
Law Enforcement Appliance Subverts SSL - phsr
http://www.wired.com/threatlevel/2010/03/packet-forensics/
======
aero142
If a CA is issuing bad certificates then they need to be removed from the
default CA list. Mozilla was worried about this with China a little while ago.
<http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca>

The real news will be if anyone can prove that a default CA has been compelled
by court order to generate a fake certificate.

~~~
briansmith
1. A lot of businesses comply with law enforcement requests without a court
order.

2. If you are capable of doing this, you are also capable of attacking the
automated verification methods that low-assurance/domain-validated CAs use.
For example, if you can spoof DNS for a domain, you can send the CA MX records
that direct all validation email to the domain to your own server. Or, if
you're a government, you can work with the target's email provider and/or
domain name registrar and/or anybody else willing to help; then they could get
forged certificates without the cooperation or knowledge of the CA.

------
jimdeterman
The appliance itself doesn't seem that important. The big thing I take from
the article is law enforcement needs to: "persuade one of the Certificate
Authorities — using money, blackmail or legal process — to issue a fake
certificate for the targeted website." If you can get a forged certificate
from a trusted cert provider, then there are a bunch of ways to do this. The
box is just a convenience.

~~~
billybob
Yes - I thought this was a cryptographic breakthrough, but it's just people
breaking promises.

~~~
orangecat
That, and it demonstrates how bad the default SSL trust model is. If the
gmail.com certificate came from Thawte yesterday and comes from the Department
of Defense or CNNIC today, your browser will happily accept it without
warning.

------
tptacek
Shouldn't it be possible to detect when this is happening, and who's issuing
the certificates? We need a plugin that snarfs the certificates as they hit
your browser, and a web service to log them to (send the SHA256 of the cert,
and if it's not already there, send the complete contents of the cert).

I'm game if someone else is.

~~~
tbrownaw
<http://www.cs.cmu.edu/~perspectives/firefox.html>

~~~
codexon
A nice idea. But isn't the path from you->notaries still vulnerable to man-in-
the-middle attacks? You would have to use CA authentication to verify the
"notaries" you are talking to aren't fake.

~~~
tbrownaw
It comes with a list of the notaries and their public keys. So, the only
concern is if your initial download is MitM'ed.

<http://www.cs.cmu.edu/~perspectives/notary_list.txt>

~~~
codexon
Or the attacker could just block those servers and then spoof that file with
new URLs and public keys.

~~~
tbrownaw
Hard to spoof a file that you've already got a local copy of...

~~~
codexon
If you can't connect to the servers because the middleman blocked them, a user
might assume that the servers were updated, and then proceed to use the
spoofed file...

------
dhyasama
"The technology we are using in our products has been generally discussed in
internet forums and there is nothing special or unique about it."

I hope I never suffer a brain cramp and say that about my company to a
reporter.

------
Qz
There was an article on HN earlier talking about how certificates have never
actually protected anyone from fraud (fraud sites don't try to forge
certificates in the first place, or so the article said). Now it gets worse --
not only is it not protecting you, but it's luring you further into a false
sense of 'security' and potential government surveillance? No thanks.

------
beloch
Authentication is hard. It's not a new problem at all. You can go to a great
deal of trouble performing secure key distribution, but if you don't have a
way of knowing you're doing it with who you think you're doing it with, you're
basically screwed.

PGP is nice in that it bundles key distribution together with authentication,
so you can at least be sure that the person you spoke to first is the same
person you're speaking to now, assuming nobody's taken a $5 wrench to their
knees. Unfortunately, PGP and all other factoring-based key distribution
methods are only secure for a limited time. People often say things like,
"Secure for 1000 years assuming..." What they don't tell you is those
assumptions (e.g. "crackers only use classical computers with Moore's-law
scaling resources and currently known algorithms") are ridiculous. In general,
advances in algorithms alone accelerate things greatly. Messages you send in
PGP today will probably be trivial to crack within a decade, and that's not
even accounting for quantum computing! Note: If you are interesting enough,
this translates to messages you send today _will_ be logged, archived, and
cracked within 10 years. This is fine for credit card transactions. Not so
fine for government secrets. (If you ever hear of a government employee
transmitting state secrets using PGP, you are well justified to freak out.)

Quantum Cryptography promises to at least get rid of that problem, since the
impossibility of cloning quantum information means that keys cannot be
archived and cracked at a later time. However, authentication with a party you
have not physically met remains a bit of a pickle.

------
dkarl
_Christine Jones, the general counsel for GoDaddy — one of the net’s largest
issuers of SSL certificates — says her company has never gotten such a request
from a government in her eight years at the company._

Wouldn't she be required by U.S. law to say this if that's what the government
told her to say?

[Edit: Seems I'm out of date; the gag-order provisions I was thinking about
were ruled unconstitutional a couple of years ago:
<http://www.aclu.org/national-security/court-rules-patriot-acts-national-security-letter-gag-provisions-unconstitutional>]

P.S. God, I hate this copy/paste Read More crap.

------
zokier
So to counter this kind of MITM attack the browser (or other SSL-app) should
allow the user to store the certificate/root certificate for a certain site,
and then provide a warning when it doesn't match the stored one. Doesn't sound
that hard, maybe even an extension to Fx could do that?
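The certificate-logging plugin tptacek describes above and the store-and-warn behaviour zokier proposes are the same mechanism seen from two sides: fingerprint the certificate a host presents, remember the first one, and flag any later change. This is an added example, not code from the thread or from the Perspectives project; the "DER" certificates are constructed placeholder byte strings, and the notary views are constructed too.

```python
"""Trust-on-first-use certificate pinning with a change log.

Added illustration of the thread's idea: hash each certificate a client sees
(SHA-256 over the DER bytes, as tptacek suggests), pin the first fingerprint
per host (as zokier suggests), and report a mismatch when a later connection
presents a different certificate. Certificates here are constructed
placeholder byte strings, not real X.509 DER.
"""
import hashlib
import json
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER encoding, hex: the key a notary log would use."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)  # host -> first-seen fingerprint
    log: list = field(default_factory=list)   # every distinct cert observed

    def observe(self, host: str, cert_der: bytes) -> str:
        """Return 'first-seen', 'match' or 'MISMATCH' for this (host, cert)."""
        fp = fingerprint(cert_der)
        if fp not in {entry["fp"] for entry in self.log}:
            # The "send the full cert only if the hash is new" step.
            self.log.append({"host": host, "fp": fp, "cert": cert_der.hex()})
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            return "first-seen"
        return "match" if pinned == fp else "MISMATCH"

    def dump(self) -> str:
        return json.dumps({"pins": self.pins, "log": self.log}, indent=1)


def notary_quorum(fp: str, notary_views: dict, quorum: int) -> bool:
    """Perspectives-style cross-check: do at least `quorum` notaries, probing
    the host from their own vantage points, report the same fingerprint?"""
    return sum(1 for seen in notary_views.values() if seen == fp) >= quorum


if __name__ == "__main__":
    store = PinStore()
    real = b"CONSTRUCTED-DER: CN=mail.example.com issuer=CA-A"
    forged = b"CONSTRUCTED-DER: CN=mail.example.com issuer=CA-B"
    print(store.observe("mail.example.com", real))    # first-seen
    print(store.observe("mail.example.com", real))    # match
    print(store.observe("mail.example.com", forged))  # MISMATCH
    print(store.dump())
```

A legitimate certificate renewal also produces `MISMATCH`, which is why the notary cross-check matters: if several independent vantage points report the new fingerprint, it is a rotation rather than a local interception.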

------
adolph
Could it be possible that GoDaddy was under court order to say that they have
not had any requests? My recollection is fuzzy, I think there was a hubbub a
while back about librarians being ordered to lie about Patriot Act requests.

~~~
blasdel
"The government has not had us sign a MITM certificate yet. Watch closely for
the removal of this notice."

<http://www.librarian.net/technicality.html>

------
kylec
I've always assumed that the government possessed the capability of creating
false certs, but it is perhaps more troubling that boxes like these could be
available to _anyone_.

------
FlorinAndrei
Cool. So as long as I'm my own CA and I use self-signed certificates
(distributed out-of-band) then I'm safe.

