Man In The Middle attacks are increasing and users usually ignore error messages about them.
(Firefox throws an error dialog but it has an 'I understand the risks' button. People just ignore the error).
Also, last year many Iranian FriendFeed users were arrested and the goverment knew about all their private discussions on FriendFeed.
(FriendFeed has been censored since the beggining. But it suddenly became uncensored for a day or two. On the other hand, FriendFeed generates an 'auth' key for each user and lets him see his RSS feed using that key. And puts the auth key in every page: goverment probably collected auth keys and used it to read discussions of people they arrested)
Goverments using internet to spy on their civilians is not a myth. Anonymity, trusting the cloud and related issues seem far more important when you suddenly find out a friend of yours has been arrested and his location and charges is unknown.
Note that the reported MiTM attack should not result in a popup warning, because the CA certificate used in the MiTM is supposedly technically valid. Does anybody know which browsers include this CA? Browser vendors should consider removing it based on ethical concerns, especially if this MiTM attack is being performed very broadly, at the country level.
Instructions on how to delete it yourself are available at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-ce...
Alternatively, you can use i2p and i2p outproxies, but i2p may be vulnerable to similar poisoning attacks if the government had an interest in perpetrating them. That said, it's probably much safer to use an i2p outproxy for your browsing anyway, and definitely much safer to use eepsites.
As such, the only way to ensure your electronic communications are safe is to get the information necessary to bootstrap the crypto from a medium where the government has no ability to poison, which means offline transmission (CDs/USB disks). And then you still have to be careful because if the government gets the private key of your compatriot all of your conversations will be readable.
The only way to provide security for the people of Iran in a reasonable manner is to educate them on PGP and key exchange. This is not the time to talk about fairy dust, because it's not going to help anyone at this point. When you're transmitting information that will get you thrown in jail or worse, you don't dink around -- they need something tried and true, and need to understand the risks and costs associated with the communications platforms they're using.
If you want to communicate with other people securely, then, in my opinion, then everyone in that communications group needs to consider learning information security and operational security, and then applying it. It's not simple, it's not easy, but if you want to be secure, you're going to have to plan to be serious.
The only solution I can think of is a false door method, where you send some fake communication over one channel and somehow hide the encrypted channel.
That's steganography, and there are some open source programs for that. Steghide, for example, can hide encrypted data in JPEG images.
And.. if your cover gives reason for you to put out a lot of data in forms that are easily stego'd, you're in good shape.
edit: You refer to something that is either steganography or something in that class of communication.
Goverment isnt trying to spy specific people for specific reasons. They are trying to spy everyone.
Communicate in the open free from the molestations of ahrimanan.
If you expect that the use of secure encryption at all would get you disappeared, you're screwed. And the previous situation can turn into this one on a whim.
Either way, the long-term solution does not involve technology; it involves emigration.
It was close to impossible to emigrate legally, they would use anything to stop you. They would make you lose your job (or even do that to members of your family), they would interrogate you and members of your family (and don't think about any human rights).
A friend of my father was shot on the spot when they saw he was using a boat to cross the Danube to Yugoslavia.
It's not that simple to escape, especially with your family. You're living in a different world.
yet some of them are (as of 17:25 PST 08/29/2011 AD) classified as "bad" and some as "good"
Also, how are people sure this is being perpetuated by the Iranian government? I'm asking because I see no evidence in the pastebin dumps, yet many people here seem sure the Iranian government is behind this.
There was another indecent earlier this year for which Iran was assumed responsible. This turned out to be false (http://www.computerworld.com/s/article/9215245/Solo_Iranian_...)
My brother works in a company that produces spying software for government. Days ago, he told me he himself has written several programs to spy on yahoo, hotmail and gmail but he thought they couldn't deploy the gmail program because of https. I guess, he should think again.
I am scared. My only hope was SSL and I can't trust that anymore?
Who might/could do this except for the goverment?
[1-7 are ISP routers]
I used mtr and the route to google is changing every several seconds, but I thinks it's normal.
All I know is that internet blocking happens in LCT [78.38.255.] or KAMYARAN [78.38.245.].
