Slashdot Mirror
Anonymous Source Claims Feds Demand Private SSL Keys From Web Services
Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications."
If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.
Of course encryption is a problem for them. It's the same problem Allied intelligence had acting on information that could only be attained because Enigma was broken.
We don't have a state-run media we have a media-run state.
In some situations yes, but in those same situations I don't think this news really changes anything (where you set up the cert yourself on one of your own servers for use by yourself, for instance). Otherwise this just means that these certs are slightly less secure because governments have a copy. If you're connecting to a strange server, it may be better to have a signed cert because they're still not quite as easy to come by as a self-signed one.
In any case this doesn't change the old fact that a self-signed cert is at least as good as an unsecured connection and browsers should stop throwing a shit-fit when they run into one.
"When information is power, privacy is freedom" - Jah-Wren Ryel
It's not a "man in the middle" attack. It's the "government on top" attack.
The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
So the next time the US wants to chastise another country for spying on their citizens, the response is going to be "go away you hypocritical assholes".
America has lost her moral compass, and is quickly turning into a police state.
Papers please comrade.
>> "The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.
So...some guy said "yes, they're collecting keys." No written evidence, no names. We demand "citation" from people posting backstories of cartoon characters on Wikipedia, so how exactly is this "confirmation" of anything?
No. When a CA signs a certificate, they don't get the private key used for decryption. They just assert that a particular public key really does belong to who it says.
If the NSA has Verisign's key, for example, they'd be able to do two things:
The latter is where the man-in-the-middle attack comes in. The NSA can claim to be whoever you're trying to reach, and the certificate will look valid and be trusted by default on any system that trusts Verisign. On the other hand, a self-signed certificate isn't signed by anybody else. The NSA doesn't need anyone else's private keys to make their own and claim to be anyone. The client will see the certificate, ask you if you trust it, and unless you're in the habit of memorizing certificate fingerprints, you won't notice a difference. Once any certificate is trusted (either by default or by your acceptance), your traffic will be sent to (and decrypted by) the certificate holder.
This is actually already a problem. CAs have been compromised, and their stolen credentials have been used to sign certificates claiming to be governments, Microsoft, and other generally-trusted sites. The apparently-trusted certificates are then used to make scams look more legitimate.
You do not have a moral or legal right to do absolutely anything you want.
Please see Schneier's paper on the "compelled certificate creation attack." Rather than asking a CA for the keys from Alice to Bob, they could compel a CA to vouch for an Alice to Eve, Eve to Bob connection as if it were Alice to Bob directly.
[
I chose "the activities of a citizen" as a way to say "what we do, not who we are". Keeping "who we are" records: birth certificates, permits licensing of various kinds, etc, is different in kind from monitoring daily activities. But I'm no lawyer and don't know how to say this better.
Also, why does the government need "census data" beyond a simple headcount? Heck, I'd like to move to an income tax system that's purely a payroll tax (so the government doesn't learn how much any given individual makes, but can still tax our income).
The government collects every bit of information it possibly can, but it's time to start saying "NO! Find a way to do that without spying on us!" It's time for the pendulum to swing the other way.
Socialism: a lie told by totalitarians and believed by fools.