
Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.

Umm, yeah, right. Basic fail at understanding public/private key cryptography.

If crypto systems relied on trusting that everyone does the right thing, they would be useless.

After such a fundamental failure, it's hard to take the rest of the article seriously.

Actually, I think the article is right. They have not failed to understand public/private key cryptography; you have failed to understand where you actually get your bank's public key from. Obviously, the bank has to send it to you. But then the problem is, how can you trust it really is your bank's key? The way we use is to trust a long list of people (CAs) to sign certificates saying "this key belongs to this domain."

So, if your browser has a CA belonging to CNNIC, a Chinese corporation which could certainly act for the Chinese government, they could pull off this spoofing. The question then is, is CNNIC in people's browsers? According to http://www.mozilla.org/projects/security/certs/included/, it is in Firefox.

As to how to pull off the spoofing, if you have a root CA, you can sign arbitrary certs, i.e. for domains you don't own.

So, the article is right and SSL does require trusting all your trusted CAs are trustworthy.

(edited for clarity and tone)

Great points. Another thing to keep in mind is that traffic encrypted using 1024 bit RSA keys, which the vast majority of SSL sites use, is no longer considered secure enough to withstand brute force decryption. In fact, the NIST has recommended that all sites upgrade to 2048 bit private keys by Jan. 1, 2011. They wouldn't make this recommendation unless people with GPGPU could crack it.

You are not going to do an exhaustive search on a 1024-bit keyspace, ever.

You break RSA by factoring n into p x q.

SSL may require "trusting all your trusted CAs", but that statement is a tautology. If you don't want to trust a Chinese CA, remove them from your root certificate store. SSL will continue to work, and you probably won't even notice the impact.

Yes, the last sentence was meant to be a tautology — the trusted CAs are trusted, if a trusted element is hosed, you are hosed, that's what trusted means. I have no doubt you are more knowledgeable and experienced in this than me, and of course you're right that you can remove the Chinese CA, but I don't think that is a sufficient solution to the proposed attack.

Firstly, I doubt that US (say) government personnel will remove Chinese CAs, never mind contractors or even ordinary business people or citizens, so to my mind this is a risk to trusting SSL, even if expert users can mitigate it as you have described.

Secondly, I believe CAs can also sign other CAs (and indeed Entrust did this for this very Chinese CA) so it's not that simple. You might need to distrust most CAs, which makes using SSL slightly tricky.

Thirdly, even if you remove the CA now, how do you know you weren't already MITM-attacked back in February? It's too late.

As for mitigation, alerting the user on CA or certificate changes might help, but getting the UX right will be hard. I could see a solution in the future where your bank sends you a memory stick with portable firefox installed on it and precisely one trusted certificate — the bank's. Of course, that means trusting the mail system, but since we already trust the mail system (e.g. using mailed statements for ID verification) we can't be worse off. An attack would require hijacking the USB stick and your connection to the bank at the beginning of the same session for it not to be noticeable — not so easy.

Does this lead to certificate revocation as the next form of economic trade wars?

The discussion about CNNIC's inclusion in Firefox is here: http://news.ycombinator.com/item?id=1095121

This is a failure of the journalist to understand the distinction between "public/private key cryptography" and "public/private key cryptography as used in the SSL/TLS certificate authority scheme". I'm pretty sure that the guy (s)he was interviewing knew the difference.

Of course, configuring your system to trust any valid certificate is just stupid.

You are right, this explanation of public key encryption is wrong. Maybe this stems from misunderstanding by the author, or is just the result of oversimplification.

However, that threat of Chinese authorities sniffing on SSL traffic is real. Just remember the root certificate issued by the China Internet Network Information Center that ended up in Firefox, see http://news.ycombinator.com/item?id=1244444

> If crypto systems relied on trusting that everyone does the right thing, they would be useless.

Actually, in-browser SSL crypto without certificate verification (as in "is this the same certificate that it was before?", not as in "is this certificate signed by trusted CA?") relies exactly on that assumption.

In this case, wouldn't a leaked CA private/signing key constitute "abuse"?
