
New NSA Leak Shows MITM Attacks Against Major Internet Services - chopin
https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html
======
moxie
Trevor Perrin and I have been working on a dynamic certificate pinning
proposal called TACK to help mitigate these types of attacks:
[http://tack.io](http://tack.io)

In the current state of the world, we're all dependent on CA signatures for
_each_ connection we make to a website. TACK is a layer of indirection away
from CA certificates, such that we'd only be dependent on CA signatures the
very first time we contacted a website. It doesn't introduce any new
authorities or change the default UX at all.

After the Comodo breaches a few years ago, I put together a talk about these
types of attacks, where the fundamental problems lie, and why approaches like
DANE are similarly ineffective:

[http://youtu.be/8N4sb-SEpcg?t=4m47s](http://youtu.be/8N4sb-SEpcg?t=4m47s)

~~~
tptacek
A point worth making here: antisurveillance technology like TACK does more
than make it harder for NSA to MITM TLS. As we've apparently discovered, it
also makes it possible for us to detect TLS subversion. It is, right now, a
major news story if someone has obtained a malicious root certificate; we need
to know when that happens and to which CAs those certs chain (which is
discoverable from the certificate).

If you don't pay much attention to how TLS works, you should know that NSA
(presumably) does not have a magic ability to inject new certs into your root
cert repository. If you remove every CA cert from your browser and selectively
allow certs, they can't MITM that. The CAs aren't baked into TLS! They're a
software configuration detail. And when MITM certs appear on the wire, for
them to be honored, they have to somehow chain to a specific CA.

What things like pinning and TACK do is give us the opportunity to discover
MITM certificates and start tracing them. If that capability becomes
widespread enough, it can potentially foreclose on dragnet TLS MITM attacks,
because there will be too much of a risk that deploying a dragnet MITM net
will result in the death penalty for the implicated CA.

TACK (and the related efforts) are hugely more important than I think most
people think they are. If you want to advocate for something in the wake of
the NSA debacle, I think TACK is a great choice.

~~~
rx4g
I have high hopes for TACK too. The fact that it's not CA dependent is a big
deal. I wrote a bit about that, and getting by with ditching the root CAs in
Firefox here: [https://rx4g.com/2013/09/13/of-flying-pigs-and-tofu/](https://rx4g.com/2013/09/13/of-flying-pigs-and-tofu/)

Unfortunately, ditching the root CAs is way harder than it should be, and flat
out impossible in a lot of environments. Compulsory trust isn't trust.

------
josteink
If this is true, and the NSA has been MITMing providers like Google, they are
undermining the already shabby trust the US cloud-industry has attempted to
build. I doubt Google and friends are very happy about that, since that's
their one big basket where all the money comes in.

NSA in their eagerness to do rampant spying on everyone have had quite some
collateral. They have decided to compromise the _one_ thing which allows us to
communicate securely on the internet: trust.

Right now we need to find out which (root?) CAs are compromised by the NSA.
Long term it would probably be a very wise decision to revoke _any_ US-based
CA from the default trusted-list of browsers and OSes.

We cannot have untrustworthy CAs in a system based on trust. That's simply not
an option.

Edit: As I've been pondering for a while (and which was also pointed out on
reddit) we now have a situation where self-signed certs are more secure than
CA-issued ones. They are the only ones you know can't be faked. How backwards
is that?

The NSA is ruining the internet one piece at a time. The NSA needs to be
dismantled.

~~~
semenko
The HSTS commits /maybe/ suggest that Google thinks a _Verisign_ intermediate
was signing MITMs for Google properties. They just blacklisted
"VeriSignClass3SSPIntermediateCA"

See:
[https://chromiumcodereview.appspot.com/23523051](https://chromiumcodereview.appspot.com/23523051)

Note that the associated bug is private
([https://code.google.com/p/chromium/issues/detail?id=173460](https://code.google.com/p/chromium/issues/detail?id=173460)).

There's a good explanation of the "bad_static_spki_hashes" parameter here:
[http://ritter.vg/blog-cas_and_pinning.html](http://ritter.vg/blog-cas_and_pinning.html)

~~~
andrewcooke
if that's the case, how did they get the private key from verisign? was it
stolen? did verisign simply give them it? or was it obtained under some kind
of legal process? if it was under a legal process, doesn't this raise
additional questions about the judicial overview - did they realise how broad
this was?

~~~
anon1385
Sounds like it could be any of those things: they use all those tactics.

[http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet...](http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all)

 _Because strong encryption can be so effective, classified N.S.A. documents
make clear, the agency’s success depends on working with Internet companies —
by getting their voluntary collaboration, forcing their cooperation with court
orders or surreptitiously stealing their encryption keys or altering their
software or hardware._

 _N.S.A. documents show that the agency maintains an internal database of
encryption keys for specific commercial products, called a Key Provisioning
Service, which can automatically decode many messages. If the necessary key is
not in the collection, a request goes to the separate Key Recovery Service,
which tries to obtain it._

 _How keys are acquired is shrouded in secrecy, but independent cryptographers
say many are probably collected by hacking into companies’ computer servers,
where they are stored. To keep such methods secret, the N.S.A. shares
decrypted messages with other agencies only if the keys could have been
acquired through legal means. “Approval to release to non-Sigint agencies,” a
GCHQ document says, “will depend on there being a proven non-Sigint method of
acquiring keys.”_

Sounds like there are plenty of possibilities: they have agents working at
verisign/they broke into verisign (either physically or electronically)/they
just asked and verisign said ok/they used legal processes.

~~~
juhanima
> they used legal process

They used a secret legal process. There, fixed that one for you!

------
SchizoDuckie
Holy shit.

This means that The Netherlands was a high-level target with Diginotar, and
they hit the frickin' jackpot.

Just for reference, read this:
[http://nl.wikipedia.org/wiki/Hack_bij_DigiNotar](http://nl.wikipedia.org/wiki/Hack_bij_DigiNotar)

The Diginotar hack basically exposed _all_ of the information about the Dutch
that NSA could ever want to dig through: information about license plates
(RDW), tax info (DigiD), phone records (OPTA) and the complete Dutch encrypted
government infrastructure (PKI Overheid).

Let's see what traction this new info will get now in The Netherlands...

~~~
anologwintermut
My understanding was DigiNotar was pretty strongly linked to an Iranian
government affiliated hacker. Indeed, the breach was caught because someone
man-in-the-middled Gmail in Iran and Chrome's certificate fingerprinting
caught it.

Although the NSA certainly has reason to spy on Iran, why risk discovery this
way? They can legally compel Google to give them the email of foreigners in a
foreign country.

So maybe NSA had DigiNotar's key, but the hack that shut it down was done by
someone else.

~~~
lambda
Or perhaps the Iran link was a misdirection. They were worried that people
would notice the MITMed certs, so they MITMed a lot of Iranian customers to
make it look like the attack came from there.

> They can legally compel Google to give them the email of foreigners in a
> foreign country.

They can, but they may wish to be more subtle than that. For example, if they
were engaged in economic espionage, they might not want that story to break,
and would be worried that someone at Google may leak the story. If they had to
ask Google, there would be more people who would know about what's going on.

------
newgre
If it is true that the NSA MITMed Google connections, then one could draw the
conclusion that the NSA doesn't actually have a direct connection to Google
data centers (as claimed by Google). If they had such a connection, then why
would they use MITM attacks against people?

~~~
discostrings
The "direct access" that the NSA has to Google accounts probably requires
sending a request for some set of information to Google. It likely needs to be
signed off on (even if it's all automated). I'd imagine the NSA would like to
hide some activities, especially corporate espionage, even from the watchers
at Google--it reduces the risk of anyone at Google growing a spine.

------
dpeck
A bit surprised at the shock here, CAs are, for the most part, in the lawful
intercept business and have been as long as they've existed.

Moxie Marlinspike and others have been talking about this for years. It's a
recognized problem, and that's why apps that are serious about protecting
communications have been moving to a pinning model.

Obviously this sucks at the browser level, though Chrome protect does this
with Google properties (and others?) at the CA level now, but at the app level
it's very doable and should be something you're implementing.

~~~
dkl
Please give some references about this "pinning model," as I'm having
difficulty finding anything via google. Thanks.

~~~
fejr
Parent is referring to public key pinning. Chrome for instance has been doing
it the last couple years [1].

Also see Moxie's comment in this very thread. [2]

[1]
[https://www.imperialviolet.org/2011/05/04/pinning.html](https://www.imperialviolet.org/2011/05/04/pinning.html)

[2]
[https://news.ycombinator.com/item?id=6381673](https://news.ycombinator.com/item?id=6381673)

------
diego_moita
Funny. I tried to submit the original Globo/Fantastico story to HN 4 days ago
([http://g1.globo.com/fantastico/noticia/2013/09/nsa-documents...](http://g1.globo.com/fantastico/noticia/2013/09/nsa-documents-show-united-states-spied-brazilian-oil-giant.html)) but was blocked as spam.

Schneier's credibility makes a lot of difference.

~~~
toyg
Of course. A simple visit to
[http://www.schneierfacts.com](http://www.schneierfacts.com) will tell you
why.

------
ReidZB
If I had to design a system to break TLS (and I had the authority of a
secretive government agency), selected MITM attacks would be exactly what I
would use.

Large-scale MITM attacks, i.e. ones against a huge section of the population,
really have a lot of disadvantages. First, there are always cautious people
who check certs religiously, sometimes with browser addons to help (in fact I
see that peterwwillis linked to some below). So, if you execute a large-scale
MITM effort, you run the risk of being discovered. Note that if the NSA can
compel Google to turn over its secret key(s), this isn't an issue, but I am
operating under the assumption that we don't want to give away our MITMing
easily.

Second, broad MITMs require a lot of resources to be effective. To MITM all of
Google's traffic requires network capacity equivalent to Google's, no small
thing (though I suspect very much within the power of the NSA if it were
deemed necessary). There's a _lot_ of data on the internet at any one time.

Third, the fact that you must have physical servers on physical networks
sitting between Google and the target means that the MITM server's IP address
will be the one that targeted clients appear under. That is, if you have a
single server MITMing thousands of requests, all of them will appear from the
same IP address. That's another risk of being discovered if the MITM is too
broad and the servers are too beefy. Although, this assumes that people on the
other end are doing some sort of analytics --- maybe not true. But intel
agencies are pretty paranoid, so whatever.

Fourth, it still pretty much gets the job done anyway, with less cost:
passively sniff traffic for, say, DNS requests to resolve suspicious domains,
or plaintext connections that have suspicious contents. Passive sniffing
requires less computational power than actual MITMs, and it can be done
without raising any red flags. Plus, even if you miss someone suspicious, just
get a NSL for Google to hand over all the data anyway in the worst case.

Fifth, if an investigation ever were launched about my breaking of TLS,
targeted attacks look great. See, we don't target the American people --- only
specific connections that are "suspicious" are targeted. Broad-scale MITMs
seem very illegal-wiretap-y, but the targeted connections look very
legitimate, at least in comparison.

So, these reasons are why I've always held the belief that the government is
_not_ executing large-scale MITM/dragnet collection of encrypted
communications ... and hence TLS is effective, so long as you're not the one
being targeted.

~~~
mdavidn
If a MITM attacker is confident they control all paths between a server and a
victim, they need not alter IP addresses on packets in transit. To pull this
off, the attacker must be near the victim (e.g. compromise a broadband
router), thereby reducing the number of targets, or near the server (e.g.
compromise every link into a multihomed datacenter), thereby reducing the
number of sites intercepted.

------
peterwwillis
Some firefox add-ons to help defend against mitm:

Certificate Patrol (notifies you when certs change)
[https://addons.mozilla.org/en-us/firefox/addon/certificate-p...](https://addons.mozilla.org/en-us/firefox/addon/certificate-patrol/)

Force-TLS (force websites to always use HTTPS)
[https://addons.mozilla.org/en-us/firefox/addon/force-tls/](https://addons.mozilla.org/en-us/firefox/addon/force-tls/)

Perspectives (compare certs with peers to verify authenticity)
[https://addons.mozilla.org/en-us/firefox/addon/perspectives/](https://addons.mozilla.org/en-us/firefox/addon/perspectives/)

~~~
dingaling
> Some firefox add-ons to help defend against mitm:

In theory yes, but not more than 10 minutes ago Cert Patrol noticed that
Amazon have changed the _CA_ for the SSL cert for an image server.

What am I supposed to do? It is interesting info, but if I reject the cert
then I can't be sure my connection is secure. If I accept it... I can't be
sure my connection isn't MiTMed.

The human factor is always the weak link.

~~~
peterwwillis
The nature of certificates means a site can use more than one. If you use such
a site, you can try to notice the pattern of which certs they use and if it
changes, but it's not going to be perfect. If you choose to only use sites
which use one certificate it might be a big help. Here are some more useful
plugins for Firefox:

HTTPS Everywhere (preset list of sites to use only HTTPS on)
[https://www.eff.org/https-everywhere](https://www.eff.org/https-everywhere)

Safe (shows you when a site might not or isn't using HTTPS)
[https://addons.mozilla.org/en-US/firefox/addon/safe/](https://addons.mozilla.org/en-US/firefox/addon/safe/)

If you want to keep your information private, don't put anything on an
internet-connected device that wasn't encrypted on an airgapped computer
first.

------
fejr
Weird. This has been submitted in less than two hours, has 90 points, but it
is at the bottom of the front page. Other stories from 6+ hours ago with less
points are at the top.

~~~
mcphilip
This has been the case for nearly all NSA related stories in the past week.
There is a lot of flagging going on. I'd be interested in a data dump of who
is doing the flagging and getting an idea if it's an indicator that the HN
community as a whole doesn't want these stories or if it's just a small, but
vigilant subset.

~~~
dictum
[https://news.ycombinator.com/item?id=6369530](https://news.ycombinator.com/item?id=6369530)

------
chopin
The documents mention the DigiNotar hack explicitly. What I do not understand
is that the hack was detected when (afair) Iranian authorities tried to MITM
Google connections, so the hack was claimed to come from an Iranian hacker.
This begs the question whether this is wrong and the NSA hacked DigiNotar
genuinely or they just used the breach (perhaps then only known to them) to
fake certificates themselves. One may also take into account that DigiNotar
was responsible for Netherlands public key infrastructure. This made DigiNotar
possibly an even more valuable target.

~~~
jlgaddis
If memory serves, the Internet in Iran is state-controlled. While it was a
user in Iran who initially discovered the MITM'ing being performed and the
obvious assumption is that it was the Iranian government MITM'ing its
citizens, it is also quite possible that it was (e.g.) the NSA MITM'ing
(everyone|a group of people) in Iran (possibly attempting to MITM connections
from Iranian officials/nuclear power plants/etc.).

------
wmeredith
At what point does the NSA become considered a terrorist organization in and of
itself? It seems to me that they have stared too long into the abyss.

~~~
mindcrime
They already are in my book.

~~~
jgross206
Can you expand on that? Under what definition of terrorism is the NSA a
terrorist organization?

It seems to me that their intent to be as clandestine as possible makes them
distinctly non-terroristic.

~~~
cmircea
Spreading terror.

~~~
meowface
That's not their goal, though. If anything they'd prefer that everyone in the
world didn't know they existed whatsoever, which is quite the opposite to what
any terrorist group would like.

You could call what they do criminal, but it's not terroristic.

------
gregschlom
> One document [1] published by Fantastico, apparently taken from an NSA
> presentation [...]

> Another screenshot [2] implies is that the 2011 DigiNotar hack was either
> the work of the NSA, or exploited by the NSA.

I doubt that those 2 documents are original slides or screenshots from NSA
material. They both are written with the familiar rounded font that Globo uses
for all its text [3]

[1] [http://www.scribd.com/doc/166819124](http://www.scribd.com/doc/166819124)

[2] [http://imgur.com/a/g3UGP#1](http://imgur.com/a/g3UGP#1)

[3] [http://www.fonts.com/font/urw/vag-rundschrift?siteId=2c670c8...](http://www.fonts.com/font/urw/vag-rundschrift?siteId=2c670c80-4121-4446-893f-d7fe9690be92)

------
bostik
The simplified view given in the documentcloud link begs a question: just
which CA certificate(s) is/are controlled by NSA?

Because in order to pull that MITM off, they either need to have the target
service's CA - or they have the ability to fake any certificate. My guess is
on the latter.

And that means at least one commonly accepted CA certificate is effectively
compromised.

~~~
chopin
Afaik it is not necessary that a root CA is compromised. Sufficient would be
to compromise any intermediate CA who is not on a revocation list. How to
circumvent Google's certificate pinning in Chrome, I have no good idea. They
would need to compromise any certificate in the chain.

------
einaros
And here I was thinking I was being an all paranoid nutter when I expressed
privacy concerns with US hosted CDNs and analytics services ..

[https://2x.io/read/would-the-nsa-infiltrate-cdns-to-circumve...](https://2x.io/read/would-the-nsa-infiltrate-cdns-to-circumvent-https)

------
coldcode
Eventually we will find out enough about what the NSA can do that the entire
internet is as good as screwed. If they can get away with MITM against just
about any secure site then how does the internet economy function any more?

~~~
arbitrage
consider that, if there have been undetected rampant MITM attacks, the economy
never noticed or cared.

the economy side of things will be fine. the economy of what the internet is
used for isn't really the concern, here. arguably, even with rampant MITM
attacks going on, e-commerce is loads more secure than what we've had in
place for the past 5,000 years.

this is much more than an economic issue.

------
anologwintermut
I'd say this is likely bullshit at least that it was done against a Brazilian
company. Why take the risk of getting caught and burning your ability to do
this when you can get the information from Google?

1) Chrome (and some plugins) pins certificates and would notice a man in the
middle attack (unless it was done with Google's key). Sure, most corporate
targets probably use IE, but if anyone uses Chrome or one of these plugins
on the network, you've both alerted your target and exposed a presumably
tightly guarded ability. Hell, if it gets reported, you've probably burned
the ability. Of course, you might be able to filter out both the plugins and
Chrome, but it's a risk.

2) NSA could legitimately just ask for the company's emails from Google.
Petrobras is a Brazilian company in Brazil staffed by Brazilians and as such a
legally allowed target for Foreign Surveillance without either the NSA's
twisted definitions of search and who is a US national. Google is legally
required to hand over the information by the Foreign Intelligence Surveillance
Amendment Act of 2008. Why authorize an operation that could reveal both the
CAs you have in your pocket and your network penetration exploits?

As a side note, the cited slide looks nothing like anything else we have seen
and lacks security/handling information (e.g. the prominent TS/SCI/ORCON/NOFORN
on the top of the PRISM slides).

~~~
taway2012
AFAIK, Chrome "certificate pinning" may not exactly be what you think
"certificate pinning" means. It should be more precisely called "certificate
authority pinning". What it means is that Chrome will not trust certs for
Google properties except those issued by certain certificate authorities.
Reference:
[https://www.imperialviolet.org/2011/05/04/pinning.html](https://www.imperialviolet.org/2011/05/04/pinning.html)

Unless things changed since I last checked.

In contrast, "real" "certificate pinning" as done in some mobile apps (IIRC
Twitter) involves storing the hash of the certificate itself in the app. No
other certificate, even from the same CA, will be accepted.
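The pinning variants discussed in this thread (the trust-on-first-use contact that moxie describes for TACK, the `bad_static_spki_hashes` blacklist in Chrome that semenko points to, and the authority-pinning versus per-certificate-pinning distinction drawn in the comment above) can all be exercised in one place. The Go program below is an added example written for this page, not code from TACK, Chromium or any other project. It generates a constructed root, intermediate and leaf chain in memory, plus a second chain for the same hostname from another intermediate under the same root, and runs both through a Chrome-shaped pin policy and a trust-on-first-use store. The hostname `mail.example`, the CA names, the `Policy` and `TOFUStore` types and their verdict strings are assumptions for illustration; a real client runs the pin check only after ordinary chain validation, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo: pinning the key rather than the whole
// certificate survives routine re-issuance under the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Policy has the shape of Chrome's static pins as described in the thread: some
// SPKI in the already-validated chain must match a Good pin and none may match
// a Bad pin (the bad_static_spki_hashes analogue). Assumed shape, not Chrome's code.
type Policy struct{ Good, Bad map[string]bool }

// ChainAllowed returns the verdict for a chain ordered leaf first, plus a reason.
func (p Policy) ChainAllowed(chain []*x509.Certificate) (bool, string) {
	matched := false
	for _, c := range chain {
		pin := spkiPin(c)
		if p.Bad[pin] {
			return false, "blacklisted SPKI: " + c.Subject.CommonName
		}
		matched = matched || p.Good[pin]
	}
	if !matched {
		return false, "no SPKI in chain matches a pinned key"
	}
	return true, "ok"
}

// TOFUStore is trust on first use, as in Certificate Patrol or TACK's first
// contact: remember the leaf key per host and report when it changes.
type TOFUStore map[string]string

func (s TOFUStore) Check(host string, leaf *x509.Certificate) string {
	pin := spkiPin(leaf)
	if prev, seen := s[host]; seen {
		if prev == pin {
			return "match"
		}
		return "changed"
	}
	s[host] = pin
	return "first-use"
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a constructed P-256 certificate for cn; parent nil means self-signed.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildScenario constructs a legitimate chain for mail.example and a rogue chain
// for the same name issued by a second intermediate under the same root. caPol
// pins the root key (authority pinning); leafPol pins the leaf key itself.
func BuildScenario() (legit, rogue []*x509.Certificate, caPol, leafPol Policy) {
	root, rootKey := makeCert("Constructed Root CA", true, nil, nil)
	inter, interKey := makeCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("mail.example", false, inter, interKey)
	other, otherKey := makeCert("Other Intermediate CA", true, root, rootKey)
	rogueLeaf, _ := makeCert("mail.example", false, other, otherKey)
	legit = []*x509.Certificate{leaf, inter, root}
	rogue = []*x509.Certificate{rogueLeaf, other, root}
	caPol = Policy{Good: map[string]bool{spkiPin(root): true}}
	leafPol = Policy{Good: map[string]bool{spkiPin(leaf): true}}
	return
}

func main() {
	legit, rogue, caPol, leafPol := BuildScenario()
	fmt.Println(caPol.ChainAllowed(rogue))   // true: same root, so authority pinning lets it through
	fmt.Println(leafPol.ChainAllowed(rogue)) // false: leaf key differs
	caPol.Bad = map[string]bool{spkiPin(rogue[1]): true} // blacklist the offending intermediate
	fmt.Println(caPol.ChainAllowed(rogue))   // false: blacklisted SPKI
	store := TOFUStore{}
	fmt.Println(store.Check("mail.example", legit[0]), store.Check("mail.example", rogue[0])) // first-use changed
}
```

Run with `go run` and the three `ChainAllowed` verdicts show why the distinction above matters: a root pin accepts any chain that root is willing to issue, so the only remedy for a misbehaving intermediate under a pinned authority is a blacklist entry, whereas a leaf pin rejects the second chain outright. The last line shows the TOFU store accepting the key it saw first and flagging the change, which is the same signal dingaling found hard to act on further up the thread.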

~~~
anologwintermut
You are correct, Chrome pins the authority, not the cert. And at least as of
2011, they don't just pin their own sub-authority, they include a couple of
real authorities whose keys the NSA might have.

[https://www.imperialviolet.org/2011/05/04/pinning.html](https://www.imperialviolet.org/2011/05/04/pinning.html)

------
danbruc
This might also be an indication that their advances in attacking commonly
used ciphers are not that major - it does not make that much sense to perform
a relatively complex MITM attack if you are able to just break the used
cipher.

~~~
nly
Not so, active MITM is absolutely required if you want to get around PFS.

------
rurounijones
"Google directly by performing a man-in-the-middle attack to impersonate
Google security certificates."

Which CA did they use to get those certs, they should be obliterated from
trust networks.

------
venomsnake
Flying Pig - I wonder if it has something to do with the "With sufficient
trust pigs fly just fine". Seems to summarize very well the NSA approach
towards its mandates.

------
cromwellian
It's worth noting that Chrome's use of TLS Channel ID makes it unlikely this
attack can be pulled off if the end user has a ChannelID capable browser.

------
leef
Applied Cryptography mentions the 'Interlock Protocol' [1]. Why is something
like this not used in today's protocols to try and detect MITM attacks?

1 -
[http://en.wikipedia.org/wiki/Interlock_protocol](http://en.wikipedia.org/wiki/Interlock_protocol)

~~~
sillysaurus2
It sounds like the interlock protocol only protects against MITMs that try to
modify the conversation. It seems likely that most MITMing is for the purpose
of merely reading a conversation, not modifying it. The wiki page also
describes an attack against the protocol, so it might not be very effective.

------
coenhyde
Cut the cables. The USA should be kicked off the internet. They've proven they
can't be trusted.

It is irresponsible on behalf of the rest of the world to allow this behavior
to continue. Maybe after US businesses have experienced enormous economic
damages they will change their way.

~~~
j_baker
If the USA were kicked off the internet, US businesses would be far from the
only ones that would experience enormous economic damages.

~~~
coenhyde
Absolutely. IMO it would hurt the rest of the world more. However I don't
think it is unreasonable to start thinking about this as a possible solution.
This would be a drastic action but its severity is matched by the issue at
hand.

------
state
Relevant (and just posted on the Cryptome list):
[http://www.freelists.org/post/cryptome/MITM-Manipulation-of-...](http://www.freelists.org/post/cryptome/MITM-Manipulation-of-Snowden-Documents)

------
Create
[https://tools.ietf.org/html/rfc6091](https://tools.ietf.org/html/rfc6091)
[http://web.monkeysphere.info/](http://web.monkeysphere.info/)

------
yk
Google cache version:

[http://webcache.googleusercontent.com/search?q=cache:www.sch...](http://webcache.googleusercontent.com/search?q=cache:www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html)

------
louwrentius
If you worry about the NSA spying on your company, DUMP MPLS WAN networking
ASAP, it's unencrypted and basically just VLANS at layer 3.

The easiest way to snoop on all internal company data is to sniff those MPLS
links at ISPs.

------
txutxu
Wait. They access Google directly... without depending on routing your traffic
and trampling your SSL to get a lot of compressed JS and Ajax traffic.

So... maybe this was only needed or relevant before they had direct access?

~~~
stordoff
MITMing a Google server doesn't _necessarily_ mean that they want the info
Google has. Google hosts a number of libraries such as Analytics and jQuery
which are widely used on other sites. The attack could have been to send a
modified version of those so that websites (other than Google) transmit
information that is normally kept on the client (e.g. sending the key to the
NSA in an app that normally does client-side encryption).

~~~
txutxu
Great point.

Then I understand better the relevance. Thanks.

------
leef
The ephemeral session keys should protect against the MITM attacker getting
anything but another encrypted stream of data, right?

~~~
jedbrown
No, MITM works by spoofing identity. Certificate pinning is what can protect
you from a MITM with the ability to sign certificates that say "google".
Ephemeral keys only protect the session from being decrypted by a passive
adversary.
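The answer above, together with nly's earlier remark that active MITM is required to get around PFS, can be checked with a small handshake model. The Go program below is an added example written for this page, not code from any TLS library or project: it runs an ECDHE exchange in which the server signs its ephemeral share with a long-lived identity key, then lets a passive observer and an active interceptor act on the wire. `Exchange`, `Outcome`, the `pinned` switch (a client holding a pinned identity key versus one that accepts any key presented for the name, as it would accept a mis-issued but CA-signed certificate) and the use of a bare ECDSA public key in place of a certificate are all assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ServerHello carries an ephemeral ECDH share, the server's identity public key
// (standing in for its certificate) and a signature over the share by that
// identity key: the shape of a signed ServerKeyExchange in an ECDHE suite.
type ServerHello struct {
	Share, Sig []byte
	ID         *ecdsa.PublicKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func signShare(id *ecdsa.PrivateKey, eph *ecdh.PrivateKey) ServerHello {
	share := eph.PublicKey().Bytes()
	digest := sha256.Sum256(share)
	sig, err := ecdsa.SignASN1(rand.Reader, id, digest[:])
	must(err)
	return ServerHello{Share: share, Sig: sig, ID: &id.PublicKey}
}

// sessionKey derives a key from our ephemeral private key and the peer's share.
func sessionKey(priv *ecdh.PrivateKey, peerShare []byte) []byte {
	peer, err := priv.Curve().NewPublicKey(peerShare)
	must(err)
	secret, err := priv.ECDH(peer)
	must(err)
	sum := sha256.Sum256(secret)
	return sum[:]
}

// Outcome of one handshake observed or manipulated by Mallory.
type Outcome struct {
	ClientAccepted bool // the signature on the share the client received verified
	EndpointsAgree bool // client and server derived the same session key
	MalloryHasKey  bool // Mallory can derive the client's session key
}

// Exchange runs one ECDHE handshake. active=false: Mallory only records the wire.
// active=true: she substitutes her own share and identity key in both directions.
// pinned=true: the client verifies against the server key it has pinned;
// pinned=false: it trusts whatever identity key the hello carries, as a client
// would trust a mis-issued but CA-signed certificate for the same name.
func Exchange(active, pinned bool) Outcome {
	curve := ecdh.P256()
	srvID, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	malID, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	srvEph, err := curve.GenerateKey(rand.Reader)
	must(err)
	cliEph, err := curve.GenerateKey(rand.Reader)
	must(err)
	malEph, err := curve.GenerateKey(rand.Reader)
	must(err)

	hello := signShare(srvID, srvEph)         // server -> wire
	clientShare := cliEph.PublicKey().Bytes() // client -> wire
	helloAtClient, shareAtServer := hello, clientShare
	if active {
		helloAtClient = signShare(malID, malEph) // signed with Mallory's key, not the pinned one
		shareAtServer = malEph.PublicKey().Bytes()
	}

	verifyKey := &srvID.PublicKey
	if !pinned {
		verifyKey = helloAtClient.ID
	}
	digest := sha256.Sum256(helloAtClient.Share)
	cliKey := sessionKey(cliEph, helloAtClient.Share)
	srvKey := sessionKey(srvEph, shareAtServer)
	malKey := sessionKey(malEph, clientShare) // what Mallory can compute from the client's share
	return Outcome{
		ClientAccepted: ecdsa.VerifyASN1(verifyKey, digest[:], helloAtClient.Sig),
		EndpointsAgree: bytes.Equal(cliKey, srvKey),
		MalloryHasKey:  bytes.Equal(malKey, cliKey),
	}
}

func main() {
	fmt.Printf("passive, pinned:  %+v\n", Exchange(false, true))
	fmt.Printf("active, pinned:   %+v\n", Exchange(true, true))
	fmt.Printf("active, unpinned: %+v\n", Exchange(true, false))
}
```

Three runs tell the story: the passive observer sees the endpoints agree and learns nothing; the active interceptor against a pinned client does derive the client's key but is rejected because the signature does not verify under the pinned identity key; the active interceptor against an unpinned client is accepted, since that client checks the signature against whatever identity key arrived, which is exactly what a mis-issued certificate for the same name buys. Ephemeral keys decide who can decrypt a recorded session; identity checking decides who can be the other end of it.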

------
educating
Some security solutions actually rely on doing MITM to read secure packets to
identify malware, etc. Really stupid.

------
frank_boyd
One more reason to _not_ use any of the giant email providers like Yahoo,
Google, and Hotmail.

~~~
joekrill
And what makes any smaller providers any more safe?

~~~
ArchD
A smaller provider with fewer clients probably provides a lower ROI for the
NSA because of the economy of scale, although if they are specifically
targeting you, it may still not make a meaningful difference.

~~~
jacquesm
There is a trade-off here: sure, there are fewer people that they can listen in
on like that but presumably a smaller provider will also be a softer target,
possibly much softer.

------
brennenHN
Bucket Brigade is a better term for this kind of attack. Non-gendered speech
and all.

