List of software & Hardware that is known to have backdoors

There is a difference between Windows 7 and other OSs in the details but how does that behaviour open a new "backdoor" that doesn't already exist in every other browser and OS combination which are all vulnerable to the presented compelled certificate creation attack?


Windows does have a backdoor, Windows Update. Even if it's not used in the typical fashion it technically is backdoor as it allows MS full remote access to the system (if you keep the default/recommended settings)
http://windowssecrets.com/2007/09/20/02-Protect-yourself-from-silent-Windows-updates

 

It's not just W7, but Vista too

From the ssl-mitm.pdf that SteveTX posted earlier

 

Yes, I read the paper, so?
Linux distros and Mozilla push ca updates depending on your settings via automatic updates. But even if your local root certs are static you are vulnerable to (government level) attacks, especially through intermediate CAs. I fail to see the "backdoor".

 

Man in the middle attacks against SSL are not new (From 2005 same attack concept). These kinds of attack have neen recognised as a fundamental flaw in the PKI architecture for a long time.

This kind of attack is also not specifically targeted against Windows 7 or later, In fact any operating system is potentially vulnerable, if there is a web browser installed (similar article related to Linux Breach of Trust» (PDF)) . Hence the extension Soghoian and Stamm present, which is for firefox ( Certificate Patrol an alternative is Perspectives : Firefox Extension). There are also similar extensions available for IE and Chrome.

Interestingly, whilst this kind of attack could be used by unscrupulous government agencies, it's not exactly an ideal way of obtaining information without detection and thus not particularly useful for said bodies.

Here's a quote from an article regarding the Soghoian and Stamm paper:

http://www.crypto.com/blog/spycerts/

The other consideration is one of legality. If a CA betrays the trust relationship with the customer by sharing private keys, it's questionable whether this would be legal in the US.

Here's a direct quote from Soghoian and Stamms' paper:

Of course, this only applies to the US and what may be illegal in that country may be relatively easily sanctioned in others.

 

Perhaps the primary goal is sowing distrust about internet security technologies.

 

So we switch to something more secure, raise awareness of such issues and educate the people. How noble!

But, that not how you meant it, right?

 

No, that's not how I meant it. Unless I've missed something, Steve hasn't even claimed that the Safehouse browser will protect against treacherous CAs. Indeed, given the system's flaws, protection may be impossible. Warning users about suspicious certificates would hardly be unique, given the availability of browser extensions.

In retrospect, the development of CA-based internet security reminds me of the infamous Clipper chip gambit -- except that it was subtle enough to succeed.