Slashdot Mirror


Anonymous Source Claims Feds Demand Private SSL Keys From Web Services

Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications." If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.

276 comments

  1. "Main-in-the-middle"? by Lieutenant_Dan · · Score: 5, Funny

    Well, at least it's not "man-in-the-middle" because that would be bad.

    --
    Wearing pants should always be optional.
    1. Re:"Main-in-the-middle"? by TWiTfan · · Score: 4, Insightful

      It's not a "man in the middle" attack. It's the "government on top" attack.

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
    2. Re:"Main-in-the-middle"? by lgw · · Score: 5, Interesting

      The larger issue IMO is

governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications.

      We haven't had a constitutional amendment in the US for some time now. We need one here. Forget specific technologies and the bizarre precedents that have twisted the 4th to allow this - we need a major reset.

Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

I can accept a lower bar for "collecting and storing information" than for "searching" but there must be some bar to clear.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      I fully agree, however, that is far too vague. The government does need access to some information such as census data, social security and related information, or even voter registration. That, and much more, is all controlled by the government and some of it may be public information that no ordinary person would care about them having access to.

      The problem is that it is hard to write up a set of rules for what is allowed and what isn't. Too specific and it gets worked around, too vague and it is meaningless or counter-productive.

    4. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      I fully agree, however, that is far too vague. The government does need access to some information such as census data, social security and related information, or even voter registration. That, and much more, is all controlled by the government and some of it may be public information that no ordinary person would care about them having access to.

      The problem is that it is hard to write up a set of rules for what is allowed and what isn't. Too specific and it gets worked around, too vague and it is meaningless or counter-productive.

      I'd rather they didn't collect census data about me. I'd also rather they skipped the social security bullshit as well, considering it's unlikely that I will ever see any benefits from the system. I'm sure they'll find a way to let me keep the privilege of paying into it, though.

    5. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

Is "on top" supposed to make me feel better since it's not the "backdoor"?

    6. Re:"Main-in-the-middle"? by ProzacPatient · · Score: 2, Funny

      Shouldn't it be called "the-man-in-the-middle" since it's being done by The Man, man?

    7. Re:"Main-in-the-middle"? by pixelpusher220 · · Score: 1

      Probably has to be agency specific, as others have noted, some agencies legitimately do need your information to properly provide services.

      Not a bad first start though.

      Maybe something like 'information collected may not be used for prosecution except when collected under issuance of a warrant.'

      Constitution writing is hard :)

      --
      People in cars cause accidents....accidents in cars cause people :-D
    8. Re:"Main-in-the-middle"? by lgw · · Score: 4, Insightful

      I chose "the activities of a citizen" as a way to say "what we do, not who we are". Keeping "who we are" records: birth certificates, permits licensing of various kinds, etc, is different in kind from monitoring daily activities. But I'm no lawyer and don't know how to say this better.

      Also, why does the government need "census data" beyond a simple headcount? Heck, I'd like to move to an income tax system that's purely a payroll tax (so the government doesn't learn how much any given individual makes, but can still tax our income).

      The government collects every bit of information it possibly can, but it's time to start saying "NO! Find a way to do that without spying on us!" It's time for the pendulum to swing the other way.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re:"Main-in-the-middle"? by sl4shd0rk · · Score: 4, Funny

      It's the "government on top" attack.

      Don't you mean "government from behind"?

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    10. Re:"Main-in-the-middle"? by datavirtue · · Score: 1

      The government does need access to some information such as census data

      Why? Taxation? Our antiquated income taxation system that stifles economic activity? Change over to a VAT-type or sales-tax type system and you wouldn't have to mess with a census.

      --
      I object to power without constructive purpose. --Spock
    11. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      It's not a "man in the middle" attack. It's the "government on top" attack.

      It is the standard fuck-you-all type of attack.

    12. Re:"Main-in-the-middle"? by NatasRevol · · Score: 1

      Don't see why it can't be both.

      --
      There are two types of people in the world: Those who crave closure
    13. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Being how we're getting ass-raped anyways, sure.

    14. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 1

      Thank you for drawing a hard line and ensuring that no thinking person is ever going to agree with you. Please, stop making us who can actually be reasonable look stupid.

    15. Re:"Main-in-the-middle"? by jythie · · Score: 1

      Even if we had a constitutional amendment along those lines, they would simply pull the 'except when related to national security' like they have for so many other things that you would think would be protected.

    16. Re:"Main-in-the-middle"? by jythie · · Score: 2

      Census data is also used for things like determining how many representatives you get in congress. It is also used for all sorts of long term planning.

    17. Re:"Main-in-the-middle"? by SuricouRaven · · Score: 0

Both taxation and representation - population matters for deciding who the various elected officials are elected by and who they represent. That's why the constitution requires a census every ten years. The writers actually specified their reasoning in the text itself: "Representatives and direct Taxes shall be apportioned among the several States ... according to their respective Numbers ... . The actual Enumeration shall be made within three Years after the first Meeting of the Congress of the United States, and within every subsequent Term of ten Years".

    18. Re:"Main-in-the-middle"? by evilRhino · · Score: 2

      There isn't anything wrong with the 4th Amendment. The problem is that Congress has authorized and re-authorized the PATRIOT act that allows this type of surveillance. If we have an amendment, it should be for Congress to start representing Americans instead of donors, who pick up these fat contracts to spy on us.

    19. Re:"Main-in-the-middle"? by SuricouRaven · · Score: 1

      Huge loophole: What is meant by 'prosecution?' That might stop the government from openly jailing someone for upsetting a senator, but it doesn't stop classic abuses like poking at the victim's life to find another crime they can be prosecuted for (Everyone has broken a law somewhere), or subjecting them to intensive audits and investigations that could leave their reputation ruined. It's quite possible to persecute without prosecuting.

    20. Re:"Main-in-the-middle"? by Em+Adespoton · · Score: 1

      I fully agree, however, that is far too vague. The government does need access to some information such as census data, social security and related information, or even voter registration. That, and much more, is all controlled by the government and some of it may be public information that no ordinary person would care about them having access to.

      The problem is that it is hard to write up a set of rules for what is allowed and what isn't. Too specific and it gets worked around, too vague and it is meaningless or counter-productive.

      Easy to fix: just take a page from the insurance broker's playbook and have some "named damages" laws. Any purpose not named is not allowed without a warrant or an amendment. NOT subject to change without notice, and any changes must be submitted as stand-alone bills (that last bit, I'd like to see added to many pieces of legislation).

    21. Re:"Main-in-the-middle"? by lgw · · Score: 2

      Right, so why does the government need "census data" beyond a simple headcount? The constitution calls for a headcount, but the government naturally uses it as an excuse to collect all the additional data it can get away with. Will they ask "list every online alias you've ever used" in the next census? Would it really surprise anyone here if they did?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    22. Re:"Main-in-the-middle"? by lgw · · Score: 1

      The government will eventually work around every possible bar to gaining power. But not instantly. Constitutional amendments are the strongest way to push back the boundary for a while. Each generation needs to push it back again. We missed a generation, and look where it got us!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    23. Re:"Main-in-the-middle"? by ejasons · · Score: 2

      What would the purpose of this be? They would just violate that amendment also.

      That is the biggest problem with the Constitution -- if the branches of the government are allied, there is no way to punish anyone for violating its tenets.

    24. Re:"Main-in-the-middle"? by jythie · · Score: 1

Constitutional amendments do not help as much as you might think. Looking at the history of the Bill of Rights for instance, enforcement of the various rights generally increased over time, not decreased. In the original debates there was quite a bit of 'well of course we didn't mean THAT type of case'. Our modern recognition of many of the provisions is much broader than how they were treated even 100 years ago.

    25. Re:"Main-in-the-middle"? by evilRhino · · Score: 1

      Don't they teach kids civics anymore? The number of representatives in the house per state is determined by the census results. It's required by the constitution. You're wrong about the tax system, also.

    26. Re:"Main-in-the-middle"? by lgw · · Score: 1

      Maybe not, but it's the strongest non-violent method we have, and we haven't tried it yet. Maybe we should. I really really don't like the alternatives.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    27. Re:"Main-in-the-middle"? by pixelpusher220 · · Score: 1

      Agreed. hence why it's hard :)

      --
      People in cars cause accidents....accidents in cars cause people :-D
    28. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Oh that's easy to solve - just make the CEO of the largest corporation/special interest in the State your representative. It's essentially what we've got now, only it takes hundreds of thousands of extra people to make it not work.

    29. Re:"Main-in-the-middle"? by CrimsonAvenger · · Score: 2

      Will they ask "list every online alias you've ever used" in the next census

      Probably not...

      Would it really surprise anyone here if they did?

      Yes.

      Now, the census after that? Wouldn't be at all surprised...

      Oh, and thanks for giving them the idea....;-)

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
    30. Re:"Main-in-the-middle"? by grantspassalan · · Score: 1

      From the way the government has been ignoring the Constitution already, what makes you think that any additional amendments of any kind will change that?

      --
      A sufficiently advanced simulation is indistinguishable from reality.
    31. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Well, at least it's not "man-in-the-middle" because that would be bad.

      On the other hand, "Maid-in-the-middle" was a pretty good pr0n movie.

    32. Re:"Main-in-the-middle"? by slick7 · · Score: 1

      Probably has to be agency specific, as others have noted, some agencies legitimately do need your information to properly provide services. Not a bad first start though. Maybe something like 'information collected may not be used for prosecution except when collected under issuance of a warrant.' Constitution writing is hard :)

      Nothing bad will happen until someone loses an eye or breaks a finger, then, we'll see the corruption inherent in the system. The road to ruin is paved with good intentions.

      --
      The mind conceives, the body achieves, the spirit manifests.
    33. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Throw in something about passport revocation while in transit ( or in flight ), that's a worse crime.

      Being 'reasonable' is just inviting them in further.

      These inquiries/behaviors are SUPPOSED to be hard for a government to do, that is the point.

      They just got tired of paying off the judges.

      You're Goldstein now, bitch.

      jr

    34. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Probably has to be agency specific, as others have noted, some agencies legitimately do need your information to properly provide services.
      Not a bad first start though.
      Maybe something like 'information collected may not be used for prosecution except when collected under issuance of a warrant.'
      Constitution writing is hard :)

      The current program would still be legal in that case. The argument they're using is that data is collected, but they need a warrant to look at specific data.

    35. Re:"Main-in-the-middle"? by sjames · · Score: 1

      At this point, we need an amendment that simply reads "No means NO!"

      Then we need one that says the other amendments mean what they say. No 'special' interpretations or weird definitions of words. Especially no secret interpretations.

    36. Re:"Main-in-the-middle"? by pixelpusher220 · · Score: 1

      The argument they're using is that data is collected, but they need a warrant to look at specific data.

      So question: what if they were in possession of data clearly laying out 9/11 but they hadn't searched it yet? Do you really think they aren't looking at ALL that data with keywords from the get go?

      Automated systems are going to be crawling and indexing this data, hence they *are* looking at it.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    37. Re:"Main-in-the-middle"? by davester666 · · Score: 1

      Or rather...

      It feels like both right now.

      --
      Sleep your way to a whiter smile...date a dentist!
    38. Re:"Main-in-the-middle"? by davester666 · · Score: 1

      Even if they didn't, the NSA has a long history of blatantly violating the law without any consequences.

      --
      Sleep your way to a whiter smile...date a dentist!
    39. Re:"Main-in-the-middle"? by Roachie · · Score: 1

      I like to put main toward the end, you know, for scope.

      --
      This sig is not paradoxical or ironic.
    40. Re:"Main-in-the-middle"? by cheekyjohnson · · Score: 2

      and ensuring that no thinking person is ever going to agree with you.

      The general public isn't made up of thinking people anyway.

      --
      Filthy, filthy copyrapists!
    41. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

      They could just get some corporation to do that, and then claim they are giving you the small government you all wanted ;)

    42. Re:"Main-in-the-middle"? by msc.buff · · Score: 1

      How about we stop creating a list of things they CAN'T do and instead enforce the list of things we 'supposedly' told them they CAN do? This is my fundamental problem with the Constitution...you do NOT create a document which says you can do this and can't do that but yes to this and no to that. That just creates a system for loopholes and misinterpretation.

      Imagine if you had to create a list of the things you did NOT want your mechanic to do when you dropped off your car for an oil change...

      Also, I say 'supposedly' because nobody has granted any authority to the US Constitution since the original signers. How much is an unsigned contract worth again? Can you be born into a contract?

      It's time to start over...

    43. Re:"Main-in-the-middle"? by tepples · · Score: 1

      Right, so why does the government need "census data" beyond a simple headcount?

      They need date of birth because some individuals are by law ineligible to vote.

    44. Re:"Main-in-the-middle"? by balbus000 · · Score: 1

      No, top works just fine.

    45. Re:"Main-in-the-middle"? by tacokill · · Score: 1

      Right....so a head count

    46. Re:"Main-in-the-middle"? by Anonymous Coward · · Score: 0

      Yea, and with a carrier group sized one to really make a point.

  2. Self signed? by Ubi_NL · · Score: 4, Interesting

    Does this mean a self-signed certificate is more secure than a commercial one?

    --
    If an experiment works, something has gone wrong.
    1. Re:Self signed? by i+kan+reed · · Score: 1

      That's actually been my opinion a while. When Firefox tells me "This connection may not be trusted" I'm less inclined to worry, because the CA is just one extra link in the chain to be broken.

    2. Re:Self signed? by Anonymous Coward · · Score: 0

      as long as you trust the source... which could have already been hijacked ;)
      so maybe self signed preshared certs?

    3. Re:Self signed? by Darkinspiration · · Score: 2

      Kind of ironic then that every modern browser treats self-signed like a pestilence. Frankly I've always thought that forcing warnings on self-signed was more about creating a legitimate certificate racket. I mean when buying a wildcard certificate costs you more than $5000....

    4. Re:Self signed? by GameboyRMH · · Score: 1, Insightful

      In some situations yes, but in those same situations I don't think this news really changes anything (where you set up the cert yourself on one of your own servers for use by yourself, for instance). Otherwise this just means that these certs are slightly less secure because governments have a copy. If you're connecting to a strange server, it may be better to have a signed cert because they're still not quite as easy to come by as a self-signed one.

      In any case this doesn't change the old fact that a self-signed cert is at least as good as an unsecured connection and browsers should stop throwing a shit-fit when they run into one.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:Self signed? by MightyMartian · · Score: 4, Interesting

      Yes, providing you can guarantee the security of the private keys, if you're concerned about government(s) spying on your communications, that is definitely the way to go.

      For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to take physical access to the server and to the private keys to compromise the system.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:Self signed? by Todd+Knarr · · Score: 5, Informative

      No. The Feds are requesting the private keys from the server operators themselves, not from the CA. A self-signed certificate's no guarantee the site operator hasn't coughed up the private half to the surveillance people. I'm not any more worried about this, though, since as demonstrated with XMission the government doesn't need to eavesdrop on communications when they can get access directly at the server end of things. As long as the Feds can threaten the site operator with unspecified nasty things if they don't cooperate or if they even say a word about what's going on, I have to assume any site I don't control myself is potentially compromised and any data sent to it's potentially visible to the various agencies involved or to the private contractors those agencies are using to do the grunt work. In many cases that doesn't matter much since the nature of the site's such that I won't put anything sensitive or compromising on it in the first place.

    7. Re:Self signed? by h4rr4r · · Score: 2

      A wild card cert is a lot cheaper than that.
      $600 is closer to what they actually cost.

    8. Re:Self signed? by alostpacket · · Score: 1

      Not more, but not necessarily less. With a self-signed cert, you can't verify the identity of the signer/cert. With the possibility of a compromised CA, you have (essentially) the same problem. (As far as I understand it anyways).

      What I would like to know is what (if anything) can be done to verify keys without a CA? I don't know that much about crypto, so am genuinely curious. Are there techniques to do this? (Diffie-Hellman-Merkle?)

      --
      PocketPermissions Android Permission Guide
    9. Re:Self signed? by Anonymous Coward · · Score: 0

      Shit. Yes it does.
      If the master certs for the major signing authorities are compromised then rolling your own CA (or self-signing) is indeed more secure.

    10. Re:Self signed? by Anonymous Coward · · Score: 0

      You don't give a private key to the Certificate Authority to be signed; only the public key. The same public key that you give out to each SSL/TLS connection. Getting your key signed by a commercial CA does not make it more or less secure, it only changes who trusts your key by default.

    11. Re:Self signed? by Daimanta · · Score: 1

      I really dislike the way certificates are treated right now. Certs incorporate two different things, namely authentication and encryption. Of course I understand that it is more secure to have an encrypted channel while communicating with a host that needs to be authenticated but the reverse isn't always the case.

      Sometimes I am not interested in authentication with a machine because I know that the machine in question is the right one. What I AM interested in is the fact that I should be able to communicate with that machine knowing that an outsider won't snoop on my line. The most common application I can think of where there is only authentication is an SSH connection. The fact that the link is encrypted is essential given that user data and other sensitive data passes a lot of (NSA-enabled) routers on the internet. Given the simple authentication (this is the key, are you sure?), you can quickly set up an encrypted connection without the hassle.

      The www is more annoying in this respect. You have to buy (this implies paying and spending time) a certificate from a signing authority and only then you can safely browse the web the way it SHOULD be. What complicates matters is that (some/all?) browsers are absolutely allergic to self-signed certs. This is purely placebo since it is just as easy to build your own signing authority and sign your own cert with that authority. Apparently, some browsers (Firefox, I'm looking at you) don't have the reserve while the security level is exactly the same since evildoers are probably willing to go the extra mile and create their own signing authority.
      There is only one option: allow self-signing as an encryption measure but not as an authentication measure. Naturally you have to take care while doing this since it could imply that any encrypted connection is secure. On the other hand, I'm not sure that people even look at the cert status of, let's say, a bank while they are connecting. The people who do that are smart enough to do the right thing anyway.

      --
      Knowledge is power. Knowledge shared is power lost.
    12. Re:Self signed? by Sarten-X · · Score: 4, Insightful

      No. When a CA signs a certificate, they don't get the private key used for decryption. They just assert that a particular public key really does belong to who it says.

      If the NSA has Verisign's key, for example, they'd be able to do two things:

      1. decrypt traffic sent to Verisign, which isn't very useful in itself
      2. Create and sign their own certificates as though they were Verisign.

      The latter is where the man-in-the-middle attack comes in. The NSA can claim to be whoever you're trying to reach, and the certificate will look valid and be trusted by default on any system that trusts Verisign. On the other hand, a self-signed certificate isn't signed by anybody else. The NSA doesn't need anyone else's private keys to make their own and claim to be anyone. The client will see the certificate, ask you if you trust it, and unless you're in the habit of memorizing certificate fingerprints, you won't notice a difference. Once any certificate is trusted (either by default or by your acceptance), your traffic will be sent to (and decrypted by) the certificate holder.

      This is actually already a problem. CAs have been compromised, and their stolen credentials have been used to sign certificates claiming to be governments, Microsoft, and other generally-trusted sites. The apparently-trusted certificates are then used to make scams look more legitimate.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    13. Re:Self signed? by TWiTfan · · Score: 2

      The Feds are requesting the private keys from the server operators themselves, not from the CA.

      Something tells me that before this is over, we'll find out they've been requesting them (and getting them) from the CA's too.

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
    14. Re:Self signed? by Anonymous Coward · · Score: 0

      Why isn't anyone putting HTTPS certs into DNSSEC-enabled zones and making it a standard?

      Oh right, all CAs would be useless and massive profits^W^Wjobs would be lost.

    15. Re:Self signed? by Anonymous Coward · · Score: 0

      If browsers didn't give these warnings then the NSA could just straight-up issue their own self-signed certs for any website they please and man-in-the-middle anyone at their leisure.

      On another note, wild card certs cost a lot less than $5k. You can get one for 1/10th that price (per year) if you look around.

    16. Re:Self signed? by Sarten-X · · Score: 2

      With a self signed cert, you cant verify the identity of the signer/cert.

      Correct, and that's really all you're paying for when you buy a certificate from a CA: You pay enough money and provide enough documentation that they're confident you are who you say you are.

      With the possibility of a compromised CA, you have (essentially) the same problem.

      Almost correct. You can't really verify the identity, but your computer won't really even try because it trusts the compromised CA. The solution is to check revocation lists, but there are problems with that.

      What I would like to know is what (if anything) can be done to verify keys without a CA?

      Let each person be a CA. If I know you, I can sign your certificate myself. Anybody who knows me and trusts me would then trust you. Again, compromises are fixed by revocation and expiration, but the impact is somewhat less severe.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    17. Re:Self signed? by Anonymous Coward · · Score: 0

      My site has always used a self-signed certificate. It's not a problem because it's a small site used by 100 people. I had been considering buying a certificate from a commercial certificate authority until I heard about the NSA spying. On that day one of my first thoughts was that the commercial certificate authorities had probably been compromised, and I was glad that I hadn't spent my money.

      I'm surprised that this story took so long to come out.

    18. Re:Self signed? by Unordained · · Score: 4, Informative

      Self-signed is only fine if the client and server are in a trusted environment, exactly the environment where pre-shared keys are a possibility, so you should have loaded that cert into your client before attempting the connection.

      Barring that, and in the 99% of cases where clients are talking to servers out on the wide-open internet, CA's and the warning against self-signed certs serve a very good purpose -- preventing man in the middle attacks during handshake.

      If anyone (your ISP and the NSA included) hijacks your initial connection, proxies it, and substitutes their own cert, you need a way to know whether that cert is really from the destination site, or a phony. That's exactly the problem CAs solve. (Other solutions include "web of trust", pre-sharing all important keys, consensus methods, etc.)

      At worst, this news means that it's possible NSA (but probably nobody else) has been able to decrypt legitimately encrypted traffic (no MitM attack with substituted keys, just a tap using the real ones) for some services, or if they have CA keys, might have been able to issue their own legit-looking certs, which with some additional work, could have enabled them to perform MitM attacks on arbitrary sites and all of their users.

      But this does not mean that self-signed certs are just as good as CA-backed ones in a general sense; if you rely on those, without pre-sharing keys with all clients, then all clients are vulnerable to MitM attacks from anyone with access to modify the communication channel, not just the NSA. And considering the known issues with insecure DNS, that's a much wider field of potential attacks.

    19. Re:Self signed? by EvanED · · Score: 2

      Actual question: do the CAs even ever have access to the private keys?

      I'm pretty sure there's no technical reason they need them -- the CAs just need to attest to the public key, which they could do just by signing the public key. But that doesn't mean that's how the system is set up in practice, of course.

    20. Re:Self signed? by Anonymous Coward · · Score: 0

      But you can set up your own CA and use it to sign your own certificates, setting up a private chain of trust. Send the CA certificate to your users and have them trust it, then any certificate you signed with that CA is also trusted.

    21. Re:Self signed? by Anonymous Coward · · Score: 0

      By using a self-signed certificate, it is even easier for big brother to perform a man-in-the-middle attack. If you, as a user, are expecting a site to use a self-signed certificate, then how would you know if the server suddenly switched and started using a "different" self-signed certificate?

      The idea behind the private key is that a 3rd party proxy couldn't be inserted into your data stream and mimic your target website because it doesn't have access to the private key (and thusly can't decrypt the communication channel data in a time-efficient manner). If your cert is self-signed, then the proxy can use any self-signed cert that it wants and the end user won't get any more alerts than if they went to the website directly.

      Of course, this brings up the obvious conclusion that if there were enough computing resources brought to bear on the problem, then the communication channel data COULD be decrypted in a time-efficient manner (yes, even without the original private key). The next obvious question here is "how much computing power is that?" I honestly don't know the answer to that, but I am sure that it is a measurable amount.

    22. Re:Self signed? by Znork · · Score: 3, Interesting

      There's always the Convergence project (based on the previous Perspectives CMU work).

      Basically, instead of CAs you have notary servers that track changes to certificates and that you (your browser) contact to verify that they and you are seeing the same certificates.

      That way, if a MITM attack is ongoing it will, if targeting you specifically, probably show a discrepancy between the certificate presented to you and the one presented to them. If targeting the specific website and MITM'ing all connections to it, the only demonstration of a problem might be that the site suddenly appears to have a new certificate, but that would still most likely alert site operators who may be surprised to note a change they didn't make.

    23. Re:Self signed? by Speare · · Score: 3, Insightful

      Please see Schneier's paper on the "compelled certificate creation attack." Rather than asking a CA for the keys from Alice to Bob, they could compel a CA to vouch for an Alice to Eve, Eve to Bob connection as if it were Alice to Bob directly.

      --
      [ .sig file not found ]
    24. Re:Self signed? by TubeSteak · · Score: 2

      For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to take physical access to the server and to the private keys to compromise the system.

      Counterpoint:
      http://www.foreignpolicy.com/articles/2013/07/16/the_cias_new_black_bag_is_digital_nsa_cooperation?page=full

      During a coffee break at an intelligence conference held in The Netherlands a few years back, a senior Scandinavian counterterrorism official regaled me with a story. One of his service's surveillance teams was conducting routine monitoring of a senior militant leader when they suddenly noticed through their high-powered surveillance cameras two men breaking into the militant's apartment. The target was at Friday evening prayers at the local mosque. But rather than ransack the apartment and steal the computer equipment and other valuables while he was away -- as any right-minded burglar would normally have done -- one of the men pulled out a disk and loaded some programs onto the resident's laptop computer while the other man kept watch at the window. The whole operation took less than two minutes, then the two trespassers fled the way they came, leaving no trace that they had ever been there.

      Over the past decade specially-trained CIA clandestine operators have mounted over one hundred extremely sensitive black bag jobs designed to penetrate foreign government and military communications and computer systems, as well as the computer systems of some of the world's largest foreign multinational corporations. Spyware software has been secretly planted in computer servers; secure telephone lines have been bugged; fiber optic cables, data switching centers and telephone exchanges have been tapped; and computer backup tapes and disks have been stolen or surreptitiously copied in these operations.

      --
      [Fuck Beta]
      o0t!
    25. Re:Self signed? by tlhIngan · · Score: 2

      What I would like to know is what (if anything) can be done to verify keys without a CA? I don't know that much about crypto, so am genuinely curious. Are there techniques to do this? (Diffie-Hellman-Merkle?)

      Well, you can always fingerprint a key and verify with the owner of the site that the fingerprint is correct.

      The CA model is called a "web of trust" model - it relies on you trusting someone and then seeing if a key you've been given was signed by someone you trust. In the CA model, the CA signs public keys with their private key. Your browser looks at the certificate and sees if it can verify it against the pre-stored CA public key (you presumably trust the browser vendor to give you good keys - though you're able to import the CA cert yourself if you don't trust them). If so, it's considered "trusted".

      It's called a web of trust because it starts with someone. A more personal example would be your friend gives you his public key - you trust it because he physically handed it to you and for the most part, he appears to be himself. Now, your friend sends you some public keys online. You verify those keys against your trusted key you got earlier. If they match, you trust your friend has given you good keys. (This is the weakest link - which is why CAs get compromised).

      Of course, you can always verify the keys yourself - you can choose to meet with those people and compare the public keys you got (or a subset, i.e., the fingerprint).

      Basically, for public key encryption, the weakest link has always been trusting that the key you have is legit.

    26. Re:Self signed? by Anonymous Coward · · Score: 0

      How hard is it to set up a CA?
      At least that would mean that both the server and the CA would need to be hacked. Am I right?
      I understand that the CA needs to be added to the client as well. Maybe not that practical for browsers and web client/server applications but maybe for M2M?

    27. Re:Self signed? by Adnonify · · Score: 2

      You are better off this way (which I use, by the way): get some PKI-compliant smartcard, compile everything on an offline machine (drivers, pcsc / opensc) and then make the smartcard's crypto engine generate a private key and protect it with a PIN. Use the smartcard to hold the keys. Keep the card on you at all times. Cloak it by printing a bank logo on top! You can make 2 cards, one holding the CA, and you can vault that one (it has 3 PIN attempts after which the card's data is LOST) and use that card to sign some other certs for your SSH keys and others ;) It's secure, and if you modify the DF (filesystem) of the smartcard, any non-targeted attack against you, even when you connect it to a non-secure machine, will fail! Your private key will always stay safe. Y

    28. Re:Self signed? by skids · · Score: 1

      That would only be useful to forge certificates, and using such forged certificates would allow tracking of surveillance activities -- the provider would not see them in their own keyring, so if they were seen in the wild and came to a provider's attention, their natural reaction would be to accuse the CA of having been compromised... because you have no way of knowing it's the NSA that's doing it.

      Unless it totally sucks or is also hosting your SSL service, a CA neither needs nor asks for your private key, it just signs your public key.

      I wonder what the NSA would do were they to make such a request and the company were to reply that the private key has been ensconced in secure crypto hardware from which it cannot be downloaded and without which the web service would not function (or would have to change its keys).

    29. Re:Self signed? by leonardluen · · Score: 1

      Let each person be a CA [wikipedia.org]. If I know you, I can sign your certificate myself. Anybody who knows me and trusts me would then trust you. Again, compromises are fixed by revocation and expiration, but the impact is somewhat less severe.

      then you get something like the ebay problem where every review is AAAAAAA++++++++++++!!!!!!1!!!!one!!eleven!!
      and are useless

      just because i trust my friend doesn't mean i always trust him to show good judgement...how do i know he was of sound mind when he signed the cert for that tattoo parlor and came back with the pink bunny tattoo on his forehead?

    30. Re:Self signed? by Abalamahalamatandra · · Score: 4, Informative

      Actual answer: no.

      The CSR (Certificate Signing Request) contains only the public half of the key, to be signed by the CA's key which results in the CA attesting that the information is verified.

      The entity whose key was signed always maintains control of the private key. Which, to me, is the reason that public-key encryption is not "over". The NSA would have to strong-arm every single holder of an SSL key, not just the Certificate Authorities.

      Granted, though, those private keys are not often held terribly securely - they're most often just files on a server that aren't even password-protected, because that requires an admin to type in passwords whenever the Web server is restarted. They COULD be held in an HSM, a hardware security module much like a TPM on steroids, but that's very expensive and difficult to set up.

      However, none of this means that public-key crypto is broken. It's possible that individual sites could be compromised via this route (Facebook, Google, etc) but as a whole, no.

    31. Re:Self signed? by spottedkangaroo · · Score: 1

      http://convergence.io/ is the real solution

      --
      Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    32. Re:Self signed? by EvanED · · Score: 2

      because the CA is just one extra link in the chain to be broken.

      No, no it isn't. Not really.

      According to this post, this post, and my own intuition, CAs never see your private keys. A CA cannot reveal more information than is known publicly anyway, even if they are thoroughly malicious. The most you could argue about the standard set up is that CAs give a false sense of security.

      I can only think of one attack that could occur with CA-signed certificates but not with self-signed certs. If you remove all default CAs from being accepted and just store the fingerprint of the public key (e.g. what happens with SSH), then it becomes impossible for the real amazon.com public key to be silently substituted with an imposter (but malicious-CA-cleared) amazon.com public key. But if you don't clear out your list of CAs, there is no hard benefit to be gained here.
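
The two points made above, that a CSR hands the CA only the public half of the key (comment 30) and that pinning the public key SSH-style is what catches a certificate issued for the same name by another trusted CA (comment 32), as an added Go example that is not from the original thread; the CA names, host and serial numbers are constructed for it, and everything stays in memory.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // any failure in this in-memory demonstration is fatal
	}
	return v
}

// NewKey generates a P-256 key pair; the private half is what a CA never receives.
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// signCert has the holder of priv sign tmpl for public key pub, then parses the result.
func signCert(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// NewCA builds the self-signed "root of trust" the thread describes (names are constructed).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return signCert(tmpl, tmpl, &key.PublicKey, key), key
}

// MakeCSR is the operator's side: public key plus a self-signature proving possession of the private key.
func MakeCSR(host string, key *ecdsa.PrivateKey) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// CSRDisclosesPrivateKey reports whether the private scalar appears anywhere in the encoded request.
func CSRDisclosesPrivateKey(csrDER []byte, key *ecdsa.PrivateKey) bool {
	return bytes.Contains(csrDER, key.D.Bytes())
}

// Issue is the CA's side: verify the CSR's self-signature, then bind the name to the requester's public key.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // the requester could not prove it holds the private key
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return signCert(tmpl, ca, csr.PublicKey, caKey), nil
}

// SPKIPin hashes the public key (not the whole certificate), so a renewal for the same key still matches.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

type Check struct {
	ChainValid bool // chains to a CA in the trust store: all a stock browser decides on
	PinMatches bool // public key equals the stored pin: the extra check pinning adds
}

func CheckCert(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) Check {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Check{ChainValid: err == nil, PinMatches: SPKIPin(leaf) == pin}
}

// Scenario: the site's CA issues its certificate from a CSR; a second CA, equally trusted by the
// client, issues one for the same name but a different key. Only the stored pin tells them apart.
func Scenario(host string) (legit, impostor Check) {
	siteCA, siteKey := NewCA("Example Site CA")
	otherCA, otherKey := NewCA("Example Other Trusted CA")
	roots := x509.NewCertPool()
	roots.AddCert(siteCA)
	roots.AddCert(otherCA)
	siteCert := must(Issue(siteCA, siteKey, MakeCSR(host, NewKey()), 2))
	pin := SPKIPin(siteCert) // recorded by the client on first contact or out of band
	fakeCert := must(Issue(otherCA, otherKey, MakeCSR(host, NewKey()), 3))
	return CheckCert(siteCert, roots, host, pin), CheckCert(fakeCert, roots, host, pin)
}
```

Both certificates pass ordinary chain validation; only the pin check rejects the one issued for a different key.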

    33. Re:Self signed? by X.25 · · Score: 2

      Does this mean a self-signed certificate is more secure than a commercial one?

      I have spent almost 10 years of my life trying to explain to people why self-signed certs are much more secure.

      People don't care.

    34. Re:Self signed? by citizenr · · Score: 1

      They already have access to commercial ones and can decrypt those :)

      --
      Who logs in to gdm? Not I, said the duck.
    35. Re:Self signed? by Unordained · · Score: 1

      In any case this doesn't change the old fact that a self-signed cert is at least as good as an unsecured connection and browsers should stop throwing a shit-fit when they run into one.

      If you think browsers should instead always notify you when using a trusted CA-signed cert ("Congratulations! This site appears to actually be legit!"), with the default for self-signed and unencrypted communications being silence, yeah, I can kinda see your point. You should default to paranoia, right?

      Otherwise, no; the warning issued on self-signed certs is useful because the browser doesn't know ahead of time whether a given site ought to have a CA-signed cert or not; assuming that most will, this is your first clue that your connection to amazon.com may have been compromised by a MitM attack, and what they thought was a secure channel for payment information is not only potentially vulnerable to snooping or modification, but probably being specifically hijacked for some nefarious purpose. That's some important stuff right there.

    36. Re:Self signed? by Abalamahalamatandra · · Score: 2

      If the data is that confidential, you should probably look into an actual FIPS-certified network-connected HSM instead of rolling your own.

      I did a project a few years back using nCipher NetHSMs (they've since been bought up, I believe) and they were quite cool technology. Even then, I think one of these devices was in the $25K range at most.

      The great thing is, if you generate a key pair with one of these, you literally cannot get access to the private key to hand over to the government, even if you wanted to.

    37. Re:Self signed? by Anonymous Coward · · Score: 0

      Does no one know what a self-signed certificate is any longer?

      Running your own CA is not the same as using a self-signed cert.

    38. Re:Self signed? by Damouze · · Score: 1

      I would not be surprised to see that the NSA - or any other nation's intelligence service - can devise ways to make you think (and take it for a fact) they are whoever they tell you they are.

      As for certificates and CAs: certificates, keys and CAs are about building trust. Between the service provider on one end for example, and its customers on the other. The Certificate Authority asserts that the service provider is who it claims to be, and another Certificate Authority (or maybe even the same - the root CA is in many cases one of a very select few) asserts that about the customer(s). There is a bond of trust between the two parties that enables them to communicate freely, but in a (more or less) private manner.

      If you want, you can be your own root CA, as long as you are your only service provider or can convince others you are trustworthy enough that they believe you are who you say you are. They, as the consumers of your public key, have to be trustworthy enough to you that you believe they are who they say they are and that you entrust them with your public key. By the way, while in theory that should provide an excellent basis for secure communications, in practice it turns out to be a rather awkward weakness. People are gullible. But more about that later.

      Self-signed certificates are just that. Nothing more, nothing less. You are your own Certificate Authority. If it's just communications between the email server you host at your end of the internet and your smartphone, the connection between those two endpoints is pretty much secure and unless you're suffering from severe paranoia, you obviously trust yourself. But then again, with email, you would worry less about other people accessing your emails in their central data store or intercepting them during your (secured) IMAP session than you would about the fact that SMTP is still, pretty much, plain text. Provided your own SMTP host is entrusted similarly to your IMAP host, with a self-signed key and secured through, e.g., SSL and some sort of authentication barrier, the emails you send are secure until they reach your SMTP host. Everything beyond that is up to the next SMTP host in the chain.

      No IP connection - even encrypted ones - is ever one hundred percent secure. It is a safe bet that someone with enough computing power (e.g. the NSA in any case) will always be able to crack whatever (published) encryption scheme you apply to your communications. Moreover, the weakest link in any so-called secure connection is always the user. He or she can be sloppy with regard to the choice of his or her passwords, or have noted them onto a post-it glued to his or her TFT screen, etc. He or she could also be the victim of a phishing event or of social engineering ("Hello? Am I speaking to this-and-this-person? Yes? My name is so-and-so and I've recently joined your company. Would you please be so kind as to reset my password? I seem to have forgotten it. Ah yes, thank you! Have a nice day!"). Did I mention that people are gullible?

      To sum up: the concept of certificates and certificate authorities as a basis to build up trusts is in theory a very strong one. However, its strength is also its weakness. It can be subverted to its own antithesis: anyone convincing enough can abuse his position within the chain of trust to his own ends if he, she or it is clever enough.

      --
      And on the Eighth Day, Man created God.
    39. Re:Self signed? by Sarten-X · · Score: 1

      How do your users know that the certificate you sent them is really from you?

      --
      You do not have a moral or legal right to do absolutely anything you want.
    40. Re:Self signed? by GameboyRMH · · Score: 1

      If you think browsers should instead always notify you when using a trusted CA-signed cert ("Congratulations! This site appears to actually be legit!"), with the default for self-signed and unencrypted communications being silence, yeah, I can kinda see your point. You should default to paranoia, right?

      That's what I was thinking, and modern browsers are already halfway there with the address bar lighting up in a bright color on signed HTTPS connections.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    41. Re:Self signed? by Anonymous Coward · · Score: 0

      Let each person be a CA.

      Yep, that's secure. Right. You want me to trust people my friends and family tell me I should trust? Like it's their job to make sure I'm not screwed by a random fraudster? Why, sign me up!

      For most people, their bank should be their (only) CA. People are already giving banks all their money and personal info anyway, so certs look like a small extension of trust. Now just persuade the banks...

    42. Re:Self signed? by omnichad · · Score: 1

      If you have the CA's own key, you can generate a fake certificate that looks real in every way to the browser. You would be encrypting with a different private key when communicating with the visitor's browser. The user just wouldn't know since they're decrypting with their own key.

    43. Re:Self signed? by EvanED · · Score: 1

      If you have the CA's own key, you can generate a fake certificate that looks real in every way to the browser.

      And if you want to attack a site using a self-signed cert, you can generate a fake certificate that looks equally-fake in every way to the browser. Same deal.

      The only place where self-signed certificates are more secure is if you have an out-of-band method for transferring your public keys (or transferring a fingerprint or other assurance that public keys sent over an insecure medium are correct) to every place they are needed.

      If you run a reasonably small organization, this is feasible. If you want to run, say, a web business, it is not, and CA certificates are more secure.

    44. Re:Self signed? by omnichad · · Score: 1

      As long as you have the CA's key, you can sign your own private key to execute a MITM attack. You don't need to have the real private key to do this. In the middle, you decrypt and re-encrypt before sending packets along. The site visitor doesn't know if they're connecting to the "correct" private key. There's no way to know that. They just know they're connecting to a site that's using a public key that has also been used to sign a certificate.

      And since your certificate is unknown to the CA, it won't be in any certificate revocation lists, either.

    45. Re:Self signed? by Anonymous Coward · · Score: 0

      The NSA can do absolutely nothing with a CA's signing authority that they can't do without. All the CA does is promise that the server is really who it says it is; if the NSA could forge their signature, they could do MITM attacks, which is exactly what they can do with a self-signed certificate.

    46. Re:Self signed? by Anonymous Coward · · Score: 0

      Yep, that's secure. Right. You want me to trust people my friends and family tell me I should trust? Like it's their job to make sure I'm not screwed by a random fraudster? Why, sign me up!

      i just met this Nigerian Prince online, he says he will send me lots of money if i help him.

      i think you should trust him!

    47. Re:Self signed? by omnichad · · Score: 1

      Because you can add the self-signing CA to your browser and not get security warnings unless the server suddenly switched.

      A third party proxy doesn't need the private key to decrypt the data. They are the end-user from the server's perspective and so they can use their own key to decrypt it. Then they would re-encrypt it using their own private key. But since they presented their own certificate to the victim, that's irrelevant. If it went from a known self-signed cert to something else, a user would know if they stored the original cert to their trusted list.

    48. Re:Self signed? by Anonymous Coward · · Score: 0

      internet and your smartphone, the connection between those two endpoints is pretty much secure and unless your suffering from severe paranoia

      Worst Example Possible. There are already script-kiddie proxies designed to capture traffic on coffee shop wi-fis; these could easily be extended to MITM your self-signed cert.

    49. Re:Self signed? by Sarten-X · · Score: 2

      I work in finance. Until recently, my company had several million dollars being controlled through a bank whose website required exactly 6-character passwords, which they'd happily send to you in plaintext via email if you forgot it.

      No, I do not want to trust banks with information security.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    50. Re:Self signed? by omnichad · · Score: 1

      It doesn't necessarily have to be out-of-band. If it's a consistent group of users there from the beginning, they would all trust the original certificate once and still be notified by the browser if they're presented with a self-signed cert they don't already trust.

      I never said that self-signed was more secure. I was responding to you claiming that CAs weren't another link in the chain to be broken. It is. Why else would you now say that CA certificates were more secure if they weren't another link in the chain of security?

      If you have fingerprints that are stored, then Amazon suddenly has to look untrusted if they change their private key for any reason whatsoever. And they'd have to have an out-of-band method of notifying users that their private key changed for a legitimate reason.

    51. Re:Self signed? by EvanED · · Score: 1

      As long as you have the CA's key, you can sign your own private key to execute a MITM attack. You don't need to have the real private key to do this. In the middle, you decrypt and re-encrypt before sending packets along. The site visitor doesn't know if they're connecting to the "correct" private key. There's no way to know that. They just know they're connecting to a site that's using a public key that has also been used to sign a certificate.

      That much I knew, but that's still a much smaller attack surface than what you could do if you had the private key, because you need to be able to carry out a MitM.

      From a general perspective, eavesdropping is a lot easier than actually taking an active role. For example, when you're connected to some public wi-fi network it's easy to sniff packets but much more difficult or maybe impossible to carry out a MitM if you're just some third party without network access. (Hopefully, anyway? actually I wouldn't be surprised if that's not true -- seems to ring a bell.) From the perspective of something like the NSA, it means you can't just get a giant pipe of lots of data and go back and decrypt it later if 2 years down the road you say "huh, this guy is suspicious; i wonder what he was doing 2 years ago"; if you want to be able to do that, you have to MitM them now. Slurping down tons of existing traffic for storage and later analysis is something I wouldn't be surprised if the NSA does -- but the capabilities of doing MitM on the same scale are almost certainly not present.

    52. Re:Self signed? by SuricouRaven · · Score: 1

      It'd be easy enough to sign a false certificate though. If done on a large scale it'd be noticed eventually, but as a targeted intercept just on a few individuals it'd work.

    53. Re:Self signed? by Sarten-X · · Score: 2

      Not to sound dismissive, but that's an implementation detail. PGP uses a system of partial trust, though its particular implementation I don't know.

      I do recall some (long-outdated) research into this particular problem, where a trust network didn't simply have "trust" or "do not trust". Rather, it maintained a percentage of trust - each hop in a chain decreased the total trust in the chain, but each separate path increased it. At the end of the chain, the client could compute exactly how much a particular server should be trusted, based on the whole network.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    54. Re:Self signed? by Anonymous Coward · · Score: 0

      The biggest problem for the CA is that it will immediately go out of business when it is discovered that their key has signed a fake key.
      At least that is how it should be; a good example is the Dutch CA.

    55. Re:Self signed? by mattpalmer1086 · · Score: 2

      Good question. The short answer is that they don't know it's really from you. A root CA certificate is the root of trust - it is self signed by the CA. It cannot by itself prove it is genuine.

      In a corporate environment where you control the infrastructure you could automatically distribute the root certificate to your users with group policy or some other trusted distribution mechanism. If you don't control the infrastructure, then you would need some other out-of-band method to assert that cert is genuine. Maybe you could publish a hash of the certificate on a web site you control or in some other place they already trust.

      It's not turtles all the way down...

    56. Re:Self signed? by omnichad · · Score: 1

      Well of course it requires a MITM attack. Same scale as non-SSL or not, they can still pick a large number of targets. To do MITM on a wifi network, you can probably still intercept the encrypted data for MITM by spoofing ARP data faster than the router/AP/switches can provide it.

    57. Re:Self signed? by Roogna · · Score: 1

      Well at least with the majority of my e-mail, that would mean they'd have to ask -me- for that key. Since I operate the server.

      Which is fine, I'd be happy to send it to them... of course, I'd generate new keys before doing it. But they can have the old one if they like.

    58. Re:Self signed? by matthewv789 · · Score: 1

      Why wouldn't it be trivial for NSA to create their own self-signed key for your domain and use it in a man-in-the-middle attack?

      When it comes to them getting the certificate through legal means, it sounds from this as if they are doing it by going directly to each company, which could mean you'd be required to cough up your self-signed key if they had the legal force to compel it.

      Now in the case where they might go to a certificate signing authority and ask for your keys so they can silently snoop on your traffic (even stored traffic after the fact) without your knowledge, that might be where there's a vulnerability in a key signed by a CA, because someone outside your business has knowledge of it. However, using Perfect Forward Security features of SSL/TLS could prevent this from being a problem except in an actual man-in-the-middle attack.

    59. Re:Self signed? by the+eric+conspiracy · · Score: 1

      How do you know the CA's don't get their keys from the NSA in the first place?

    60. Re:Self signed? by EvanED · · Score: 1

      It doesn't necessarily have to be out-of-band. If it's a consistent group of users there from the beginning, they would all trust the original certificate once...

      ...and how are they going to get it in a trustworthy way that first time?

      I was responding to you claiming that CA's weren't another link in the chain to be broken. It is.

      Maybe my phrasing wasn't the greatest before. I'll try again:

      CAs are a link in the security chain. However, if you break that link, what you're left with is exactly what you would have in the first place if you use self-signed certs.

      Your final point (the example with Amazon) is somewhat reasonable, but that's considering a different world where no one is using CAs. (If you use a self-signed cert and the NSA replaced it with a CA-signed cert, I suspect the browser would just let that go and not notify you.) Which leads to the point of my replies: if you want to set up a website for arbitrary users to connect to and want to use SSL, CA-signed certs are strictly more secure than self-signed certs.

    61. Re:Self signed? by EvanED · · Score: 2

      And BTW, my interpretations on the italics point and my final "in this world" were formed by i kan reed's original post;

      That's actually been my opinion a while. When Firefox tells me "This connection may not be trusted" I'm less inclined to worry, because the CA is just one extra link in the chain to be broken.

      That opinion is not based in reality.

    62. Re:Self signed? by SuricouRaven · · Score: 1

      Diffie-Hellman lets you securely communicate over a monitored channel, but it can't protect against an attacker actively altering traffic.

    63. Re:Self signed? by omnichad · · Score: 1

      You're right about that. But the CA is still just one link in the chain, of course. Just a very / the most important one.

    64. Re:Self signed? by EvanED · · Score: 1

      I'm not claiming that MitMs aren't possible, even on a large scale. What I'm claiming, and I stand by it, is that the number of connections that can be successfully MitM'd is almost certainly far smaller than the number of connections that can be eavesdropped upon.

      That'd be an interesting paper actually, comparing the resource requirements. I'm not a networking guy so I don't know though.

    65. Re:Self signed? by Anonymous Coward · · Score: 0

      what's the first rule of Fight Club?

    66. Re:Self signed? by jimicus · · Score: 1

      As long as you have the CA's key, you can sign your own private key to execute a MITM attack. You don't need to have the real private key to do this. In the middle, you decrypt and re-encrypt before sending packets along.

      A thought that occurs.

      You don't need the CA's key. You need a CA's key. Any that is widely accepted would do.

      How many systems do you know publicly announce through a channel separate to SSL what the chain of trust should look like and the checksum of the certificate they use? And even if it was commonplace, checking it certainly isn't - and wouldn't be unless it could be automated.

    67. Re:Self signed? by alostpacket · · Score: 1

      Ah ok, thanks :)

      --
      PocketPermissions Android Permission Guide
    68. Re:Self signed? by omnichad · · Score: 0

      That's VERY true.

    69. Re:Self signed? by chihowa · · Score: 1

      If the private SSL keys are really handed over, convergence won't detect a thing. The man-in-the-middle will be using the exact same keys and the certificates will look identical. Or, the entire session can simply be observed and decrypted on-the-fly. There's no simple and reliable way to detect interception like this.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    70. Re:Self signed? by Lehk228 · · Score: 1

      A self-signed cert, imported into the browser, plus disabling all built-in CAs is the only way to be safe.

      --
      Snowden and Manning are heroes.
    71. Re:Self signed? by ruir · · Score: 1

      Exactly what I was thinking. However, the major browsers probably have remote holes too.

    72. Re:Self signed? by Anonymous Coward · · Score: 0

      The only place where self-signed certificates are more secure is if you have an out-of-band method for transferring your public keys (or transferring a fingerprint or other assurance that public keys sent over an insecure medium are correct) to every place they are needed.

      If you run a reasonably small organization, this is feasible. If you want to run, say, a web business, it is not, and CA certificates are more secure.

      You could publish your public key in a newspaper such as the NYT or the UK's Guardian, or just the hash of the key, and let it be known on your website that the key can be found there.

    73. Re:Self signed? by chihowa · · Score: 1

      PKI isn't over, but the deeply flawed system of everybody trusting a massive list of opaque CAs is (hopefully) over.

      The CA system requires that we trust an ever increasing number of governments and companies, and if any one of them is untrustworthy, an attacker can present a legitimate certificate to any end user who isn't keeping track of fingerprints. Some companies, like Google, switch certificates so often, it's impossible to keep track of fingerprints anyway. Every other connection I make to Google uses a different certificate, and my browser doesn't even hesitate to trust them all.

      A web of trust is a technically better solution, though I don't think my grandmother would like it, but it's been clear for a long time that the CA system is a joke.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    74. Re:Self signed? by nullchar · · Score: 1

      TFA is talking about the private keys to the Certificate Authorities, not the private keys of each individual SSL certificate.

      Convergence.IO totally helps here -- assuming you can trust the end service provider to not give up their SSL cert keys. All the big providers have allowed internal taps into their data, so it doesn't matter if they shared their keys or not. But small providers and peers could be trusted with Convergence.

    75. Re:Self signed? by nullchar · · Score: 1

      Except the DNSSEC root keys (and common gTLD keys like .com) have been compromised along with the CA keys. Now you just MITM the DNS request and forge the cert.

    76. Re:Self signed? by nullchar · · Score: 1

      Derp, the TFA was talking about end service provider's private keys to their SSL certs. But with internal taps behind the SSL gateway, I don't see how it matters....

    77. Re:Self signed? by Burz · · Score: 2

      CAs including Verisign actually advertise the fact that they provide "lawful intercept" services. IOW, they cooperate with the spies and I assume they don't have to give up their master keys to the NSA in order to assist with MITM attacks. CAs are in the business of intercepting our communications.

      All they have to do is keep a database of bogus certs for the addresses they verify, and perform a verification against a bogus cert for particular user IPs on a surveillance list supplied by the spies. Then all the NSA has to do is get in the middle between the user and the server he is accessing.

      People may think that PKI is the strong link because CAs cannot access the website's private keys. But I believe it is the weak link, because all the spies have to do is share a list of bogus 'doppelganger' private keys with CAs, who then sign the certs generated from them. Undermining PKI is the easy part if you have cooperation from CAs. It's the physical part of MITM that is more challenging, IMHO, which may be why the NSA finds it simpler to get the private keys from high-volume sites, allowing them to simply record packets instead of doing the work of singling people out for MITM sessions ahead of time.

    78. Re:Self signed? by ron_ivi · · Score: 2

      That's exactly the problem CAs solve.

      That's exactly the problem the commercial CA's *cause* when they co-operate with oppressive governments. http://arstechnica.com/security/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users/

      Gov't, certificate authorities conspire to spy on SSL users ... which meant that CAs must be handing over certificates so that they could be used with the device.

    79. Re:Self signed? by Anonymous Coward · · Score: 0

      no

    80. Re:Self signed? by Marillion · · Score: 1

      No. The weakness isn't the certificate. Certificate authorities never need the private keys of the certificates they generate. In an RSA-based SSL handshake, the client creates a one-time random number to be used as the key in a conventional cipher used to protect the SSL session. The weakness is this: the client uses the public key of the certificate to encrypt the session key. The server private key is then used to decrypt the session key. If someone is able to capture and store an SSL session, AND had the server private key, they could use the server private key to deduce the session encryption key and decode the session. SSL and TLS use better key exchange methods that depend on the server private key. The server private key is only used to validate the identity of the server. Diffie–Hellman key exchange doesn't use the server private key and therefore can't be used to deduce the session key. This is called Perfect Forward Secrecy. Use it.

      --
      This is a boring sig
    81. Re:Self signed? by Marillion · · Score: 1

      Once the computationally expensive public/private key exchange is done, the rest of the SSL session uses fast conventional encryption. Fast conventional encryption requires that both ends know the same secret conventional key. The real weakness in SSL / TLS is in RSA key exchange. The certificate public key is used to securely share the conventional key. Anyone with the private key can derive the conventional cipher key and decode the data, either in real time or from a stored wiretap years after it was collected. TLSv1.1 and TLSv1.2 support forms of key exchange that don't use the server private key and aren't vulnerable to this.

      --
      This is a boring sig
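The two Marillion comments above contrast RSA key transport with ephemeral Diffie-Hellman. Here is an added Python model of that contrast (not code from the thread or from any TLS implementation), using constructed toy parameters: textbook RSA on small Mersenne primes, a 127-bit DH group, and SHA-256 standing in for the TLS key derivation. It needs Python 3.8+ for the modular inverse via `pow(e, -1, m)`.

```python
"""Toy model: the server's long-term private key unlocks a *recorded* RSA
key-transport session, but not a recorded ephemeral-DH session.
Every parameter here is constructed for illustration (tiny keys, textbook RSA,
no padding, no nonces); this is not TLS and is unsafe for real use."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Long-term server key: toy RSA built from two Mersenne primes (real keys: 2048+ bits).
P_RSA, Q_RSA = 2**61 - 1, 2**89 - 1
N_RSA = P_RSA * Q_RSA
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))   # private exponent, Python 3.8+

# Toy Diffie-Hellman group (real TLS: 2048-bit FFDHE groups or ECDHE curves).
P_DH = 2**127 - 1
G_DH = 3


def session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key derivation: hash the shared secret to a 256-bit key."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def rsa_key_transport() -> Tuple[Dict, bytes, bytes]:
    """RSA key exchange: the client picks the premaster secret and encrypts it to the
    public key in the server's certificate. Returns (wire transcript, client key, server key)."""
    premaster = secrets.randbelow(N_RSA)
    encrypted = pow(premaster, E_RSA, N_RSA)        # the one secret-bearing message on the wire
    server_view = pow(encrypted, D_RSA, N_RSA)      # server recovers it with its private key
    transcript = {"kx": "rsa", "encrypted_premaster": encrypted}
    return transcript, session_key(premaster), session_key(server_view)


def sign(value: int) -> int:
    """Toy RSA signature over SHA-256(value): the long-term key only authenticates here."""
    digest = int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big")
    return pow(digest % N_RSA, D_RSA, N_RSA)


def verify(value: int, signature: int) -> bool:
    """Check a toy signature against the server's public key."""
    digest = int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big")
    return pow(signature, E_RSA, N_RSA) == digest % N_RSA


def ephemeral_dh() -> Tuple[Dict, bytes, bytes]:
    """DHE key exchange: both sides pick fresh exponents; the server signs its public
    share so the client knows who it is talking to. The private key never touches
    the shared secret, which is what gives forward secrecy."""
    a = secrets.randbelow(P_DH - 2) + 1             # server ephemeral exponent
    b = secrets.randbelow(P_DH - 2) + 1             # client ephemeral exponent
    server_share, client_share = pow(G_DH, a, P_DH), pow(G_DH, b, P_DH)
    signature = sign(server_share)
    if not verify(server_share, signature):         # client authenticates the server share
        raise ValueError("bad signature on server share")
    transcript = {"kx": "dhe", "server_share": server_share,
                  "signature": signature, "client_share": client_share}
    client_key = session_key(pow(server_share, b, P_DH))
    server_key = session_key(pow(client_share, a, P_DH))
    return transcript, client_key, server_key


def passive_recovery(transcript: Dict, leaked_private_key: int) -> Optional[bytes]:
    """An observer who stored the transcript and later obtained the server's private key.
    RSA: decrypting the stored premaster yields the session key, however old the capture.
    DHE: the transcript holds only g^a, g^b and a signature; the exponents died with the
    session and the signing key cannot derive them, so nothing is recovered. Only an
    active interposition at connection time would help, which is far more detectable."""
    if transcript["kx"] == "rsa":
        return session_key(pow(transcript["encrypted_premaster"], leaked_private_key, N_RSA))
    return None
```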
    82. Re:Self signed? by Damouze · · Score: 1

      That's a whole different story. See the remark later in my post.

      Note that I said 'pretty much secure', not '100% secure'. Also, it seems logical to me that when you are so conscious about security, you would not necessarily trust a wifi network that is not secured with at least some sort of key.

      Again, every encryption scheme can ultimately be broken. It is just a matter of computing power and patience.

      --
      And on the Eighth Day, Man created God.
    83. Re:Self signed? by gnasher719 · · Score: 1

      As long as you have the CA's key, you can sign your own private key to execute a MITM attack. You don't need to have the real private key to do this. In the middle, you decrypt and re-encrypt before sending packets along. The site visitor doesn't know if they're connecting to the "correct" private key. There's no way to know that. They just know they're connecting to a site that's using a public key that has also been used to sign a certificate.

      So as a practical example, if the NSA had the private keys used by the CA that Amazon is using, they wouldn't be able to get Amazon's private keys, and they wouldn't be able to decode any traffic between you and Amazon that happened before. However, they could create a fake Amazon certificate that looks absolutely genuine to your browser, pretend to you to be Amazon, pretend to Amazon to be you, and listen in.

      A partial solution would be if big sites like Google, Amazon, Facebook etc. published their certificate, your browser stored that certificate, and if your browser wouldn't accept real-looking certificates for these sites but only the exact same certificate (don't know how exactly that would be done technically, but it should be possible). Of course if they can pressure a CA into handing over their private keys, they can pressure these big sites as well.

    84. Re:Self signed? by spottedkangaroo · · Score: 1

      False. The various endpoints will and won't have man in the middle in place and won't match. That is the point of convergence. It works with CA signed keys, regular, and with trusted and untrusted convergence nodes. It's the solution to everything except the case where the bad guys own your entire internet connection.

      --
      Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    85. Re:Self signed? by Anonymous Coward · · Score: 0

      PGP is web-of-trust. CA infrastructure is chain-of-trust.

      One of these reacts better when one node is found to be untrustworthy.
      The other has hierarchical power so the closer to the root you are, the more harm you can do.

    86. Re:Self signed? by Anonymous Coward · · Score: 0

      Lurid, alarming browser warnings about the untrustworthiness of an SSL website will trump even existing trust in a known legitimate site in the typical clueless luser's mind. This is by monopolist design. I mean, GASP!, somebody could be trying to impersonate the site!!!! What should I do? What SHOULD I do!? "Get me out of here!" is the expected response.

      CA's and certificates are a bigger racket even than telecom itself, and CA's are following the telecom industry's practice of nickel-and-dimeing (more like, dollaring) everything that can be bracketed out as an identifiable service, feature, or certificate field, "that would be free if it weren't run by a bunch of profiteering gluttons."

      Oh, don't worry, most major ISPs and other service operators, will never give up their private keys without wads of cash and waivers of liability, just like they would never let customer metadata or content be collected by third parties without due process. Why, don't be silly. And, of course, do not use Joe's Internet Onramp or other such shady, small-time, mom-and-pop, lo-budget(!) operators.

      Why do you think OpenCA has never made it, last time I checked, to any of the major browsers? As always, though, some browsers are free software, and you are free to include the CAs you wish, and even programmatically deal with them on a case-by-case basis, as you or some community wishes, and then provide the customised software to your customers. So, like they say, "Use the source, Luke."

    87. Re:Self signed? by Anonymous Coward · · Score: 0

      That's all very sensible and correct. In a general sense, like you say. What I object to is that your and my $$$ are to be used to spy on communications you or I might have to pay 100's of $$$ and up, per website or service, to secure for our customers. More if we want to provide assurance of legitimate commercial identity for our users. And so on. This is a fucking criminal extortion racket, with fraud on top! We have to pay to secure, and then pay to have the security compromised or broken.

      Tim May was right.

    88. Re:Self signed? by fulldecent · · Score: 1

      This is the attack most people are afraid of. But just one commission of this act by anyone anywhere will produce irrevocable evidence of foul play.

      --
      -- I was raised on the command line, bitch

    89. Re:Self signed? by Anonymous Coward · · Score: 0

      Not to mention the NSA has been compromised. And I don't mean Snowden. I'm sure that's a concern for the clueless, though. Or the disingenuous.

    90. Re:Self signed? by chihowa · · Score: 1

      You guys all seem to have missed what the article was actually talking about. It's not saying that the CA signing keys are being turned over. It's saying that the private keys from individual web services are being handed over.

      Convergence tests for changes in the certificate presented by the web service, which fixes the gaping hole in the CA system whereby any CA can vouch for any server and the browser will implicitly trust the certificate (even if the certificate changes or different people get different certificates).

      In the case that this article is discussing, the certificate presented will be identical to the previous certificate, so there is no telltale certificate change to catch. A MitM attack will thus be nearly invisible to the end user (the apparent hostname, IP, and certificate will match what the user expects to see, only latency to the host will change and that's hard to pinpoint). Convergence will not catch a MitM attack that is using the web service's private keys.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    91. Re:Self signed? by Anonymous Coward · · Score: 0

      A wild card cert is a lot cheaper than that.
      $600 is closer to what they actually cost.

      Per year.

      Because certificates naturally decay and after a year are useless, don't you know.

    92. Re:Self signed? by multi+io · · Score: 1

      Does this mean a self-signed certificate is more secure than a commercial one?

      If you run a server for your own organization, e.g. a VPN service -- sure. If you're setting up a webserver for the general public -- probably not. You'd just scare away 99% of your users because browsers throw glaring red warnings at them. And this FBI/NSA demand doesn't have much to do with signatures anyway -- they want you to hand them your server's private key directly. At which point the signature wouldn't matter much anymore.

    93. Re:Self signed? by Anonymous Coward · · Score: 0

      ...and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location.

      Normally end entities generate their own private/public key pairs. The public key is wrapped in a Certificate Signing Request, along with identifying information, and the CA then uses its private key to sign it, resulting in a certificate, which is simply the end entity's public key plus ID info plus a signature. It's common to keep the root CA offline and air-gapped, but you'd still need an intermediate/subordinate/issuing CA to handle the day to day signing of certs and CRLs.

    94. Re:Self signed? by OdinOdin_ · · Score: 1

      No. Even with a commercial one you always keep the private key part and never disclose it to the CA.

      The point in the summary is that the "authorities" contact you (under threat of violence) to obtain the private key part from you, so they can setup their own SSL endpoint to pretend to be you without the other end knowing.

      So even with a self-signed the same process applies in this case.

      The problem with commercial ones is that the NSA can approach the CA directly and have them reissue a cert made out to you for which they already have and provide to the CA the new private key. Now there are 2 certs out there that clients accept with your name inside them.

      I believe Google has a mechanism now to actually check against a known valid list of certs it will accept when their own name is listed as the subject of the certificate.

  3. Time To Learn Klingon by Anonymous Coward · · Score: 2, Funny

    Time to learn Klingon, or invest in carrier pigeons and a Little Orphan Annie decoder pin.

    I wonder if our government will be responsible for single handedly killing our consumer tech industry.

    1. Re:Time To Learn Klingon by Sparticus789 · · Score: 5, Funny

      We're talking about the NSA. Half of them probably play Klingon Boggle at lunch.

      --
      sudo make me a sandwich
    2. Re:Time To Learn Klingon by Anonymous Coward · · Score: 1

      Time to learn how to go Klingon on these government asshats.

    3. Re:Time To Learn Klingon by Anonymous Coward · · Score: 0

      Klingon Boggle works like regular Boggle, but when you shake the container it pronounces the words contained within.

  4. A "problem," you say? by meta-monkey · · Score: 2, Insightful

    Of course encryption is a problem for them. It's the same problem Allied intelligence had acting on information that could only be attained because Enigma was broken.

    --
    We don't have a state-run media we have a media-run state.
    1. Re:A "problem," you say? by meta-monkey · · Score: 1

      To be honest, I have no idea why I got modded as "Troll."

      The "problem" with encryption could very well be that the NSA has, in fact, made breakthroughs in easily cracking most regular encryption systems, and are decrypting your SSL communications easy as pie. However, if they were to act on something that could ONLY have been learned by decrypting your SSL communications, that would give away their advantage, and make people consider other systems. Just like how in WWII, the Allies had to be careful about acting on information they only got via Ultra, so, for instance, they might know where a German sub was because they cracked Enigma transmissions, but they would have to have a scout plane "conveniently" spot it, and the Germans be aware the plane saw them before the Allies could send a destroyer after them, or else they'd know Enigma was made.

      --
      We don't have a state-run media we have a media-run state.
  5. Quantum Cracking by Anonymous Coward · · Score: 0

    If they don't already have it, then they'll probably soon have the ability to crack traditional encryption methods using quantum cracking algorithms. Our only hope then is post-quantum cryptography.

    Distinct from quantum cryptography--which is the practice of using quantum computing algorithms for encryption--post-quantum cryptography refers to encryption methods whose algorithms can be run on traditional computer processors, but that have been specifically designed to be resistant to quantum cracking algorithms.

  6. Forget the dollar, start saving gold. by MobSwatter · · Score: 0

    Nice, now all the carders need to do is hack the NSA to get the keys to the palace on credit card fraud. By the aspect that NSA systems are 'antiquated' and incapable of even searching for an email, just how hard could that be?

  7. Being cheap wins again by Anonymous Coward · · Score: 0

      For all our offsite (well, and onsite too) certs we have typically used self-signed, and simply installed the certs in the client machines.

    this was done because we're cheap and lazy but yay

    1. Re:Being cheap wins again by Skapare · · Score: 1

      Actually, being cheap loses. You are trivially vulnerable to a man in the middle attack by anyone who can intercept your traffic. They only need to create their own self-signed key (or a CA-signed one) with your site name in it.

      --
      now we need to go OSS in diesel cars
    2. Re:Being cheap wins again by omnichad · · Score: 1

      No. If it's not signed by the same self-signing CA the clients have trusted already, it won't be trusted by the client machines. It would pop up the same standard untrusted site warning.

  8. Cisco by zlives · · Score: 2

    I wish I was back in my last Cisco VPN class to see what my instructor (who according to himself was installing security for major industry) has to say now about my question about transparent proxies and SSL and the Cisco road map. He was recommending SSL as a better replacement to IKEv2. Granted, my tin foil hat was fully deployed about NSA snooping, but...

    I wish I was wrong.

    1. Re:Cisco by skids · · Score: 1

      They were doing this not for NSA reasons it's just what the tech industry does: find a protocol that is a bit inconvenient to set up, and instead of making it more convenient to set up, figure out an alternate scheme that's a little easier to set up, but for which they can charge a license fee for the feature, because it's new and shiny, and the sales force has been told to make sure all the PHBs know it is new and shiny.

      Of course then the rimshot comes and they realize in their haste they've done something stupid, like subject multiple streams of lan-like traffic to the ravages of a single TCP flow control session during a period of time when the Internet is designed (badly) around per-connection fairness.

    2. Re:Cisco by Anonymous Coward · · Score: 0

      This is the principal concern I have had with AnyConnect. Legacy IPsec is much more secure.

  9. Oh the land of the free ... by Anonymous Coward · · Score: 2, Insightful

    So the next time the US wants to chastise another country for spying on their citizens, the response is going to be "go away you hypocritical assholes".

    America has lost her moral compass, and is quickly turning into a police state.

    Papers please comrade.

    1. Re:Oh the land of the free ... by Anonymous Coward · · Score: 2, Insightful

      America has been a police state ruled by fear for some time now; you're among the most oppressed people in the world, but it's balanced by ignorance. It's taken you guys this long to notice.

  10. How is this "confirmation"? by xxxJonBoyxxx · · Score: 2, Insightful

    >> "The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

    So...some guy said "yes, they're collecting keys." No written evidence, no names. We demand "citation" from people posting backstories of cartoon characters on Wikipedia, so how exactly is this "confirmation" of anything?

    1. Re:How is this "confirmation"? by Alok · · Score: 5, Insightful

      Do you really expect people to say this publicly, when the most likely consequence is imprisonment and a media circus that paints them as evil villains?

    2. Re:How is this "confirmation"? by zlives · · Score: 2

      I am sorry we are currently on a little trip winding through Hong Kong and Russia, please try again when the constitutional rights are restored.

    3. Re:How is this "confirmation"? by Anonymous Coward · · Score: 0

      No, but then it's not actually confirmation. Who is to say the writer didn't just make up the source?

    4. Re:How is this "confirmation"? by Ronin+Developer · · Score: 1

      Thank you. Glad somebody said it.

      It could very well be true given the revelations being made public. But, with no proof ... it's really little more than a rumor by a conspiracy theorist ... or, that's how it will and should be viewed...with a grain of salt.

      Just that commercial on TV ... It must be true...I read it on the internet.

    5. Re:How is this "confirmation"? by SuricouRaven · · Score: 1

      If they can't offer proof, no imprisonment - that would only confirm what they claim. But they'll be blacklisted from ever working for the government again, and few private employers would want to take someone with a history of whistle-blowing.

    6. Re:How is this "confirmation"? by Princeofcups · · Score: 1

      >> "The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

      So...some guy said "yes, they're collecting keys." No written evidence, no names. We demand "citation" from people posting backstories of cartoon characters on Wikipedia, so how exactly is this "confirmation" of anything?

      It's a little hard considering the consequences. We have been living in a fascist wonderland since 9/11. Personally, I don't see anyone giving up that kind of power without a violent overthrow. -- FBI, look here, dangerous words

      --
      The only thing worse than a Democrat is a Republican.
    7. Re:How is this "confirmation"? by Anonymous Coward · · Score: 0

      This is exactly the problem. With the gag orders and secret court system we can't get a "citation". We've known the NSA to do things like this in the past, and since they control the secrets we must assume a conflict of interest. Once we assume that, we must assume that they do have access to private keys.

      It's not a matter of having proof. We lack the ability to obtain proof because of the actions of an involved party (conflict of interest). The worst case must be assumed. This is the very nature of a trust system, like PKE. If untrusted, you must assume hostile/compromised.

    8. Re:How is this "confirmation"? by IamTheRealMike · · Score: 1

      Rumour by a conspiracy theorist? We know for a fact that there is a vast conspiracy at work here, because it was just blown open by Snowden. No "theorist" about it, call them conspiracy pragmatists instead.

      Given what we know about SSL, the NSA and the FISA process, I'd say compromise of SSL keys is practically Occam's Razor by this point. The interesting rumours to me are the ones that imply they were somehow NOT able to get that data. Bear in mind, all it takes is one mole, or someone served with a "superwarrant+supergag" so they can't tell their management, and the keys are gone.

      Perfect forward secrecy helps a lot here because stealing the keys doesn't let you decrypt the traffic, just do MITMs, and active MITM is a lot more detectable than standard SSL key compromise. But hardly anyone uses it (only Google).

    9. Re:How is this "confirmation"? by philovivero · · Score: 1

      Mod this up. These people aren't "conspiracy theorists" anymore. When in doubt, you should assume a theory about the US gov't spying on you is true. The burden of proof is on the person suggesting the UNLIKELY event: aka the government acting above-board.

  11. What about non-american CA's? by Midnight_Falcon · · Score: 3, Interesting

    Many have assumed for a long time that root SSL certificates have been provided by American CA's (GoDaddy, VeriSign, Network Solutions etc), but what about foreign ones? StartSSL is Israel-based, so it can be assumed the Israeli government has the root key. What about SwissSign, based in Switzerland and run by the Swiss Post? :)

    1. Re:What about non-american CA's? by GameboyRMH · · Score: 2

      Who says they don't all have a big sharing agreement? Even countries that are unfriendly to each other, it would be worth it to both sides. You can be sure the governments themselves aren't using this stuff.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:What about non-american CA's? by Midnight_Falcon · · Score: 1

      That is absolutely true -- there is no way to be sure. However, it seems as though the Swiss have a penchant for privacy, especially from the Americans, which has only been rarely and recently broken. Switzerland isn't unfriendly so much as perpetually neutral, which is why it is used for private banking services, so it seems less likely a Swiss CA is compromised than an American one. Unless anyone has any information that might point otherwise...

    3. Re:What about non-american CA's? by Anonymous Coward · · Score: 0

      Who says they don't all have a big sharing agreement? Even countries that are unfriendly to each other, it would be worth it to both sides. You can be sure the governments themselves aren't using this stuff.

      You do realise that in the real world, if said unfriendly country found out that one of their CAs was divulging information outside the country to an unfriendly country, those CAs would have their doors kicked in with government men's guns pointed at sweating heads in no time.

    4. Re:What about non-american CA's? by GameboyRMH · · Score: 1

      Who says a government would contact the CA directly? They could call someone in the other spy agency and say "Hey wanna trade certs? We can watch terrorists using your certs and you can watch dissenters using ours. Deal? OK great, get certs from the authorities in your own country, I'll do the same and we'll trade tomorrow."

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:What about non-american CA's? by Anonymous Coward · · Score: 0

      Well, if it's anything like China, they are probably watching every single byte from a CA anyway, they probably also have surprise raids by the government on the slightest suspicion, rogue employee perhaps? they will know.

    6. Re:What about non-american CA's? by Anonymous Coward · · Score: 0

      The concept that you should trust some "authority", declared as such by somebody else with a gigantically overblown ego, none of which you have ever met... let alone trust... is utter insanity in and of itself.

      Sadly, statistically, most people don't have the intelligence to realize why "argument from authority" is such a fallacy. (And I get regularly modded down for saying it is one... showing that lack of comprehension quite nicely).

      Only accept what you have observed with your own senses. And trust as a mere *assumption* that which you got told by people you can look in the eyes, punch in the face, and expel from your life if they lied to you. Just to make life a bit easier.
      Everything else has to be assumed to be 100% pure weapons-grade bullshit. (Unless you or somebody you trust validated it personally.)

    7. Re:What about non-american CA's? by AHuxley · · Score: 1

      Where do some of the top military in most of the "freedom" loving, rule of "law" countries get parts of their military college years? The USA.
      What hats do the "foreign ones" put when not running an isp/telco?
      Run an ISP all week, fill in that military service record book over the years and are always helpful to US requests...

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:What about non-american CA's? by Anonymous Coward · · Score: 0

      Switzerland is passing a law that will force citizens to help government snooping http://lscpt.ch/ ... also they don't need anything: Swisscom, held mainly by the government, is a trusted CA in every browser, every OS. And there's no NSA drama in Switzerland ... not a single newspaper writes about it, politicians talk about anything else ... kind of a blackout on this.

  12. one time pads.. by spiffmastercow · · Score: 0

    Time to start giving your friends one time pads on physical media.. a few GB worth should provide plenty of encrypted chat time, though you will have to get the key to them in the first place.

    1. Re:one time pads.. by Anonymous Coward · · Score: 0

      Or... you could just chat together somewhere. It's a lot more fun that way....

    2. Re:one time pads.. by Skapare · · Score: 1

      Just in time for BH/DC.

      --
      now we need to go OSS in diesel cars
  13. US Military shares your opinion. by ron_ivi · · Score: 5, Interesting

    The US DoD shares your opinion. https://www.my.af.mil/afp/netstorage/login_page_files/afportal_faqs.html Looks like a self-signed cert not issued by any commercial vendor in the default browser lists.

    1. Re:US Military shares your opinion. by Anonymous Coward · · Score: 1

      DoD maintains its own CA authorities.

    2. Re:US Military shares your opinion. by Anonymous Coward · · Score: 1

      That.

      It's not self-signed; it's just that the CA isn't in your trusted authority store.

    3. Re:US Military shares your opinion. by Anonymous Coward · · Score: 0, Flamebait

      The certificate is issued by the U.S. Government. Looks like your browser is doing the right thing by not trusting it.

    4. Re:US Military shares your opinion. by ron_ivi · · Score: 1

      Right - and using those CA authorities they sign their own certs.

      That's the whole point.

      You set up the CA Authority - and use it to self-sign your certs - and it's safer than a commercial one.

    5. Re:US Military shares your opinion. by EvanED · · Score: 2

      You set up the CA Authority - and use it to self-sign your certs - and it's safer than a commercial one.

      That depends what you mean by "safer".

      It's safer to you. Onto your machines you can install the certificate of your CA, and you'll know everything is peachy.

      But if your audience is "the general internet population", e.g. because you're trying to sell stuff to them, it's less secure. Without a trusted or semi-trusted third party (normally served by the default CAs), there is no way to convey the authenticity of your own CA and thus of your own public key to them.

    6. Re:US Military shares your opinion. by EvanED · · Score: 1

      You set up the CA Authority - and use it to self-sign your certs - and it's safer than a commercial one.

      Unordained already gave a great rebuttal to your argument, said much better than what I did in my reply a minute ago.

    7. Re:US Military shares your opinion. by Anonymous Coward · · Score: 0

      Sadly public CAs are not even semi trustworthy.

    8. Re:US Military shares your opinion. by Ronin+Developer · · Score: 1

      You are, of course, assuming that those who want the keys can't just hack (or walk their way in) into your server, retrieve your keys and access password. Big assumption.

      I wonder if we will see a resurgence in the use of PGP. What would the resources need to be to compromise the web of trust?

    9. Re:US Military shares your opinion. by EvanED · · Score: 1

      Sadly public CAs are not even semi trustworthy.

      They're a hell of a lot more trustworthy than "something on the internet I'm connecting to," which is what the alternative is if you want a generally-accessible system.

    10. Re:US Military shares your opinion. by EvanED · · Score: 1

      You are, of course, assuming that those who want the keys can't just hack (or walk their way in) into your server, retrieve your keys and access password. Big assumption.

      The same is equally true if you use self-signed certs or if you run your own CA.

    11. Re:US Military shares your opinion. by pixelpusher220 · · Score: 4, Interesting

      Couldn't somebody like the EFF or ACLU create a certificate that people could trust? Yes it's a manual thing, but given that the automatic system (was likely previously) and is now utterly untrustworthy, it seems that manual type of update might become necessary until we can get Firefox and other open source OS/apps to add it in automatically?

      --
      People in cars cause accidents....accidents in cars cause people :-D
    12. Re:US Military shares your opinion. by MSZ · · Score: 1

      Against crooks, yes. Against govt spies - no.

      Look around the websites of some CAs and you'll find mentions that they will provide duplicates of certificates to "law enforcement".

      The best choice seems to be to use a CA from a country that hates the country that is most likely to spy on you or interfere with your site.

      --
      The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
    13. Re:US Military shares your opinion. by pseudorand · · Score: 1

      You realize you just slashdotted/DDoSed an Air Force server, right? That's hacking against the U.S. Government, tantamount to treason. You're goin' to jail, buddy!

    14. Re:US Military shares your opinion. by EvanED · · Score: 1

      Against crooks, yes. Against govt spies - no.

      Sure. But that's still very useful in practice, especially in terms of the real threats that people tend to face.

      And it still doesn't argue against my main point in this thread, which is that if you have no relationship with your site's (or service's) visitors with which to have already set up your credentials, it is flat out wrong to say that it's safer to use your own CA or self-signed certs than to go via the usual CA system. The latter is much safer.

      If you're really worried about government spies, yes, CAs won't help you. But neither will using a self-signed cert.

    15. Re:US Military shares your opinion. by andy_t_roo · · Score: 1

      "You are, of course, assuming that those who want the keys can't just hack (or walk their way in) into your server, retrieve your keys and access password."

      If they can do that then they can retrieve any data you're trying to protect with the key anyway -- self-signing would change the bar to "to be able to retrieve my information, you must already be able to retrieve *my* secret" (as compared to the CA's secret).

    16. Re:US Military shares your opinion. by nullchar · · Score: 1

      Sounds good, but what if they receive a Foreign Intelligence Surveillance Act (FISA) court order which prohibits them from telling anyone they had to hand over the private keys to their Certificate Authority?

      Somehow the 4th and 1st amendments are violated without any public recourse.

    17. Re:US Military shares your opinion. by ron_ivi · · Score: 2

      So best of both worlds would be if *TWO* certificates need to match --- both a self-signed one; and a commercial one.

      Seems that would fix many of the problems.

      That way if the commercial CA is trustworthy at first, you can transfer your public key; and if the commercial CA gets compromised later, your self-signed key protects you.

    18. Re:US Military shares your opinion. by kasperd · · Score: 1

      Look around the websites of some CAs and you'll find mentions that they will provide duplicates of certificates to "law enforcement".

      So what? The certificate is worth nothing without the private key, which you should never send to the CA in the first place.

      --

      Do you care about the security of your wireless mouse?
    19. Re:US Military shares your opinion. by Anonymous Coward · · Score: 0

      I guess it would be a better idea to set up such a CA in a country with better civil rights standards than the USA. Maybe Switzerland or Iceland?

    20. Re:US Military shares your opinion. by FriendlyLurker · · Score: 1

      The organization would have to be multi-national with preference for countries with strong privacy and anti-foreign-spying stances - Iceland is one that springs to mind. The FISA secret rubber stamp court (please refer to it by its proper name) would be worthless then if the organization had the balls to stand up to any additional threats that the NSA is known to level against those that do not roll over to their demands.

    21. Re:US Military shares your opinion. by gnasher719 · · Score: 1

      Couldn't somebody like the EFF or ACLU create a certificate that people could trust?

      Hypothetically, if the right people in the EFF were given a choice of handing over private keys or disappearing, what would they do? And after these people disappeared, what would their replacements do?

    22. Re:US Military shares your opinion. by Anonymous Coward · · Score: 0

      Um that's not self-signed. It's issued by DOD CA-21. The DoD maintains its own root CAs that are not included in the Windows Root CA program, for example. The intended audience is DoD users, so DoD has complete control over their trust stores and can make them trust any CA it says.

    23. Re:US Military shares your opinion. by Anonymous Coward · · Score: 0

      Which means it *is* self-signed - in that the DoD signed it themselves.

      It's not unsigned - but it is self-signed.

  14. Think of cold war police states by DickBreath · · Score: 3, Interesting

    In some cold war police states half the population was employed to spy on the other half. No wonder their economies sucked.

    --

    I'll see your senator, and I'll raise you two judges.
    1. Re:Think of cold war police states by Kjella · · Score: 1

      Yeah today between machines and self-service spying (meaning, people post it on Facebook themselves) it's like shooting fish in a barrel.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Think of cold war police states by Anonymous Coward · · Score: 1

      Think of all the jobs the NSA destroyed by using computers to spy on us instead of our fellow flesh-and-blood citizens! THE HORROR!

  15. Will this do it? by Taantric · · Score: 5, Interesting

    If this does not kill off the cloud or at least seriously damage the business model, I think it would be safe to say human apathy has reached critical mass and we deserve everything that is coming in the next 20-30 years.

    1. Re:Will this do it? by amiga3D · · Score: 1

      Oh come on. I don't think it's right but I have to say the government pretty much knows everything about me now anyway. What difference if they have access to my private info. I know they are watching so I'm certainly not going to provide them with anything damaging to me. There are ways around this if you know it's compromised and even without this article I was pretty sure it was compromised anyway. Any security that you don't have 100 percent control of isn't totally secure by definition. I know they monitor e-mail and phone traffic. Only a fool would trust the internet with any seriously sensitive info.

    2. Re:Will this do it? by Anonymous Coward · · Score: 1

      Your profile when detailed can reveal enough, not any real crimes, but enough to make you interesting in some way.

      It's not about you, it's about them and how someone can abuse or "lose" this wealth of information.

    3. Re:Will this do it? by Anonymous Coward · · Score: 0

      Perhaps it will just move it. Mega is the first step in the "fuck your shit" US move of the cloud. Perhaps we'll see the tech economy end up utterly wrecked and we'll finally see them getting rightfully lynched for fucking up the economy in name of paranoia.

    4. Re:Will this do it? by FriendlyLurker · · Score: 2

      You are missing the point amiga3D. When "the government pretty much knows everything about [everyone] now anyway" - then there is no more ability to effectively and democratically reform society for the better, right injustices, fight to change the status quo etc. For example try and organize a rally, information drive, any form of community organization against or for [insert cause]. If it upsets those in power you will be picked up/harassed/fired/detained before any of your emails/chats/phone calls to organize democratically allowed protest even hit anyone's inbox. This is not speculation, all these police state things have already happened. One recent example: if you care to look into the details of one particular movement called "Occupy ..." that threatened the heart of power and money by asking for those in wall street that broke laws to actually be punished for their crimes.

      Allowing the surveillance state means any slippery slope we are now on will just continue to get worse, no leaders in our community can take charge to organize others to resist/complain/pushback against [insert cause]. What Taantric said is correct, history has given us enough examples now to know that if we do not reject the surveillance state we now find ourselves living in, then we really do deserve everything that is coming...

  16. all certs? Not just ca? by KDN · · Score: 1

    To decrypt, don't they just need the private key for the CA? From there I believe it's all downhill to eventually get the session keys.

  17. fuck that by Anonymous Coward · · Score: 0

    Never heard about "main-in-the-middle" before reading this article?

    Well you don't have to be ashamed of yourself, this is a secret technique only available for government agencies, you see they can tap into the "main" routes, AKA THE MOTHERFUCKING INTERNET BACKBONE, CORE ROUTERS, T1 AND YOUR FUCKING ISP!

    It's time to move towards self-signed certificates AKA DO NOT FUCKING TRUST ANYONE!

    1. Re:fuck that by Skapare · · Score: 1

      Can tap in? They already have, years ago.

      --
      now we need to go OSS in diesel cars
  18. If true not so bad! by Anonymous Coward · · Score: 2, Informative

    If true this could be bad as presently SSL uses the public / private RSA key pair for encryption as well as authentication.

    BUT under the latest SSL / TLS standard (only presently client side supported by Chrome) the encryption half of the secure connection can be performed by Diffie-Hellman key exchange and that would offer perfect forward security. Meaning that all a government with the private key can do is a MITM attack, and it is possible to spot that by using multiple IP path checking and other tests.

    Unfortunately, for now this scenario seems unlikely as many providers excluding google are not providing access to this key exchange scheme.

    ALSO, under existing SSL you are not protected presently if a provider hands over their old expired keys to the government and these are used to crack stored session data.

    SO - Put pressure on your providers to support TLS with Diffie-Hellman, like Gmail and OpenSSL!!

    1. Re:If true not so bad! by Anonymous Coward · · Score: 0

      BUT under the latest SSL / TLS standard (only presently client side supported by Chrome) the encryption half of the secure connection can be performed by Diffie-Hellman key exchange and that would offer perfect forward security.

      Not only Chrome supports perfect forward security, almost all browsers do, some examples:
      Firefox 21 - TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
      Internet Explorer 10 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
      Safari iOS 6.0.1 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
      Safari 5.1.9 - TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
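
The cipher-suite names listed above encode the key exchange in their first tokens, which is what decides whether a session has forward secrecy. The classifier below is an added example, not code from the thread or from any browser project: it parses IANA names (as quoted above) and OpenSSL names (as logged by nginx's $ssl_cipher), reports whether the key exchange is ephemeral, and separately flags a broken bulk cipher, since forward secrecy says nothing about RC4. The three distinct names quoted in this reply are in the sample list; the remaining names and the flagged-suite logic are my additions.

```python
"""Classify TLS cipher-suite names by whether their key exchange gives forward
secrecy.  Added example, not code from the thread: the first three names in
SAMPLE_SUITES are the ones quoted in the reply above, the rest are standard
IANA/OpenSSL names added for contrast."""

# Key-exchange tokens that derive a fresh secret for every handshake.
EPHEMERAL_KX = {"ECDHE", "DHE", "SRP"}
# Key exchanges whose session secret is protected by a long-term key
# (RSA key transport, static (EC)DH) or by a pre-shared key alone.
STATIC_KX = {"RSA", "ECDH", "DH", "PSK", "KRB5"}
# Bulk-cipher / MAC markers that are broken regardless of key exchange
# ("DES" also matches 3DES spellings such as DES_CBC3 / DES-CBC3).
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5")


def _weak(cipher_part):
    return any(marker in cipher_part for marker in WEAK_MARKERS)


def classify(suite):
    """Return {"suite", "kx", "pfs", "weak_cipher"} for an IANA name
    (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) or an OpenSSL name as logged by
    nginx's $ssl_cipher (ECDHE-RSA-AES256-SHA).  Anonymous and unknown
    layouts raise ValueError rather than guessing."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        body = name[4:]
        if "_WITH_" not in body:
            # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry only the AEAD and
            # hash; their key exchange is always ephemeral (EC)DHE.
            return {"suite": suite, "kx": "TLS1.3-(EC)DHE", "pfs": True,
                    "weak_cipher": _weak(body)}
        kx_part, cipher_part = body.split("_WITH_", 1)
        if "ANON" in kx_part:
            raise ValueError("anonymous suite, no authentication: %r" % suite)
        kx = kx_part.split("_")[0]          # ECDHE_RSA -> ECDHE, SRP_SHA_RSA -> SRP
    else:
        tokens = name.split("-")
        if tokens[0] in ("ADH", "AECDH"):
            raise ValueError("anonymous suite, no authentication: %r" % suite)
        if tokens[0] in EPHEMERAL_KX or tokens[0] in STATIC_KX:
            kx, cipher_part = tokens[0], "-".join(tokens[1:])
        else:
            # OpenSSL omits the key exchange for plain RSA suites: AES256-SHA, DES-CBC3-SHA
            kx, cipher_part = "RSA", name
    if kx in EPHEMERAL_KX:
        pfs = True
    elif kx in STATIC_KX:
        pfs = False
    else:
        raise ValueError("unrecognised key exchange in %r" % suite)
    return {"suite": suite, "kx": kx, "pfs": pfs, "weak_cipher": _weak(cipher_part)}


def audit(suites):
    """Names of suites that either lack forward secrecy or use a broken cipher."""
    return [c["suite"] for c in map(classify, suites)
            if not c["pfs"] or c["weak_cipher"]]


# Constructed sample: the suites quoted in the reply above, plus contrasts.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",          # Firefox 21 / Safari 5.1.9: PFS, but RC4
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # Internet Explorer 10
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   # Safari iOS 6.0.1
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # RSA key transport: no PFS
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",       # static ECDH: no PFS
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
    "ECDHE-RSA-AES256-GCM-SHA384",             # OpenSSL spelling
    "AES256-SHA",                              # OpenSSL spelling of TLS_RSA_WITH_AES_256_CBC_SHA
]

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(classify(s))
    print("flagged:", audit(SAMPLE_SUITES))
```

Run over a column of $ssl_cipher values from an access log, audit() gives the share of sessions that a later key disclosure would expose, which is the number a server operator wants before changing the cipher order.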

    2. Re:If true not so bad! by WaffleMonster · · Score: 1

      BUT under the latest SSL / TLS standard (only presently client side supported by Chrome) the encryption half of the secure connection can be performed by Diffie-Hellman key exchange and that would offer perfect forward security.

      ECDH works on all current major browsers using only SSL3/TLSv1. It is web servers not setting temporary DH keys or failing to insist on their own cipher order rather than the browsers expressed preference which are the weak links.

      Meaning that all a government with the private key can do is a MITM attack, and it is possible to spot that by using multiple IP path checking and other tests.

      While the bar is certainly raised when PFS is used WRT wholesale eavesdropping activities...the above is not something one should count on being the case.

      SO - Put pressure on your providers to support TLS with Diffie-Hellman, like Gmail and OpenSSL!!

      Amen.

    3. Re:If true not so bad! by omnichad · · Score: 1

      SSL uses the server's private key and public key as well as the same from the visitor. The CA's private key is used to sign the certificate. The certificate itself only proves that the server you are talking to was verified by the CA. The CA's private key can only sign new certs - it can't decrypt web traffic.

      So whether it's standard SSL or D-H, we're still talking about MITM attacks.

    4. Re:If true not so bad! by SuricouRaven · · Score: 1

      Using DH would certainly solve some problems. The government would still be able to MITM specific targets (either end), but they couldn't retroactively go through their logs and find conversations you had months or years ago.

  19. Re:all certs? Not just ca? by Anonymous Coward · · Score: 0

    No, the private key for the CA just enables someone else to sign certs as if they were the CA themselves. It does not permit an entity holding that private key to decrypt all data encrypted by certs issued by the CA. Each cert signed by the CA contains a public key; the corresponding private key is typically not in the possession of the CA but is in the possession of the person/organization who's identity the CA is certifying in the cert signed by the CA.

  20. Re:all certs? Not just ca? by Skapare · · Score: 1

    If they have the CA key, they can create a new private key for the service you are going to, reroute your traffic intended to go to that service sending it to their own server, provide the public half of the "master" key they created which is signed by the CA key, and your client (browser) will believe it is reaching that service when it is not. This is the man in the middle attack, styled slightly different by having the CA key instead of the target private key.

    Browsers could help with that by saving the public keys it gets from every site you visit, and warn/block your access later when the key is changed. Even this is not perfect since it is vulnerable to the attack on the first visit, or when the key change is believed to be when the old one expired.

    --
    now we need to go OSS in diesel cars
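
The key-continuity idea in the post above (remember a site's key, alarm when it changes) is straightforward to implement, and both of its stated gaps show up in the verdicts. The code below is an added example, not code from the thread or from any browser: it pins the SubjectPublicKeyInfo hash rather than the whole certificate so a re-issued certificate for the same key does not alarm, refuses to overwrite a pin automatically, and reports a change that coincides with the old certificate's expiry as a separate, lower-confidence verdict. The host name, dates and the SPKI byte strings are constructed stand-ins.

```python
"""Key-continuity ("trust on first use") check of the kind the post above
describes: remember the public key a host presented and flag later changes.
Added example, not code from the thread.  The store is an in-memory dict (a
browser would persist it), and the SPKI byte strings in demo() are
constructed stand-ins for real SubjectPublicKeyInfo encodings."""
import hashlib
from datetime import datetime, timezone

FIRST_SEEN = "first-seen"                # nothing to compare against: the first-visit gap
MATCH = "match"
CHANGED = "changed"                      # new key while the pinned one was still valid
CHANGED_AT_EXPIRY = "changed-at-expiry"  # new key after expiry: plausible rotation, still unverified


def spki_fingerprint(spki_der):
    # Pin the SubjectPublicKeyInfo rather than the whole certificate, so a
    # certificate re-issued for the same key does not raise a false alarm.
    return hashlib.sha256(spki_der).hexdigest()


class KeyContinuityStore:
    def __init__(self):
        self._pins = {}   # host -> (fingerprint, not_after of the cert that carried it)

    def observe(self, host, spki_der, not_after, now):
        """Record or compare the key for `host`; returns one of the verdicts above."""
        fp = spki_fingerprint(spki_der)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = (fp, not_after)
            return FIRST_SEEN
        old_fp, old_not_after = pinned
        if fp == old_fp:
            # Same key, possibly a renewed certificate: extend the remembered validity.
            self._pins[host] = (fp, max(old_not_after, not_after))
            return MATCH
        # A different key.  Never overwrite the pin automatically: a swap timed to
        # the old certificate's expiry (the post's second caveat) would otherwise
        # be accepted silently.  The caller decides, ideally after an out-of-band check.
        return CHANGED_AT_EXPIRY if now >= old_not_after else CHANGED

    def accept(self, host, spki_der, not_after):
        """Called only after the new key was confirmed by some other channel."""
        self._pins[host] = (spki_fingerprint(spki_der), not_after)

    def pinned(self, host):
        return self._pins.get(host)


def demo():
    """Constructed visit sequence for one host; returns the verdict per visit."""
    utc = timezone.utc
    key1, key2, key3 = b"constructed-spki-1", b"constructed-spki-2", b"constructed-spki-3"
    exp_2014 = datetime(2014, 1, 1, tzinfo=utc)
    exp_2015 = datetime(2015, 1, 1, tzinfo=utc)
    store = KeyContinuityStore()
    return [
        store.observe("example.test", key1, exp_2014, datetime(2013, 8, 1, tzinfo=utc)),
        store.observe("example.test", key1, exp_2014, datetime(2013, 9, 1, tzinfo=utc)),
        store.observe("example.test", key2, exp_2015, datetime(2013, 9, 2, tzinfo=utc)),  # swap mid-validity
        store.observe("example.test", key3, exp_2015, datetime(2014, 2, 1, tzinfo=utc)),  # swap timed to expiry
    ]


if __name__ == "__main__":
    print(demo())
```

The FIRST_SEEN verdict is the honest name for the post's first caveat: the store has no basis for a decision at that point, so a pin is only as good as the first connection that created it.
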
  21. Not just man in the middle by Anonymous Coward · · Score: 0

    It is worse than that. Much worse.

    SSL is typically deployed on the web without Diffie-Hellman, the RSA public key is used directly to encrypt the symmetric cipher.

    If you acquire the RSA private key then you don't need to man in the middle. A packet capture is sufficient to recover the symmetric cipher and decrypt the entire session.

    1. Re:Not just man in the middle by EvanED · · Score: 1

      If you acquire the RSA private key then you don't need to man in the middle.

      Except that even if the claims in the article are true, no one is getting the RSA private keys.

      CAs aren't given your private keys when you register for a certificate. You just give them your public key. Which means that the CA knows absolutely no more about you than anyone who goes to your website does.

    2. Re:Not just man in the middle by omnichad · · Score: 1

      The CA's private key is not the private key used to encrypt the traffic. The server's private key is used for that. The server's public key is signed by the CA's private key for proof of identity. You can only get access to the session by being MITM.
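
Comments 18 and 21 together make the key distinction in this thread: with RSA key transport the server's long-term private key decrypts the premaster secret, so a recorded session plus that key (obtained later, by whatever means) is enough; with ephemeral Diffie-Hellman the same key only signs, so a recording plus the key yields nothing and an active interception is the only route. The block below is an added example, not code from the thread: it runs both handshake shapes with toy parameters and shows what a later holder of the private key can recover from each capture. The RSA modulus (two small known primes) and the DH group (2^127-1, g = 5) are constructed and far too small for real use.

```python
"""Why comments 18 and 21 distinguish RSA key transport from (ephemeral)
Diffie-Hellman.  With RSA key transport, whoever later holds the server's
long-term private key can decrypt a recorded handshake; with DHE that key only
signs the server's share, so a recording plus the key yields no session secret.
Added example, not code from the thread; the RSA modulus and DH group are
constructed toy parameters, far too small for real use."""
import hashlib
import secrets

# Constructed toy server key pair (two known primes; real keys are 2048+ bits).
_P, _Q = 1000000007, 998244353
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
# Constructed toy DH group: 2^127 - 1 is prime, g = 5.
DH_P = (1 << 127) - 1
DH_G = 5


def rsa_public_op(x):
    return pow(x, RSA_E, RSA_N)


def rsa_private_op(x):
    return pow(x, RSA_D, RSA_N)


def h_mod_n(*parts):
    """Hash integers to a value below RSA_N; stands in for the signature digest."""
    m = hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()
    return int.from_bytes(m, "big") % RSA_N


def session_key(secret):
    return hashlib.sha256(str(secret).encode()).hexdigest()


def rsa_key_transport_handshake():
    """TLS_RSA_* suites: the client picks the premaster secret and sends it
    encrypted to the server's public key.  Returns (session key, capture)."""
    premaster = secrets.randbelow(RSA_N - 2) + 1
    capture = {"enc_premaster": rsa_public_op(premaster)}   # what a tap records
    server_premaster = rsa_private_op(capture["enc_premaster"])
    assert server_premaster == premaster
    return session_key(premaster), capture


def dhe_handshake():
    """TLS_DHE_RSA_* suites: fresh exponents a and b that are never sent; the
    RSA key only signs the server's share.  Returns (session key, capture)."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    capture = {"A": A, "B": B, "sig": rsa_private_op(h_mod_n(A, B))}
    client_secret, server_secret = pow(B, a, DH_P), pow(A, b, DH_P)
    assert client_secret == server_secret
    return session_key(client_secret), capture    # a and b are discarded here


def signature_valid(capture):
    """What the client (or anyone) checks with the server's public key."""
    return rsa_public_op(capture["sig"]) == h_mod_n(capture["A"], capture["B"])


def recover_with_private_key(capture):
    """What a later holder of the server's private key gets from a capture.
    RSA key transport: the premaster, hence the session key.  DHE: nothing to
    decrypt; the key can only reproduce the signature, and g^(ab) needs an
    exponent that never left an endpoint."""
    if "enc_premaster" in capture:
        return session_key(rsa_private_op(capture["enc_premaster"]))
    return None


if __name__ == "__main__":
    key, cap = rsa_key_transport_handshake()
    print("RSA transport, recovered from capture:", recover_with_private_key(cap) == key)
    key, cap = dhe_handshake()
    print("DHE, signature valid:", signature_valid(cap),
          "recovered from capture:", recover_with_private_key(cap))
```

The same split explains comment 20's point about CA keys: a CA key can produce a signature that a client accepts for a forged share, which is the active man-in-the-middle case, but it never decrypts a passively recorded session in either handshake shape.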

  22. Don't entirely buy this by Enderandrew · · Score: 1

    I've seen this claim a few times in the past. Someone a few months ago told me they were confident that the government already has private keys for every major US site.

    If that were the case, why would they need to request data from Google, Microsoft, Facebook, Yahoo, AOL, etc. All of these companies have discussed how the government requests data from them, and how they have to provide it. If the government simply had the private keys and could just sniff all traffic, they wouldn't need to.

    I wouldn't be shocked if someone asked for private keys at some point, but no company is obligated to hand them over. The government wouldn't have any legal recourse to do anything about it, and it would hurt the program if it went public and went to court. The government has zero leverage in this case.

    The only reason the NSA has been able to get data currently is because of the NSL program. That program needs to stop and go out the window. There is zero reason why the previous system (obtain warrants, or prove in court good reason why you had probable cause and literally didn't have time for the warrant in each case) can't work.

    http://en.wikipedia.org/wiki/National_security_letter

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:Don't entirely buy this by Skapare · · Score: 1

      Having the CA keys, or the site private keys, does not automatically hand data over to them. They still have to intercept the data, being sure none of it reaches the intended destination except through their MitM attack. They have the taps and the means to do this. They do NOT have the resources to do this for 100% of the population ... yet. They still need to get certain subsets of other data from these providers to do what they are doing. Don't assume that because they are asking for certain data that they do not already have a lot of other data.

      --
      now we need to go OSS in diesel cars
    2. Re:Don't entirely buy this by Enderandrew · · Score: 1

      They could just sniff traffic at all the tier 1 ISPs and filter for who they're looking for. They'd have info immediately. If they had keys and they weren't doing this, then they'd be idiots.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    3. Re:Don't entirely buy this by dave562 · · Score: 2

      "If that were the case, why would they need to request data from Google, Microsoft, Facebook, Yahoo, AOL, etc. All of these companies have discussed how the government requests data from them, and how they have to provide it. If the government simply had the private keys and could just sniff all traffic, they wouldn't need to."

      It comes down to legality. If the government intends to eventually prosecute someone, they have to follow the legal process.

      On the other hand, if all they want to do is snoop and "prevent terrorism", they can bypass the legal channels.

    4. Re:Don't entirely buy this by Enderandrew · · Score: 1

      That's precisely the point. The system that has been exposed (and many people have known about for years) is that the government uses NSLs to get data from companies. Requesting SSL keys doesn't make sense because they can't use the data.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    5. Re:Don't entirely buy this by omnichad · · Score: 1

      Unless the NSL is just a cover used to mask what's really going on. If it were, it would be a fairly effective misdirection. If everyone's eyes are on the requests, and the NSL originally had a gag order attached - then nobody would think this wasn't the real official program.

    6. Re:Don't entirely buy this by Enderandrew · · Score: 1

      I don't believe it is the case at least. Companies like Google are pretty unhappy about the affair, and have tried to talk about it as much as they're legally allowed to with their transparency reports, though they can't list NSL requests in said report. But they do mention that they're not allowed to talk about NSL letters, which is legally as much as they can say.

      Google has even outlined their process for handing over data to the government (via FTP) because they refuse the government direct access to their servers.

      I just don't believe Google would have handed over their private keys when there is zero reason they'd have to, when they've demonstrated they are willing to fight governments on such requests (US, China, Brazil and more).

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    7. Re:Don't entirely buy this by SuricouRaven · · Score: 1

      I imagine it'd be a lot easier and faster to pull information from the company database than to try to reconstruct it from intercepted web sessions.

      Which is easier: SELECT * FROM messages WHERE sender=[suspect], or having someone spend a week going through a year's worth of intercepted HTTPS trying to piece pages back together, with every minor change in page layout breaking their parser script?

      (Sorry if that's bad SQL, I'm not a database raven. I do networks.)

    8. Re:Don't entirely buy this by AHuxley · · Score: 1

      Re: demonstrated they are willing to fight governments: after being exposed by brand.
      Legal dept, boss, admins at the big telcos and computer firms just did their jobs once shown 'paper' to make it all legal.
      A few http://au.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6
      http://en.wikipedia.org/wiki/Room_641A

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:Don't entirely buy this by Enderandrew · · Score: 1

      That is the NSL program. If you are served an NSL, you have to hand over data and you're not allowed to even talk about the fact you were served an NSL. It is really fucked up and the law needs to change.

      You are not however required to put in a backdoor or give direct access for all data all the time.

      That is why Google is able to keep the NSA out of their servers and just FTP over data for specific requests when they are served an NSL.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  23. SSL Certs by Anonymous Coward · · Score: 0

    We haven't used "legit" certs from companies like VeriSign for almost 6 years. Unless someone wants to break into our company and rip the keys from the HSMs inside the company's secured vault then I doubt there will be any compromise of our keys by ANYONE at a federal agency.

  24. Time to put the keys into the hands of the users by Eccentric-Dude · · Score: 0

    Well it is time to put the keys into the hands of the users.

    If the feds want your keys they would have to come to you!

    This will raise the bar a little: http://eccentric-authentication.org/eccentric-authentication/five-minute-overview.html

    (With current operating systems, that's still too easy, hence I can only raise the bar. not solve it...)

  25. Gag orders, duress by Skapare · · Score: 1

    Update, 11:40 a.m. PT: Adds additional comments from a Facebook representative saying the company has not received such requests.

    So how do we know this statement is not as it is due to a FISA or other type of gag order with an accompanying threat? The truth is we simply do not know if this statement is as it is due to the duress of a gag order. We do not have a pre-established duress code word, nor the trust that needs to accompany it.

    --
    now we need to go OSS in diesel cars
    1. Re:Gag orders, duress by blueg3 · · Score: 1

      About the same way that we don't know the reporter or their source simply made up the statement.

  26. The SSL "problem" by dave562 · · Score: 1

    Does the NSA really have a problem decrypting SSL/TLS? I find it hard to believe that they do not have dedicated hardware with specialized processors that have been custom built to crack SSL/TLS.

    1. Re:The SSL "problem" by WaffleMonster · · Score: 1

      Does the NSA really have a problem decrypting SSL/TLS? I find it hard to believe that they do not have dedicated hardware with specialized processors that have been custom built to crack SSL/TLS.

      SSL/TLS is not a single thing. There are literally hundreds of cipher suites defined that can be negotiated under the umbrella of "SSL/TLS".

      Some are quite insecure by design or have known weaknesses, while others have no known weaknesses and are cleared for use by NSA to protect US Secret and TS material.

    2. Re:The SSL "problem" by AHuxley · · Score: 1

      http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
      More the options to get logs in real time or over time.
      ~"all previous searches would be revealed where logged traffic is available"
      So the US has the big firms covered and has set up a "standard" to get into any other server/telco/network if needed.

      --
      Domestic spying is now "Benign Information Gathering"
  27. Snowden Assange WikiLeaks CA by anwyn · · Score: 1

    They should set up their own CA in some country immune to US pressure. They would not have to do the actual signing. (Probably difficult due to the current fishbowl they live in.) They could hire the people, set policies, put their logo on it. They could set it up so actual signing occurs anonymously in some unknown country.

    Probably the only CA I would trust.

    1. Re:Snowden Assange WikiLeaks CA by Alain+Williams · · Score: 1

      Setting up a CA is easy, anyone can do it. The hard part is getting the CA's keys into the various browsers. If you don't get your keys into browsers then users don't have any confidence in the certificates that you hand out and the browser cannot detect a Man In The Middle attack. Users will (rightly) see nasty warnings from the browsers.

      If the NSA says ''no'' then the major browser vendors will not distribute your keys with their browsers. Unfortunately: but probably so.

      Something needs to change else it is game over for web security; I am afraid that the majority of the sheeple will just not care and go back to watching TV. We cannot let this lie, quite how to keep it alive I am not sure.

  28. the same person said Obama is a space alien by raymorris · · Score: 1

    "Anonymous source claims" ...

    That anonymous source guy is a nutcase. Is anonymous source the same guy who says Obama is a space alien?

    On the other hand, in 2008 Mr. Source said "you think 2% growth for six months is a bad economy? Just wait and see how Obama trashes the economy for six years", so I guess he's right sometimes.

    1. Re:the same person said Obama is a space alien by the+eric+conspiracy · · Score: 1

      The GDP in 2008 was negative for 3 out of the 4 quarters, and for the year. It was a CRUSHING -6.3 percent for Q4 2008. 2% growth would have been a giant improvement.

      Mr Source needs to update his talk.

    2. Re:the same person said Obama is a space alien by Anonymous Coward · · Score: 0

      ...the same guy who says Obama is a space alien?

      If the NSA denies it we'll know it's true! :D

      P.S. E.T. was "black" too, in fact Obama looks like a slightly less pedo version!

  29. Driver signing is more interesting by nicoleb_x · · Score: 1

    I would think that SSL certificates are much less interesting than the certificates used to sign drivers and programs.

  30. USA == Ubiquitous Surveillance Activities by VitaminB52 · · Score: 0

    'nuff said

  31. Some UK intel by Anonymous Coward · · Score: 0

    I met a guy who met a guy who met a retired Brit a year or so ago while on holiday who claimed to have worked on IT for the UK surveillance effort directed at illegal migrants and related persons of interest ie terrorists.

    While this was a few years before, he said they could do nothing to see VPN traffic content. It was completely opaque to them and a source of frustration.

  32. Support in-browser TLS-SRP by WaffleMonster · · Score: 1

    There have been patches for TLS-SRP in chrome and firefox for years and they continue to sit for BS/political reasons.

    Any site you can login may use TLS-SRP to establish a secure channel leveraging access credentials to establish trust rather than or in addition to PKI.

    It does not solve everything but it does help to protect users not only from CA infrastructure compromise but also phishing attacks against users' credentials. TLS-SRP derived session encryption keys provide PFS out of the box.
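
The properties the post above claims for TLS-SRP (trust from the login credential rather than a certificate, a fresh key per session, the server never holding the password) are all visible in the SRP-6a exchange that RFC 5054 builds on. The block below is an added example, not code from the post or from any browser patch: it runs the registration step, both sides' messages, and the client's proof, with a wrong password shown to produce a different key so the server rejects it. The group (N = 2^127-1, g = 5) is a constructed toy; RFC 5054 specifies 1024-bit and larger groups, and the hashing and padding here are simplified relative to the RFC.

```python
"""SRP-6a exchange of the kind TLS-SRP (RFC 5054) uses: the server stores a
verifier rather than the password, both sides derive a fresh session key each
run, and a wrong password yields a different key, so neither a certificate nor
a CA is involved in authenticating the server.  Added example, not code from
the post; N and g are a constructed toy group, and the hash/padding layout is
simplified relative to RFC 5054."""
import hashlib
import secrets

N = (1 << 127) - 1   # toy prime; real SRP groups are 1024 bits and up
g = 5


def H(*parts):
    """Hash a mix of bytes and integers into one integer."""
    m = hashlib.sha256()
    for p in parts:
        m.update(p if isinstance(p, bytes) else str(p).encode())
        m.update(b"|")
    return int.from_bytes(m.digest(), "big")


k = H(N, g) % N   # SRP-6a multiplier


def _x(identity, password, salt):
    return H(salt, H(identity.encode(), b":", password.encode()))


def register(identity, password):
    """Enrolment: the server keeps salt and verifier v = g^x, never the password."""
    salt = secrets.token_bytes(16)
    return {"I": identity, "s": salt, "v": pow(g, _x(identity, password, salt), N)}


def client_step1():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)              # private a, public A sent to the server


def server_step1(record, A):
    if A % N == 0:
        raise ValueError("illegal client share")   # RFC 5054 2.5.4 check
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N
    return b, B                         # private b, public B sent to the client


def client_key(identity, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("illegal server share")
    u = H(A, B)
    x = _x(identity, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (g^b)^(a + ux)
    return hashlib.sha256(str(S).encode()).digest()


def server_key(record, b, A, B):
    u = H(A, B)
    S = pow((A * pow(record["v"], u, N)) % N, b, N)     # (g^a * g^(xu))^b
    return hashlib.sha256(str(S).encode()).digest()


def run(identity, enrolled_password, typed_password):
    """Full exchange; returns whether the keys agree and whether the server
    accepts the client's proof M1 = H(A, B, K)."""
    record = register(identity, enrolled_password)
    a, A = client_step1()
    b, B = server_step1(record, A)
    K_client = client_key(identity, typed_password, record["s"], a, A, B)
    K_server = server_key(record, b, A, B)
    M1 = H(A, B, K_client)              # client -> server proof
    return {"keys_match": K_client == K_server,
            "server_accepts": M1 == H(A, B, K_server)}


if __name__ == "__main__":
    print(run("alice", "correct horse battery", "correct horse battery"))
    print(run("alice", "correct horse battery", "wrong password"))
```

Because a and b are fresh per run and never transmitted, a recorded exchange gives a later holder of the verifier database only the ability to impersonate the server, not to decrypt past sessions, which is the forward-secrecy claim the post makes.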

  33. Self-signed Certs by DaMattster · · Score: 1

    This makes the argument for use of a private certificate authority with self-signed certificates.

  34. Death of Public-Key Encryption? by Anonymous Coward · · Score: 0

    It's interesting how the linked blog post points to the death of public-key encryption. The efficacy of any form of encryption depends on the trustworthiness of all parties sharing information. If any party shares encryption keys or cleartext with third parties, any encryption method is compromised. The issue here has nothing to do with public-key encryption and everything to do with the trustworthiness of the entity operating the SSL-secured server. If you can't trust the operator not to hand out its private key, you can't expect your communications with that party to be 100% secure.

  35. verisign or godaddy by Twillerror · · Score: 1

    Have they been asked? Do they keep a copy?

  36. Ridiculously broad wording? by Anonymous Coward · · Score: 0

    Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

    So the only kind of records the government is ever allowed to keep are records for criminal cases? WTF? How are they supposed to run the US Postal Service? That's your name plus your address right there. What about the patent office? Only inventions used for crimes can be patented?

    Those are just the tip of the iceberg for how much it'd fuck everything up.

    1. Re:Ridiculously broad wording? by dgatwood · · Score: 1

      The USPS is an independent agency. It's just half a step away from being a government-owned corporation. Take that half step. Problem solved.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Ridiculously broad wording? by neonKow · · Score: 1

      So your idea for solving the problem of government entities needing to store personal information is to turn those entities into private corporations and have THOSE store personal data instead? In what universe is this an improvement??

    3. Re:Ridiculously broad wording? by dgatwood · · Score: 1

      Because if the government wants that information, it must obtain a court order. Sure, it's a small improvement, but it's an improvement nonetheless.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  37. Mmm delicious commercialism by Anonymous Coward · · Score: 0

    This is what happens when you commercialise trust.

    Time to start up our own CAs and get them into Firefox.

  38. Ya know what if this was really true by Stan92057 · · Score: 1

    Ya know what, if this was really true then why do we still get spam? Why are people still getting viruses? Why are people getting scammed out of thousands of dollars from CC fraud? If they were truly spying on us as all the experts say they are, then why are they allowing criminals to get away scot-free? I'm not saying they're not spying, but they can't be spying on us that hard.

    --
    Jack of all trades, master of none

  39. Honeypot Hosting by PPH · · Score: 1

    Set up a web hosting company with fake IDs in the name of nonexistent individuals. Host a few 'interesting' web sites and wait for the NSA/CIA/FBI to come knocking asking for the keys. Report everything (including the infamous National Security Letter contents) to the press. Burn the fake IDs, wigs and phoney beards and disappear into the woodwork.

    --
    Have gnu, will travel.

  40. Re:all certs? Not just ca? by Anonymous Coward · · Score: 0

    Browsers could help with that by saving the public keys they get from every site you visit, and warning/blocking your access later when the key is changed. Even this is not perfect, since it is vulnerable to an attack on the first visit, or when the key change is believed to be because the old one expired.

    There is a Firefox extension that does this, I think it's called certificate patrol.

  41. Wow.... now self-signed certs are more secure.... by ogdenk · · Score: 1

    This is disgusting. BTW, you can bet your ass Slashdot has been or will be approached. Funny.... now I trust sites with self-signed certificates more than ones who paid all the dough for EXTENDED-VALIDATION SUPER-GREEN ADDRESS BAR SSL 65,535-bit MEGA-AES certificates from Verisign.

  42. 'Evil Maid' attacks are preventable by Burz · · Score: 0
    1. Re:'Evil Maid' attacks are preventable by Burz · · Score: 1
  43. Spying 101: Don't give away your sources by bussdriver · · Score: 1

    It doesn't just happen during wartime - sacrifices must be made in order to assure your sources remain secret. The NSA only works when they are separated from other departments - the FBI for example, would disclose their ability to use your own cell phone as a bug against you when it comes out in the court transcripts (as did actually happen in an organized crime case.) The NSA works best when you don't know how they are doing it or even what they are doing or their limitations. This is why it is a HUGE deal to them when you know anything about them. Most people don't even know that they are much larger in size than the FBI or CIA.

  44. Easy! by Anonymous Coward · · Score: 0

    What's the problem ? Setup a fake dummy box and give them SSH key to it =)

  45. One of the funnier things... by jkg2 · · Score: 1

    ...about the NSA-PRISM program (for example), is that 80 percent of its resources are spent dealing with spam.

  46. Cheers by Anonymous Coward · · Score: 0

    +1 for 1,000 Eyes!

  47. When frequent flyers become trust bottlenecks by tepples · · Score: 1

    A web of trust is fine for communicating with people who live within walking or public transit distance. But to extend the web beyond that, someone has to get his key signed in more than one city. This involves getting groped at the security gate and then getting on a plane owned by an airline who probably already shares your info with the government. So the web of trust between cities and especially between countries will end up having bottlenecks where trust must flow through people who routinely travel internationally.

  48. If you're MITM'd from day one by tepples · · Score: 1

    Sometimes I am not interested in authentication with a machine because I know that the machine in question is the right one.

    How do you know that the machine is the right one if it's not in the same room? Your Internet connection might be behind a transparent proxy feeding all connections to a given IP address through a third party called a "man in the middle". SSH and unknown-CA SSL provide what is called "key continuity management", alerting the user to changes in a machine's public key since the last visit, but that doesn't help if a connection to a server has been MITM'd from day one. This is especially likely in the case of a national firewall. One mitigation to being MITM'd from day one is route diversity, checking the public key as seen by several notaries spread throughout the Internet that you already trust.

    There is only one option: allow self-signing as an encryption measure but not as an authentication measure. Naturally you have to take care while doing this, since it could imply that any encrypted connection is secure.

    And this implication is exactly why popular browsers are allergic to unknown-CA SSL certificates unless a route-diversity extension like Perspectives has been installed.

  49. Man in the middle on first visit by tepples · · Score: 1

    A visitor to a web site using a self-signed certificate or other certificate from an unknown CA may be behind a man in the middle. A key continuity management tool could compare the key fingerprint from this visit to the fingerprint from past visits to make sure a man in the middle has not been introduced since the last visit. But if it's the user's first visit and there's a man in the middle, game over.
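
The key continuity management described in comments 40, 48 and 49 above, as an added example that is not part of any of those posts and is not Certificate Patrol or Perspectives code: a trust-on-first-use pin store keyed on the SHA-256 of the server's SubjectPublicKeyInfo, which alerts when a pinned key changes, and which can fall back to a quorum of independent notaries (the "route diversity" of comment 48) both to avoid blind trust on the first visit and to distinguish a legitimate rotation from a man in the middle. The host names, notary names and SPKI byte strings are constructed for the example; real code would feed it the DER SPKI pulled from the TLS handshake and fetch notary views over independent paths.

```python
import hashlib
from collections import Counter


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo, hex. Pinning the key rather than
    the whole certificate survives renewals that keep the same key pair."""
    return hashlib.sha256(spki_der).hexdigest()


class KeyContinuityStore:
    """Trust-on-first-use pin store with optional notary confirmation.

    notary_views is {notary_name: fingerprint that notary observed for the host}; it is
    None when no notaries are reachable. quorum is how many notaries must agree with what
    this client sees before a first pin or a key change is accepted.
    """

    def __init__(self, quorum: int = 2):
        self.pins = {}          # host -> pinned fingerprint
        self.quorum = quorum

    def _notaries_confirm(self, fp: str, views) -> bool:
        if not views:
            return False
        return Counter(views.values())[fp] >= self.quorum

    def observe(self, host: str, spki_der: bytes, notary_views=None) -> str:
        fp = spki_fingerprint(spki_der)
        pinned = self.pins.get(host)

        if pinned is None:
            # First visit: with no notaries this is blind TOFU, and a MITM present from
            # day one is invisible (comment 49). With notaries, require agreement first.
            if notary_views is None:
                self.pins[host] = fp
                return "pinned-tofu"
            if self._notaries_confirm(fp, notary_views):
                self.pins[host] = fp
                return "pinned-notary-confirmed"
            return "reject-first-visit-disagreement"

        if pinned == fp:
            return "ok"

        # Key changed since last visit. Do not assume "the old one expired" (comment 40):
        # accept the new key only if independent vantage points see the same one.
        if self._notaries_confirm(fp, notary_views):
            self.pins[host] = fp
            return "rotated"
        return "alert-key-changed"


if __name__ == "__main__":
    # Constructed stand-ins for DER SPKI blobs; not real keys.
    key1 = b"constructed SPKI DER for mail.example.test, key 1"
    key2 = b"constructed SPKI DER for mail.example.test, key 2"
    f1, f2 = spki_fingerprint(key1), spki_fingerprint(key2)
    store = KeyContinuityStore(quorum=2)
    print(store.observe("mail.example.test", key1))                       # pinned-tofu
    print(store.observe("mail.example.test", key1))                       # ok
    print(store.observe("mail.example.test", key2))                       # alert-key-changed
    views = {"notary-a": f2, "notary-b": f2, "notary-c": f1}
    print(store.observe("mail.example.test", key2, views))                # rotated
```

The quorum is a tuning knob: a national firewall that sits between the client and every notary defeats the scheme, so notary paths must actually be diverse, and a single notary that happens to be behind the same interception point should not be enough on its own.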

  50. Re: "Main-in-the-middle" by Anonymous Coward · · Score: 0

    In passing, at least once they did the census and did not reapportion because of the gored oxen, and the world did not immediately end. If you look at reapportionment history then you will learn that it and most of our sacred cows around voting are mathematically silly. So I have a math degree and do not much care, but let us not base big arguments on a constitutional provision that in both theory and practice is such a fail. It does have the saving grace that we only have to pull our hair out every decade.

  51. More info by NewYork · · Score: 1

    http://www.faroo.com/hp/p2p/faq.html#privatesearch

  52. Utah Data Center by Anonymous Coward · · Score: 0

    The government already spent 1.5 billion to build a 1 million square foot compound dedicated to internet surveillance and it opens next month:

    http://nsa.gov1.info/utah-data-center/