-not-present purchase over the phone, or when I was away from home and therefore not within my normal pattern of transactions and locations.
The bank's automated systems do phone me to tell me that they have detected fraud, but this isn't helpful if I'm away on holiday somewhere where I can't get a mobile phone signal; I could be left without access to any money for a week until I can get somewhere where there is a phone signal. Also, usually they require that I phone them back on an 0845 or 0870 phone number to confirm the transaction is OK, which is quite costly to me (but not to them; they get paid to receive calls on these numbers, which makes it not really in their interest to improve the system).
I'm also increasingly finding that the banks engage in security theatre, implementing systems that inconvenience their customers whilst providing no extra security. For example, to "increase security", one of my banks now requires me to remember about 15 random digits that can't be changed in order to log into the online banking system. They advise that I must not write down these digits... needless to say, I wrote down the numbers because I'm buggered if I can remember 15 random digits. Does this really increase security? If it were 4 digits then an attacker would require an average of 500 attempts to log in and I would hope the bank's login system would lock the account out long before that many attempts were made. In fact, making the login details impossible to remember actually decreases security because the user is forced to write it down.
Another example is the crazy 3-D Secure system, which involves the customer entering confidential details into a web page that is served from some random unrecognisable domain (it isn't the website they are purchasing from, it isn't their bank, it isn't Visa/Mastercard themselves, it is some random third-party domain).
One thing I have found good is Santander's recent introduction of SMS OTP: if I make a money transfer via their web banking system, it will SMS me a one-time passcode which I then enter before the transaction goes ahead. This works well for me because I pretty much always have my phone with me, and is much better than the other banks I deal with, who have bulky "card reader" devices to generate keys, which are almost as big as my phone; I'm not going to carry them around with me, so web banking suddenly becomes a lot less useful.
http://blog.nexusuk.org