A government agency in Iran has obtained the private key of the root certificate for the DigiNotar Certificate Authority. And with that, they can decrypt and re-encrypt SSL traffic by pretending that they have the valid SSL certificate for *.google.com.
Is that the way this works?
Either way, IMHO DigiNotar's root certificate should be revoked and they should be barred from participating in the CA system ever again. The seriousness of SSL MITM attacks is such that a "one strike and you're out" policy is warranted. With so much commerce running over SSL these days, possession of the private key of a CA's root certificate would allow you to implement plots worthy of a James Bond supervillan.
Indeed. I strongly suspect too that it's only "the first one we've seen", and not "the first one".
I have very little doubt that most nation-state sized adversaries have the ability to forge whatever certs they want. It's only careful use of those forged certs (or dumb luck) by the agencies using them that have kept them out of the blogosphere...
From what I can see:
- Google Search & Google+ (https://encrypted.google.com/ https://plus.google.com/) are using a *.google.com from GeoTrust/Google Internet Authority
- Google Mail (https://www.google.com/accounts/) is using a www.google.com from VeriSign/Thawte
Ofcourse I'm also afraid that this is indeed a MITM attack against Iranian users.
With SSL certs that costs less than $15 you can expect that things cannot be thoroughly checked, however a Wildcard DigiNotar SSL cert is costing you € 750 a year (in a 4 year contract http://diginotar.nl/OnlinePrijsindicatie/tabid/1417/Default....), you would expect that these things would not be possible.
If they however hacked the root CA, it's even more scary, also Vasco (the mother company) makes virtually every Two-factor authentication used for Dutch Banking..
EDIT: This definitely works for Safari, not 100% sure if it does for Chrome after all.
The Firefox root CA list has dozens and dozens of organizations on it. Could a compromise of any one of them mean that this attack could be repeated?
You may think that's a good tradeoff. I don't, but reasonable people can disagree about it. However, it's completely untenable for financial information, because attackers after financial information aren't laser targeted and are perfectly happy with a constant stream of compromised sessions. Remember what TLS was designed for in the first place.
The OpenSSH model implies that you check the fingerprint of the public key before you send encrypted data using that key. That is why SSH shows you the fingerprint of the server key when you first connect, and you have to answer "yes" in order to accept the key and add it to your keyring. You are supposed to have talked to the person managing the system and that person should have given you the fingerprint of the key.
It is virtually impossible for the ISP to intercept and sniff the stream without changing the fingerprint.
The user still has to trust its SSH client.
I think you think that "Trust On First Use" means "automatically accept keys the first time you hit a site". In fact, that's only true in practice. Presumably everyone's going to get the "Watch Out! This Could Be Iran!" dialog from their browser, too.
Theoretical models that have no practicality in a given real life context aren't worth discussing as a solution.
normally it just shows you a horizontal bar alerting you when a host's ssl certificate changes, and whether it thinks it was for a good reason like the old cert being near its expiration date.
annoyingly, google has a number of different ssl certificates installed on different servers/load balancers (some wildcard, some not, some signed by different CAs, some signed by google's root) so nearly every time i would use a google service, the add-on would be throwing warnings at me that must be manually clicked to be dismissed. eventually i gave up and stopped using the add-on.
Note that Chrome's key pinning feature (http://www.imperialviolet.org/2011/05/04/pinning.html) is a somewhat comparable idea, except the well-known key hashes are hard coded in Chrome and not user updateable.
SSH users understand the issue and are happy to triage a "not in known_hosts" error. The general public won't have a clue.
If it is a case of a root CA signing a cert for someone else, this shouldn't have actually produced an error. What did the MITMers screw up here?
