[Infowarrior] - Governments May Fake SSL Certificates
Richard Forno
rforno at infowarrior.org
Wed Mar 24 21:05:25 UTC 2010

March 24th, 2010
http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
New Research Suggests That Governments May Fake SSL Certificates
Technical Analysis by Seth Schoen

Today two computer security researchers, Christopher Soghoian and Sid
Stamm, released a draft of a forthcoming research paper in which they
present evidence that certificate authorities (CAs) may be cooperating
with government agencies to help them spy undetected on "secure"
encrypted communications. (EFF sometimes advises Soghoian on
responsible disclosure issues, including for this paper.) More details
and reporting are available at Wired today. The draft paper includes
marketing materials from Packet Forensics, an Arizona company, which
suggests that government "users have the ability to import a copy of
any legitimate keys they obtain (potentially by court order)" into
Packet Forensics products in order to impersonate sites and trick
users into "a false sense of security afforded by web, e-mail, or VoIP
encryption". This would allow those governments to routinely bypass
encryption without breaking it.

Many modern encryption systems, including the SSL/TLS system used for
encrypted HTTPS web browsing, rely on a public-key infrastructure
(PKI) in which some number of CAs are trusted to vouch for the
identity of sites and services. The CA's role is crucial for
detecting and preventing man-in-the-middle attacks where outsiders
invisibly impersonate one of the parties to the communication in order
to spy on encrypted messages. CAs make a lot of money, and their only
job is to make accurate statements about which cryptographic keys are
authentic; if they do this job incorrectly — willingly, under
compulsion, by accident, or negligently — the security of encrypted
communications falls apart, as man-in-the-middle attacks go
undetected. These attacks are not technically difficult; surveillance
companies like Packet Forensics sell tools to automate the process,
while security researchers like Moxie Marlinspike have publicly
released tools that do the same. All that's needed to make the attack
seamless is a false certificate. Can one be obtained?

This risk has been the subject of much speculation, but Soghoian and
Stamm's paper is the first time we've seen evidence suggesting that
CAs can be induced to sign false certificates. The question of CAs'
trustworthiness has been raised repeatedly in the past; researchers
recently showed that some CAs continued to use obsolete cryptographic
technology, signed certificates without verifying their content, and
signed certificates that browsers parsed incorrectly, putting users at
risk of undetectable attacks. What's new today, however, is the
indication that some CAs may also knowingly falsify certificates in
order to cooperate with government surveillance efforts.

Soghoian and Stamm also observe that browsers trust huge numbers of
CAs — and all of those organizations are trusted completely, so that
the validity of any entity they approve is accepted without question.
Every organization on a browser's trusted list has the power to
certify sites all around the world. Existing browsers do not consider
whether a certificate was signed by a different CA than before; a
laptop that has seen Gmail's site certified by a subsidiary of
U.S.-based VeriSign thousands of times would raise no alarm if Gmail
suddenly appeared to present a different key apparently certified by
an authority in Poland, the United Arab Emirates, Turkey, or Brazil.
Yet such a change would be an indication that the user's encrypted
HTTP traffic was being intercepted.

Who are these CAs, and why do we trust them? Most are for-profit
companies, though Microsoft Internet Explorer is willing to trust two
dozen governments as CAs, from a list of around 100 entities. Soghoian
and Stamm identify the governments Internet Explorer currently trusts
as Austria, Brazil, Finland, France, Hong Kong, India, Japan, Korea,
Latvia, Macao, Mexico, Portugal, Serbia, Slovenia, Spain, Switzerland,
Taiwan, The Netherlands, Tunisia, Turkey, the United States and
Uruguay. (Some countries have more than one government entity on the
list; Internet Explorer also trusts subnational governments like that
of the Autonomous Community of Valencia in Spain, and
government-affiliated organizations like the PRC's China Internet Network
Information Center.) Although there is no public evidence that this
power has been abused or that government-run CAs are less trustworthy
than private-sector CAs, each of these states has the power to
facilitate attacks on encryption anywhere in the world — not just in
its territory or Internet domain.

Certificate authorities get on browsers' trusted lists by making a
public statement about how they operate and submitting to some sort of
external audit. If they do their job properly, they make it easy for
users to securely interact with web sites and services automatically,
without having to somehow look up and manually verify encryption keys.
Yet these organizations' position at the center of the web encryption
infrastructure is largely unaccountable, since users will never know
if a CA signs off on something untrue. But any CA could choose to do
so. Given what we now know about the vulnerability of the trust
infrastructure to both technological and legal interference, we
urgently need a meaningful way to double-check the CAs. Soghoian and
Stamm propose some mechanisms and offer a plug-in to give users'
browsers more information about who is certifying sites and where the
CAs are located, which could be of particular interest to those
concerned about international espionage.

Concerned by this and other research on the vulnerabilities introduced
by CAs, EFF has also been working on concepts to help Internet users
make use of many more sources of information to supplement and
double-check the CAs — and help detect when they certify things that are not
true. We will be publishing a whitepaper to outline some of our
proposals in the near future.
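
The issuer-change scenario the article describes (a site long certified by one CA suddenly presenting a new key certified by a CA in another country) can be checked for on the client side. The sketch below is an added example, not code from the article, the paper or the plug-in it mentions. It assumes certificate dicts in the layout Python's ssl.SSLSocket.getpeercert() returns; the IssuerHistory class, the verdict names, the host, the CA names and the fingerprints are all hypothetical or constructed.

```python
# Added example: issuer-continuity check over certificate observations.
# Cert dicts follow the shape returned by ssl.SSLSocket.getpeercert();
# all hosts, CA names and fingerprints below are constructed samples.

def issuer_fields(cert):
    """Flatten the issuer RDN sequence into a {field: value} dict."""
    return {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}

class IssuerHistory:
    """Remembers, per host, the last certificate fingerprint and issuing CA."""

    def __init__(self):
        self.seen = {}  # host -> (fingerprint, org, country)

    def observe(self, host, cert, fingerprint):
        issuer = issuer_fields(cert)
        now = (fingerprint, issuer.get("organizationName"), issuer.get("countryName"))
        before = self.seen.get(host)
        if before is None:
            verdict = "first-seen"            # nothing to compare against yet
        elif before[0] == fingerprint:
            verdict = "unchanged"
        elif before[1:] == now[1:]:
            verdict = "reissued-same-ca"      # routine renewal by the usual CA
        elif before[2] == now[2]:
            verdict = "ca-changed"            # new CA, same country: worth a look
        else:
            verdict = "ca-country-changed"    # the case the article describes
        if verdict in ("first-seen", "unchanged", "reissued-same-ca"):
            self.seen[host] = now             # never learn from a suspicious observation
        return verdict

def make_cert(org, country):
    # Constructed sample in getpeercert() layout (issuer only).
    return {"issuer": ((("countryName", country),), (("organizationName", org),))}

def demo():
    h = IssuerHistory()
    usual = make_cert("Example Trust CA", "US")
    other = make_cert("Example Other CA", "PL")
    return [
        h.observe("mail.example.com", usual, "aa11"),
        h.observe("mail.example.com", usual, "aa11"),
        h.observe("mail.example.com", usual, "bb22"),
        h.observe("mail.example.com", other, "cc33"),
        h.observe("mail.example.com", usual, "bb22"),
    ]

if __name__ == "__main__":
    print(demo())
```

In real use the fingerprint would be a hash of the DER certificate from getpeercert(binary_form=True), and the history would need to persist across sessions.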