South Korea NIS admits to "packet tapping" Gmail (hani.co.kr)
57 points by ajdecon on Sept 18, 2011 | 40 comments



South Korea does not "possess the technology to decrypt the packets transmitted over Internet lines after intercepting them", no matter what this credulous article says.

The list of things law enforcement can do to capture GMail messages without secretly having compromised the most important encrypted protocol in the world includes:

* Having owned up the target's box and installed malware

* Having owned up the target's box and installed a bogus certificate

* Redirecting the target to a bogus GMail and assuming the target doesn't care about cert warnings

* Posing as a man in the middle and assuming the target doesn't care about cert warnings

and on and on.

Is it outside the realm of possibility that a nation state actor might have figured out a flaw in the SSL/TLS protocol that would allow them to decrypt traffic? No.

Is it outside the realm of possibility that such an actor could have a bogus root certificate, or a bogus Google certificate? No.

Is it outside the realm of possibility that an actor possessing one of those things would then proceed to use that capability in the course of mundane law enforcement activity, on the record, exposed to public court proceedings? Yes. It is unpossible that that happened.


The most probable situation here (if it actually occurred) is that South Korea owns a certificate authority that is accepted by browsers and did a MITM attack with their own google cert.


I don't know how probable it is that South Korea has the capability to mint bogus Google certificates.

I do think it's highly improbable that they would use that capability for run-of-the-mill law enforcement cases.


What makes you think that? Have you read the Soghoian, Stamm Certified Lies paper? http://files.cloudprivacy.net/ssl-mitm.pdf

They're not obvious attacker certs, but Ralph Holtz has found some very strange certs in S. Korea with SN:"Government of Korea" and CA:TRUE. http://www.mail-archive.com/cryptography@randombit.net/msg01...

Also, it's not clear that this is "run of the mill law enforcement". This is NIS, the S. Korean state intelligence service, which is admitting to having done this.


In public court proceedings. Come on.


Perhaps they didn't get the memo. :-) You know, the one that says:

"First rule of State-run CA Club is...


For your first point, if they own their own root CA that is trusted by browsers, then the capability is definitely in their hands. And that doesn't need any kind of special hacking capabilities, just signing a certificate that is for Google services. The whole SSL certificate trust hierarchy depends on CAs not being that evil, there is no tech keeping them non-evil. Of course Chrome does certificate pinning at least for their own services, but not the others.

But on your second point I agree. If they are prepared to use such capability, it would be really stupid to reveal their will to do such dirty tricks in some ordinary matter - better save it for a real need.


So if they just pwned the guy's PC like a normal investigator would, why wouldn't they just admit to doing that? Why would they admit to having this capability of court-ordered "packet tapping"?


For what it's worth, the support for this sort of MITM was the feature du jour among "unified security" appliance vendors back in 2003-04. Basically the idea was that the corporate IT department would install an additional CA certificate on all company's computers and this would enable the appliance to access raw data of SSL/TLS streams going in and out of company's networks. The purpose was benign and it was to scan downloads for viruses and malware.

I do not doubt for a second that any reasonable national cybersecurity agency has this functionality readily available, utilizing one of the CA certificates bundled with common OSes. Whether they are actually using it and to what extent is another question, which ties into political implications should someone detect the certificate forgery.



You've linked to a story about someone penetrating a fringe CA, and the galactic shitstorm that resulted, including the revocation of that CA's CA status in most Internet browsers.


Which is what he speculated South Korea as having done, right?

The most probable situation here (if it actually occurred) is that South Korea owns a certificate authority that is accepted by browsers and did a MITM attack with their own google cert.


Isn't HTTPS disabled by default in Gmail (other than the login page)? This was definitely true about a year ago, if not today.

If so I would imagine 95+% of users aren't/weren't using HTTPS, making it trivial to read most of the population's Gmail.

Edit: I was wrong about "definitely true about a year ago", they turned HTTPS on by default in January 2010. http://gmailblog.blogspot.com/2010/01/default-https-access-f... . Seems reasonable that the government could only have been "packet tapping" before 2010.


Ahh, takes me back, I sent a bug report to Google when I first joined GMail saying that most of it was in http!

They never responded.


How can you be so sure that SK does not possess the technology required?


Even if they did have it, they wouldn't risk tipping their hand by using it in mundane law enforcement, so we can rule that out.


You'd be surprised. Also, mistakes happen and someone clueless might have signed off on it.


In that spirit, which is more likely: that South Korea has figured out how to decrypt arbitrary TLS connections, or that a clueless reporter was clueless?

The article also claims that Google uses deep packet inspection to do its targeted advertising. This does not inspire confidence in its accuracy.


Odds that NIS is actually decoding SSL packets: 00.1%

Odds that this was before Gmail instituted HTTPS or that there is some other explanation that the reporter missed: 99.9%

However, importance if the former is the case: World changing news. But extremely unlikely.


Seems to me pretty clear that SSL is kind of a joke as far as security goes, a little like WEP wireless security. Yes, unlike WEP if everything is working properly SSL is in theory safe. But there are so many gotchas, from the byzantine CA system to the fact that most of the time when a browser warns you that a certificate is bad there's nothing wrong, SSL just doesn't hold up to a determined attacker (especially a government.)


WEP is completely broken. Even if you do everything right, it's trivial for an attacker to access a WEP-protected network.

  most of the time when a browser warns you that a certificate is bad there's nothing wrong
I've never had a false-positive browser warning. I assume you're complaining about Firefox's and Chrome's treatment of self-signed certificates, which is completely appropriate. Self-signed certificates should always be rejected, unless the user has manually added them to the keystore.


The problem is that to the average user, a self-signed certificate that they should accept appears EXACTLY THE SAME as a bad SSL certificate.


Users should not accept self-signed certificates. IMO, browsers shouldn't even offer them the option. If someone is smart enough to verify the certificate fingerprint, they can add it to their certificate store manually.


I disagree. SSL is meant to do 2 things: prove identity and provide encryption. Self-signed certificates do just the latter. While, yes, they might provide a false sense of security in that they can't prevent MITM attacks, at least you're not sending out data in the open.


Ever since the first released version SSLv2, http://www.mozilla.org/projects/security/pki/nss/ssl/draft02... it has had the stated goal of defending against MitM attack.

Still, if protection from completely passive eavesdropping is all you care about, you can use anonymous Diffie-Hellman to negotiate an ephemeral key. The protocol supports it. Heck a lot of home-grown client software doesn't even check the name on the cert and ends up with effectively just that by accident.

Feel free to add your own self-signed exceptions. I find it useful myself.

But that's not what HTTPS is and it's not how web browsers work. By definition, the lock icon in the user's browser means that the server (as displayed in the URL) has been authenticated to the user.


There are very few self-signed certs that the average user should accept. It's an acceptable tradeoff.


> WEP is completely broken. Even if you do everything right, it's trivial for an attacker to access a WEP-protected network.

Can you elaborate on this? I'm genuinely curious.



No, SSL is not as bad as WEP. If you follow all the rules and do things right with WEP, everyone knows how to break it. It's like doing rot-13 correctly. No matter how correct you are, you are not protected. In theory and in practice, WEP is insecure.

SSL is possible and commonly done correctly. It is not a joke security wise. (If it is a security joke, show me something that isn't a security joke).

Unless you are a government (or have similar resources), you cannot hack SSL.


What are the rules? Hand-pick all of your certificate authorities and regularly check up on them? The idea that you can have dozens of authorities any one of whom might be compromised and be secure is intrinsically broken.

SSL would work a lot better if it worked more like SSH, where you could check to see if you have the right fingerprint at the beginning. And of course you can use it like this, but your browser tells you horrible things will happen. Alternately, a true web of trust with something more like the notaries might be useful.

But when it comes right down to it, any scheme of communication that relies on a variety of third parties for security isn't going to work, because you never know when one or more trusted parties are the eavesdropper.

Sure, the crypto works fine, but in practice good crypto often just lulls people into a false sense of security. "The browser shows https" is really a pretty weak indicator that no MITM is happening. I especially say this in contrast to something like an SSH handshake, which is a pretty strong indicator that no MITM is happening, especially if you validate your keys.


SSL would work a lot better if it worked more like SSH, where you could check to see if you have the right fingerprint at the beginning.

And the 95% of the population who don't know what a key fingerprint is, the people who are most likely to click on random things online, those people will just blindly accept that from every site on the web and then they can get MitM'ed easily by people in Starbucks. Right now you can't do that with HTTPS.


One would assume they forced a CA to sign a false google.com certificate and substituted that for the real one, MitM style, in order to do the decryption. Governments are obviously capable of this.

Firefox's Cert Patrol or Chrome's certificate pinning are really the best defenses against this kind of thing. If you're on Chrome 13 or later, you're mostly guaranteed that gmail.com is the real deal.
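The SSH-style "remember the fingerprint you saw first" check that several comments above describe (and that Cert Patrol implements) can be sketched as a small trust-on-first-use monitor. This is an added illustration, not code from the thread or from Cert Patrol; the certificate bytes, issuer names and day-number expiries are constructed stand-ins for what a real client would parse out of a TLS handshake.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for what a client sees in a TLS handshake (not a real cert).
@dataclass(frozen=True)
class CertObservation:
    host: str
    der: bytes        # certificate bytes; placeholders below, a real client uses DER
    issuer: str       # issuer distinguished name
    not_after: int    # expiry as a simplified day number

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, the value a TOFU store remembers."""
    return hashlib.sha256(der).hexdigest()

@dataclass
class TofuMonitor:
    rotation_window_days: int = 30
    seen: dict = field(default_factory=dict)  # host -> (fingerprint, issuer, not_after)

    def check(self, obs: CertObservation, today: int) -> str:
        fp = fingerprint(obs.der)
        prior = self.seen.get(obs.host)
        if prior is None:
            self.seen[obs.host] = (fp, obs.issuer, obs.not_after)
            return "first-seen"
        old_fp, old_issuer, old_not_after = prior
        if fp == old_fp:
            return "match"
        # The certificate changed. A legitimate renewal normally keeps the same issuer
        # and lands near the old certificate's expiry; anything else is worth an alert,
        # because a cert minted by some other browser-trusted CA still passes chain
        # validation and would otherwise be invisible to the user.
        if obs.issuer == old_issuer and old_not_after - today <= self.rotation_window_days:
            self.seen[obs.host] = (fp, obs.issuer, obs.not_after)
            return "rotation"
        return "ALERT: certificate changed outside a plausible rotation"

def run_demo() -> list:
    """Replay constructed observations for one host and collect the verdicts."""
    mon = TofuMonitor()
    ca = "CN=Example Root CA"   # constructed issuer name
    orig = CertObservation("mail.example.com", b"constructed-cert-1", ca, not_after=400)
    other = CertObservation("mail.example.com", b"constructed-cert-2", "CN=Other CA", 800)
    renewed = CertObservation("mail.example.com", b"constructed-cert-3", ca, not_after=800)
    return [mon.check(orig, 100), mon.check(orig, 101), mon.check(other, 102),
            mon.check(renewed, 380), mon.check(renewed, 381)]
```

The third observation carries the same hostname but a different issuer far from the old expiry, which is exactly the pattern a browser-trusted but substituted certificate would produce; the monitor flags it without needing to know which CA is "evil".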


Tapping is a mistranslation of "sniffing".

(At least according to Reddit's discussion on this event).


Link?


Discussion: http://www.reddit.com/r/netsec/comments/kj25j/south_korea_ad...

Specific comment: http://www.reddit.com/r/netsec/comments/kj25j/south_korea_ad...

To corin_ : perhaps he wanted a link to see the discussion rather than a source.


This was what I was interested in.


I don't really see why it needs any discussion as a citation, it's fairly obvious that "tapping", as in "phone tapping", means listening in to, aka sniffing when talking packets.


He's not asking for a citation; grandparent said there was another discussion on the subject so parent (and I) wanted to read that discussion.


This is probably an old pre-default HTTPS Gmail, man in the middle attack and the original article is badly written as others have posted. However, the man in the middle based packet inspection and injection is widely used. From what I can tell this is how the censorship banner (http://en.wikipedia.org/wiki/File:KCSC-Warning.png) gets pasted over JS and html partials within sites the government takes issue with. Packet inspection is almost certainly being widely used.


Every country in the world is "packet tapping" (whatever this means) Gmail.