"...DigiNotar is an official Dutch certification authority, capable of issuing, validating and registering certificates (identities) of Dutch nationals and entities that are recognized throughout the European Union and are used to authenticate government applications. As such, DigiNotar provides VASCO with a strong foothold in the Dutch eGovernment market with the potential to expand the product line to government applications in other countries. Currently, DigiNotar’s market scope for its CA activities is limited to the Netherlands. VASCO may decide to introduce DigiNotar as a certification authority in other EU countries...."
all that security was riding on 10M euros (with such [meager] amounts in play, one would think that it would be easier for a player like Iran just buy an authority than to crack/hack it, though seems like VASCO was faster (if of course VASCO isn't in the game as well) :) :
"...VASCO acquired DigiNotar in stock and asset purchase for aggregated cash consideration of Euro 10.0 million..."
what is the cost in Netherlands to have a reasonably secure office building with some access controlled areas suitable for CA authority core operations? Sounds like very cheap.
... and so they have
The Syrian government was doing this recently as well:
Oh and don't forget about the EFF's SSL Observatory:
It still is a good idea to blacklist that root certificate on your internet devices though. If this certificate is being used, who knows what other websites it has issued legitimate but malicious certificates for.
The obviously compromised root CA shipped by default in every computer in operation is something we very much should worry about. Who else has access to DigiNotar's cert? Surely there are players out there willing to pay more than Iran is...
Interestingly, this is why corporations and governments managing secret information continue to rely on Blackberry, where each device gets a locked certificate on activation. That provides the only serious protection from man-in-the-middle attacks in the wireless industry today. Remember the public pressure on RIM to support wiretapping in India? They were the only company not making it easy.
GMail still shows a certificate issued by Thawte for me (in the USA).
more precisely they can poison any traffic (CA-ed by Diginotar) that passes through the routers/wires under Iran's control, that can be anything what they have already hacked into before as well as just redirected traffic using BGP similar like this
Btw, aren't China and Iran collaborating usually? There is potential for synergy.
He even invokes the Comodo incident, which as we know turned out to be the work of a single individual and NOT Iran.
Propaganda spreads quickly, even in the HN circle where people usually pride themselves on requiring evidence as a prerequisite to belief.
Today, when I trid to login to my Gmail account I saw a certificate warning in Chrome .
I took a screenshot and I saved certificate to a file .
this is the certificate file with screenshot in a zip file:
and this is text of decoded fake certificate:
when I used a vpn I didn't see any warning ! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)
In such cases paranoia is perfectly justified.
It's a real pity this requires a code update because that means that the change will take long to propagate and will likely never be really complete, at the same time I'm sure there are good reasons for that and that an automated process to revoke just any certificate could itself probably be used as an attack vector.
What would happen if they simply revoked the root certificate that was used to sign this fake?
Fraudulent certificates were given out for:
().mozilla.org (backdoored software?)
And Baladin (an Iranian social network)
MITM = Man In The Middle.
Does this mean that Iran is eavesdropping on gmail users IN Iran? Or outside their country too?
Does anyone mind sharing what this means to the end user?
I did block the certificate on my Air as wxs mentioned. http://news.ycombinator.com/item?id=2938755
If you were using an Iranian ISP to log in to *.google.com, you may have been hacked.
Some critique here to back me up:
How about instead of "SSL sucks!", you propose things that will (from your vantage point) improve SSL/TLS? What, so you don't like that Mozilla gets to dictate what all the trust roots are? Neither do I. But that is not one of the worlds great compute or UX problems to solve. Propose a solution.
It's a virulent misconception that the SSL/TLS security model depends on Verisign and Thawte. The only place in the whole model we have that dependency is your browser's configuration and that stupid dialog it shows when a cert doesn't check out. You can replace just those two parts and get virtually any other trust model you want.
There should be an explicit trust model where the service vendor ships your keys via an alternative side channel -or- a decentralised model which works on reputation or trust.
If it works, why do all the online banks use two-factor authentication these days?
Oh wait, there is the solution!
Psst. I've got news for you. adb56780a76686326612a1eb3c2b32053bbcf3d8. Ask a friendly vulnerability researcher what I probably meant by saying that. Guess what? More confident as a result of knowing it.
The rest of your comment is just pique. "Why do online banks use two-factor auth?" Because the alternative is passwords. "There should be an explicit trust model!" Go ahead and build it. Because TLS is well-designed, your new scheme will work just fine with it.
OK. Hey tptacek... :)
Mind elaborating a bit more, for those of us who don't happen to know any other vulnerability researcher who know what that hash means? The one vulnerability researcher I know had no idea what you were talking about.
