Slashdot Mirror


Anonymous Source Claims Feds Demand Private SSL Keys From Web Services

Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications." If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.

20 of 276 comments

  1. "Main-in-the-middle"? by Lieutenant_Dan · · Score: 5, Funny

    Well, at least it's not "man-in-the-middle" because that would be bad.

    --
    Wearing pants should always be optional.
    1. Re:"Main-in-the-middle"? by TWiTfan · · Score: 4, Insightful

      It's not a "man in the middle" attack. It's the "government on top" attack.

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
    2. Re:"Main-in-the-middle"? by lgw · · Score: 5, Interesting

      The larger issue IMO is

      governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications.

      We haven't had a constitutional amendment in the US for some time now. We need one here. Forget specific technologies and the bizarre precedents that have twisted the 4th to allow this - we need a major reset.

      Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

      I can accept a lower bar for "collecting and storing information" than for "searching" but there must be some bar to clear.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:"Main-in-the-middle"? by lgw · · Score: 4, Insightful

      I chose "the activities of a citizen" as a way to say "what we do, not who we are". Keeping "who we are" records: birth certificates, permits licensing of various kinds, etc, is different in kind from monitoring daily activities. But I'm no lawyer and don't know how to say this better.

      Also, why does the government need "census data" beyond a simple headcount? Heck, I'd like to move to an income tax system that's purely a payroll tax (so the government doesn't learn how much any given individual makes, but can still tax our income).

      The government collects every bit of information it possibly can, but it's time to start saying "NO! Find a way to do that without spying on us!" It's time for the pendulum to swing the other way.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:"Main-in-the-middle"? by sl4shd0rk · · Score: 4, Funny

      It's the "government on top" attack.

      Don't you mean "government from behind"?

      --
      Join the Slashcott! Feb 10 thru Feb 17!
  2. Self signed? by Ubi_NL · · Score: 4, Interesting

    Does this mean a self-signed certificate is more secure than a commercial one?

    --

    If an experiment works, something has gone wrong.
    1. Re:Self signed? by MightyMartian · · Score: 4, Interesting

      Yes, providing you can guarantee the security of the private keys, if you're concerned about government(s) spying on your communications, that is definitely the way to go.

      For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to take physical access to the server and to the private keys to compromise the system.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Self signed? by Todd+Knarr · · Score: 5, Informative

      No. The Feds are requesting the private keys from the server operators themselves, not from the CA. A self-signed certificate's no guarantee the site operator hasn't coughed up the private half to the surveillance people. I'm not any more worried about this, though, since as demonstrated with XMission the government doesn't need to eavesdrop on communications when they can get access directly at the server end of things. As long as the Feds can threaten the site operator with unspecified nasty things if they don't cooperate or if they even say a word about what's going on, I have to assume any site I don't control myself is potentially compromised and any data sent to it's potentially visible to the various agencies involved or to the private contractors those agencies are using to do the grunt work. In many cases that doesn't matter much since the nature of the site's such that I won't put anything sensitive or compromising on it in the first place.

    3. Re:Self signed? by Sarten-X · · Score: 4, Insightful

      No. When a CA signs a certificate, they don't get the private key used for decryption. They just assert that a particular public key really does belong to who it says.

      If the NSA has Verisign's key, for example, they'd be able to do two things:

      1. Decrypt traffic sent to Verisign, which isn't very useful in itself
      2. Create and sign their own certificates as though they were Verisign.

      The latter is where the man-in-the-middle attack comes in. The NSA can claim to be whoever you're trying to reach, and the certificate will look valid and be trusted by default on any system that trusts Verisign. On the other hand, a self-signed certificate isn't signed by anybody else. The NSA doesn't need anyone else's private keys to make their own and claim to be anyone. The client will see the certificate, ask you if you trust it, and unless you're in the habit of memorizing certificate fingerprints, you won't notice a difference. Once any certificate is trusted (either by default or by your acceptance), your traffic will be sent to (and decrypted by) the certificate holder.

      This is actually already a problem. CAs have been compromised, and their stolen credentials have been used to sign certificates claiming to be governments, Microsoft, and other generally-trusted sites. The apparently-trusted certificates are then used to make scams look more legitimate.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    4. Re:Self signed? by Unordained · · Score: 4, Informative

      Self-signed is only fine if the client and server are in a trusted environment, exactly the environment where pre-shared keys are a possibility, so you should have loaded that cert into your client before attempting the connection.

      Barring that, and in the 99% of cases where clients are talking to servers out on the wide-open internet, CA's and the warning against self-signed certs serve a very good purpose -- preventing man in the middle attacks during handshake.

      If anyone (your ISP and the NSA included) hijacks your initial connection, proxies it, and substitutes their own cert, you need a way to know whether that cert is really from the destination site, or a phony. That's exactly the problem CAs solve. (Other solutions include "web of trust", pre-sharing all important keys, consensus methods, etc.)

      At worst, this news means that it's possible NSA (but probably nobody else) has been able to decrypt legitimately encrypted traffic (no MitM attack with substituted keys, just a tap using the real ones) for some services, or if they have CA keys, might have been able to issue their own legit-looking certs, which with some additional work, could have enabled them to perform MitM attacks on arbitrary sites and all of their users.

      But this does not mean that self-signed certs are just as good as CA-backed ones in a general sense; if you rely on those, without pre-sharing keys with all clients, then all clients are vulnerable to MitM attacks from anyone with access to modify the communication channel, not just the NSA. And considering the known issues with insecure DNS, that's a much wider field of potential attacks.

    5. Re:Self signed? by Znork · · Score: 3, Interesting

      There's always the Convergence project (based on the previous Perspectives CMU work).

      Basically, instead of CA's you have notary servers that track changes to certificates and that you (your browser) contacts to verify that they and you are seeing the same certificates.

      That way, if a MITM attack is ongoing it will, if targeting you specifically, probably show a discrepancy between the certificate presented to you and the one presented to them. If targeting the specific website and MITM'ing all connections to it the only demonstration of a problem might be that the site suddenly appears to have a new certificate, but that would still most likely alert site operators who may be surprised to note a change they didn't do.
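
The notary comparison described in the comment above, together with the certificate-fingerprint check mentioned earlier in the thread, as an added example that is not part of the original thread and is not Convergence's or Perspectives' code or protocol. The function name `assess`, the list-of-fingerprints input shape and the simple-majority rule are assumptions made for illustration, and the two byte strings are constructed stand-ins for DER certificates.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def assess(local_der, notary_views, last_seen=None):
    """Classify the certificate this client was served.

    local_der    -- DER bytes the client received (in practice, from
                    ssl.SSLSocket.getpeercert(binary_form=True))
    notary_views -- fingerprints reported by independent vantage points
                    (hypothetical input shape)
    last_seen    -- fingerprint remembered from an earlier visit, if any
    """
    local = fingerprint(local_der)
    if not notary_views:
        return "no-notary-data"  # nothing to compare against; do not assume safe
    agree = sum(1 for fp in notary_views if fp == local)
    if 2 * agree <= len(notary_views):
        # No strict majority of notaries sees what we see: the substitution
        # is on our path, not theirs.
        return "local-mismatch"
    if last_seen is not None and last_seen != local:
        # Every vantage point agrees, but the certificate is new: either a
        # legitimate rotation or interception close to the server.
        return "changed-everywhere"
    return "consistent"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE = b"constructed stand-in: site certificate"
FORGED = b"constructed stand-in: interceptor certificate"

if __name__ == "__main__":
    g, f = fingerprint(GENUINE), fingerprint(FORGED)
    print(assess(GENUINE, [g, g, g], last_seen=g))  # consistent
    print(assess(FORGED, [g, g, g], last_seen=g))   # local-mismatch
    print(assess(FORGED, [f, f, f], last_seen=g))   # changed-everywhere
```

The "changed-everywhere" result cannot distinguish a routine key rotation from interception near the server; as the comment says, that case relies on the site operator noticing a change they did not make.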

    6. Re:Self signed? by Speare · · Score: 3, Insightful

      Please see Schneier's paper on the "compelled certificate creation attack." Rather than asking a CA for the keys from Alice to Bob, they could compel a CA to vouch for an Alice to Eve, Eve to Bob connection as if it were Alice to Bob directly.

      --
      [ .sig file not found ]
    7. Re:Self signed? by Abalamahalamatandra · · Score: 4, Informative

      Actual answer: no.

      The CSR (Certificate Signing Request) contains only the public half of the key, to be signed by the CA's key which results in the CA attesting that the information is verified.

      The entity whose key was signed always maintains control of the private key. Which, to me, is the reason that public-key encryption is not "over". The NSA would have to strong-arm every single holder of an SSL key, not just the Certificate Authorities.

      Granted, though, those private keys are not often held terribly securely - they're most often just files on a server that aren't even password-protected, because that requires an admin to type in passwords whenever the Web server is restarted. They COULD be held in an HSM, a hardware security module much like a TPM on steroids, but that's very expensive and difficult to set up.

      However, none of this means that public-key crypto is broken. It's possible that individual sites could be compromised via this route (Facebook, Google, etc) but as a whole, no.

  3. Re:Time To Learn Klingon by Sparticus789 · · Score: 5, Funny

    We're talking about the NSA. Half of them probably play Klingon Boggle at lunch.

    --
    sudo make me a sandwich
  4. What about non-american CA's? by Midnight_Falcon · · Score: 3, Interesting

    Many have assumed for a long time that root SSL certificates have been provided by American CA's (GoDaddy, VeriSign, Network Solutions etc), but what about foreign ones? StartSSL is Israel-based, so it can be assumed the Israeli government has the root key. What about SwissSign, based in Switzerland and run by the Swiss Post? :)

  5. US Military shares your opinion. by ron_ivi · · Score: 5, Interesting

    The US DoD shares your opinion. https://www.my.af.mil/afp/netstorage/login_page_files/afportal_faqs.html Looks like a self-signed cert not issued by any commercial vendor in the default browser lists.

    1. Re:US Military shares your opinion. by pixelpusher220 · · Score: 4, Interesting

      Couldn't somebody like the EFF or ACLU create a certificate that people could trust? Yes it's a manual thing, but given that the automatic system (was likely previously) and is now utterly untrustworthy, it seems that manual type of update might become necessary until we can get Firefox and other open source OS/apps to add it in automatically?

      --
      People in cars cause accidents....accidents in cars cause people :-D
  6. Think of cold war police states by DickBreath · · Score: 3, Interesting

    In some cold war police states half the population was employed to spy on the other half. No wonder their economies sucked.

    --

    I'll see your senator, and I'll raise you two judges.
  7. Re:How is this "confirmation"? by Alok · · Score: 5, Insightful

    Do you really expect people to say this publicly, when the most likely consequence is imprisonment and a media circus that paints them as evil villains?

  8. Will this do it? by Taantric · · Score: 5, Interesting

    If this does not kill off the cloud or at least seriously damage the business model, I think it would be safe to say human apathy has reached critical mass and we deserve everything that is coming in the next 20-30 years.