Governments May Fake SSL Certificates

Electronic Frontier FoundationToday two computer security researchers, Christopher Soghoian and Sid Stamm, released a draft of a forthcoming research paper in which they present evidence that certificate authorities (CAs) may be cooperating with government agencies to help them spy undetected on “secure” encrypted communications. (EFF sometimes advises Soghoian on responsible disclosure issues, including for this paper.) More details and reporting are available at Wired today. The draft paper includes marketing materials from Packet Forensics, an Arizona company, which suggests that government “users have the ability to import a copy of any legitimate keys they obtain (potentially by court order)” into Packet Forensics products in order to impersonate sites and trick users into “a false sense of security afforded by web, e-mail, or VoIP encryption”. This would allow those governments to routinely bypass encryption without breaking it.

Many modern encryption systems, including the SSL/TLS system used for encrypted HTTPS web browsing, rely on a public-key infrastructure (PKI) in which some number of CAs are trusted to vouch for the identity of sites and services. The CA’s role is crucial for detecting and preventing man-in-the-middle attacks where outsiders invisibly impersonate one of the parties to the communication in order to spy on encrypted messages. CAs make a lot of money, and their only job is to make accurate statements about which cryptographic keys are authentic; if they do this job incorrectly — willingly, under compulsion, by accident, or negligently — the security of encrypted communications falls apart, as man-in-the-middle attacks go undetected. These attacks are not technically difficult; surveillance companies like Packet Forensics sell tools to automate the process, while security researchers like Moxie Marlinspike have publicly released tools that do the same. All that’s needed to make the attack seamless is a false certificate. Can one be obtained?

This risk has been the subject of much speculation, but Soghoian and Stamm’s paper is the first time we’ve seen evidence suggesting that CAs can be induced to sign false certificates. The question of CAs’ trustworthiness has been raised repeatedly in the past; researchers recently showed that some CAs continued to use obsolete cryptographic technology, signed certificates without verifying their content, and signed certificates that browsers parsed incorrectly, putting users at risk of undetectable attacks. What’s new today, however, is the indication that some CAs may also knowingly falsify certificates in order to cooperate with government surveillance efforts. Continue reading.

Related Posts

Sign the petition: iPad DRM is iBad for our freedoms Today, Apple launched a computer that will never belong to its owner. Apple will use Digital Restrictions Management (DRM) to gain total veto power ov...
EFF Seeks Attorneys to Help Alleged Movie Downloaders Are you an attorney licensed to practice law in the United States? If you are, EFF needs your help to fight spam-igation. The U.S. Copyright Group ...
Help EFF Research Web Browser Tracking What fingerprints does your browser leave behind as you surf the web? Traditionally, people assume they can prevent a website from identifying them...
Software sniffs out criminals by the shape of their nose Forget iris and fingerprint scans -- scanning noses could be a quicker and easier way to verify a person's identity, according to scientists at the Un...
On Selling Exceptions to the GNU GPL When I co-signed the letter objecting to Oracle's planned purchase of MySQL 1 (along with the rest of Sun), some free software supporters were surpris...
3 Problems Cloud Security Certification Can Solve What if there were widely accepted standards for cloud security and, better yet, a universally recognized designation for “trusted” cloud providers?...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at ContainerizeThis.com

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*