(and a meta-comment; OMG, look how quick google is getting hackernews into it's index these days!)
Google doesn't turn up anything for that particular hash, though, nor did I see anything on the Matasano website, but I'm probably looking in the wrong places. I don't claim to be a security researcher, after all, even if I try to keep up to date.
Everyone knows the weakness with our current system isn't the protocol--it's the "trusted" roots. There are upwards of 100 organizations that have roots installed on my computer and each of them is an attack surface. And it's frustrating because if I'm Google, there's no way I can protect myself from these other firm's security flaws. That is the part of SSL/TLS that needs to change. Getting certs from DNSSEC would be a good start...
Again: the problem we have is that the UX and policy for HTTPS/TLS is brittle, so that it's hard to recognize and even harder to react to misconfigurations like "we're trusting CAs who are not trustworthy".
Faced with a policy and UX problem, someone needs to explain to me how a reasonable next step is to bake a new PKI into the core of the Internet.
There is a reason the IETF-types are so gung-ho on DNSSEC. But it isn't that they know it's a sound replacement for the CA system. It's that it bothers them that DNS- the- protocol is insecure. And that's fine (I think their solution stands a good chance of making DNS even less secure, but whatever). But they shouldn't get to piggyback on other security issues to achieve their goal.
I don't know about where you are, but even if I show up at my bank branch in person, they do two-factor authentication (card + PIN).
So card = identify. PIN = authenticate. That's not two factor.
The second factor would be an RSA key or a Digipass device.
That's used to authenticate the client. SSL's job here is to authenticate the server. So no, that's not a solution.
Besides, it's completely preposterous to claim that HTTPS is useless just because it's not enough for banks. Should each website send an RSA Token to each user?
(I don't suppose anybody's more up-to-date than me on if/when that'll be possible?)
Part of the intrinsic concept is that there's no authoritative identity service. Without an authority, you can't crack the authority.
Of course, this is just a sketch of an idea; it has the usual issues with peer to peer nets such as "evil majority wins". Plus, it has the potential to eat a good deal of bandwidth.
Regardless, I think it'd be a good idea to explore, probably in an academic setting first.
I get that a false sense of security is worse, but we haven't yet figured out a better way that is still decentralized and works with a wide variety of user skill levels.
Because people who aren't expert users deserve security too. And they deserve functionality.
Well, SSL certainly isn't giving serious security in the "My ISP has been intruded" attack model.
You can't have both security and ignorance. If you really want to be secure, you're going to have to learn how to be secure, and then to know how to implement it.
--- edit. Not looking for argument. Looking for facts.
- This is my top hit for 'tls mitm proxy'
It's dated as '06, however.
- I can install Fiddler (Windows https debugger) on my machine and read https traffic in the clear.
- A competent admin assures me that Websense can read https traffic. Couldn't really dig real detail up on the websense sites though. This chap suggests the admin is not wrong (search for corporate, it's toward the end): http://www.carbonwind.net/blog/post/Random-SSLTLS-101%E2%80%...
(Sigh). Fiddler pops the browser certificate warning when you use it; it's not breaking TLS.
You must just as productively say "my friend assures me AES is broken; maybe that's what Iran is doing." Just like your competent admin friend, there would be some reason for him to say that; it just wouldn't be relevant.
I don't have details on that, unfortunately.
It sounds pretty clear to me that with some work on the adversary's part and lack of checking of the certificate chain, TLS can be subverted.
Websense is used in organizations that distribute their own root ca key to the workstations behind it. The Websense machine is then given that root ca key and allowed to generate dynamic certs with it, so that a workstation with your organizational CA trusts them, but nobody on the regular inter webs will.
It's a really, really shitty way to do things, and effectively violates the trust of every user on your corporate network, but hey, they signed an agreement.
Use case 2: 40 year old man wants to use his laptop from starbucks for email. He has used computers for much of his life, but doesn't really understand how it works. He is on the road working 60-80 hours a week. He is taught to VPN in to work, but that is the extent of his understanding of security.
