Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anonymous Source Claims Feds Demand Private SSL Keys From Web Services

Posted by Unknown on from the world-wide-fool-proof-cage dept.

Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications." If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.

9 of 276 comments (clear)

  1. Self signed? by Ubi_NL · · Score: 4, Interesting

    Does this mean a self-signed certificate is more secure than a commercial one?

    --

    If an experiment works, something has gone wrong.
    1. Re:Self signed? by MightyMartian · · Score: 4, Interesting

      Yes, providing you can guarantee the security of the private keys, if you're concerned about government(s) spying on your communications, that is definitely the way to go.

      For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to physical access to the server and to the private keys to compromise the system.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Self signed? by Znork · · Score: 3, Interesting

      There's always the Convergence project (based on the previous Perspectives CMU work).

      Basically, instead of CA's you have notary servers that track changes to certificates and that you (your browser) contacts to verify that they and you are seeing the same certificates.

      That way, if a MITM attack is ongoing it will, if targetting you specifically, probably show a discrepancy between the certificate presented to you and the one presented to them. If targetting the specific website and MITM'ing all connections to it the only demonstration of a problem might be that the site suddenly appears to have a new certificate, but that would still most likely alert site operators who may be surprised to note a change they didn't do.

  2. What about non-american CA's? by Midnight_Falcon · · Score: 3, Interesting

    Many have assumed for a long time that root SSL certificates have been provided by American CA's (GoDaddy, VeriSign, Network Solutions etc), but what about foreign ones? StartSSL is Israel-based, so it can be assumed the Israeli government has the root key. What about SwissSign, based in Switzerland and run by the Swiss Post? :)

  3. Re:"Main-in-the-middle"? by lgw · · Score: 5, Interesting

    The larger issue IMO is

    governments and surveillance agencies of all stripes â" Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications.

    We haven't had a constitutional amendment in the US for some time now. We need one here. Forget specific technologies and the bizarre precedents that have twisted the 4th to allow this - we need a major reset.

    Something like "The government shall not collect or store any information, even publically available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

    I casn accept a lower bar for "collecting and storing information" than for "searching" but there must be some bar to clear.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  4. US Military shares your opinion. by ron_ivi · · Score: 5, Interesting

    The US DoD shares your opinion. https://www.my.af.mil/afp/netstorage/login_page_files/afportal_faqs.html Looks like a self-signed cert not issued by any commercial vendor in the default browser lists.

    1. Re:US Military shares your opinion. by pixelpusher220 · · Score: 4, Interesting

      Couldn't somebody like the EFF or ACLU create a certificate that people could trust? Yes it's a manual thing, but given that the automatic system (was likely previously) and is now utterly untrustworthy, it seems that manual type of update might become necessary until we can get Firefox and other open source OS/apps to add it in automatically?

      --
      People in cars cause accidents....accidents in cars cause people :-D
  5. Think of cold war police states by DickBreath · · Score: 3, Interesting

    In some cold war police states half the population was employed to spy on the other half. No wonder their economies sucked.

    --

    I'll see your senator, and I'll raise you two judges.
  6. Will this do it? by Taantric · · Score: 5, Interesting

    If this does not kill off the cloud or at least seriously damage the business model, I think it would be safe to say human apathy has reached critical mass and we deserve everything that is coming in the next 20-30 years.