We're not talking about the use case 3: activist in Iran needs to communicate with compatriots. That is a much harder problem for which SSL is insufficient.
How do we set up a sufficiently easy system for use cases 1 and 2? Charging them $1,000 for a 2 day class in security is not going to work in scale, and nobody has yet written a security primer for dummies past the most basic of "don't give people your password and don't use your dog's name."
If Iranian activists want to trust Google for their sensitive email, all they have to do is track down Google's authentic certificate (by asking anybody outside of Iran to fetch it) and add it to their browser. Iran does not have the ability to break RSA. All they (apparently) have the ability to do is to con incompetent CAs into making new RSA signatures that some browsers are configured to believe.
We need a reputation based, distributed public key architecture.
I'm not being sarcastic. Your decentralized reputation scheme could very well be better than our severely compromised system of central CAs.
After you've done that, yes, it'll exist.
(Edit: Well, not really—have a look at the thread below.)
No cryptographic system is perfect.
The reality is that DNSSEC is a lot more fragile than even that. Even on paper (DNSSEC hasn't been deployed in the large successfully) it has gaps. For instance, did you know that as conceived in the standards, your browser isn't even meant to speak DNSSEC? Your browser doesn't run a full recursive cache --- in other words, your browser isn't a full DNS name server, which is why your computer has to be configured with the address of a name server. DNSSEC doesn't secure the leg between your computer and its name server.
"No cryptographic system is perfect" is a worthless sentiment. Only in the rarest instances do we know whether any system, from "hello world" to the Tacoma Narrows, is absolutely sound. Our job as engineers is to make determinations about which system is sounder. DNSSEC takes approximately the same architectural problems that X.509 has, rebuilds them from scratch in the context of a protocol that has for 20 years been riven with security flaws, and then still requires HTTPS/TLS to function. It is less sound than HTTPS/TLS.
I won't say more regarding this matter because you know a lot more about cryptography than I do. What do you think the best solution for this kind of problem is? PGP?
Back to DNSSEC:
What we do not need to do is take this extremely complex policy problem and bake it further into the Internet's infrastructure, so that only the greybeards at the IETF and the product managers at the five largest software companies in the world get to make choices about the Internet's security model.
Today's HTTPS debacle was brought to you by a policy mistake. When we originally deployed HTTPS/TLS, we did not understand enough about the forces acting on us to make totally safe policy decisions. What we need is more flexibility and more thought, not the exact same system we have now baked into one of the core protocols on the Internet.
Moving this into authentication/trust - how do you 'start' something like this at an Internet scale, assuming actively hostile, nation-state level players, such as in this article? It seems very chicken-and-egg for something as critical as encryption and protection of important content.
Just thoughts - it seems there's some big issues I'm missing though, such as initial seeding for 'new' users en masse. I can also see the code to keep track of all the trust vectors, etc. becoming VERY complicated...
Actually, for many people their bank seems like a good start for the trust chain; visit them in person and get the information you need for your trust root. And unlike the certificate companies, banks have end-users as their customers, not people who want certificates.
I'd consider subscribing to a few services that provided plausible claims to properly curate lists of ssl cert fingerprints for at least the majority of my security-critical domains. Even if it were just limited to the major internet properties (start with google/yahoo/amazon/paypal/twitter/facebook/etc), and add in major (and minor) banks, government institutions... If someone started up a service claiming to have telephoned the appropriate security people at those places and confirmed the cert fingerprints via non-internet/real-world-confirmable means, I'd certainly consider paying a few tens of dollars a year for that... Especially if it integrated nicely with a browser/os plugin.
But what we see is CAs authenticating cert applicants based on DNS (the ability to receive email verifies your "control" of the domain) and DNSSEC rooting to a Verisign-managed registry, just like the early days of SSL PKI.
That's exactly what SSL is supposed to do, and tptacek is saying DNSSEC has the same problems as any PKI, including SSL.
And more importantly, using DNSSEC without SSL, even if you know you have the right IP address you don't you're not being MITM'd.
note: Nothing against dnssec. I think it is an improvement, but I don't see how it would have helped in the situation in question.