State Subversion of SSL

Discussion in 'privacy general' started by snowdrift, May 13, 2010.

Thread Status:
Not open for further replies.
  1. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    Old news to some, but:

    World governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds.

    http://www.grc.com/sn/sn-243.htm
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yep, this is a real problem with CA's -- you have to trust people you don't know.

    It has long been suspected that some of the CA's were actually ran by NSA and that some may even be fronts for criminal organizations. We just don't know. All we know is that it's not hard for even a legit CA to give out forged certificates either by coercion (NSA -- do your patriotic duty) or pay-off (mafia puts some cash in a CA's employee's pocket in exchange for forged certs).

    I would never assume SSL is secure -- you should always at least assume the government is listening. For most of us this doesn't matter as it's doubtful the NSA will be conducting identify theft. And we always have the recourse of lawsuits if our bank accounts are hijacked as a result of a forged cert being given to criminal enterprises by a CA.

    The only encryption that is secure is that where keys were signed at "key signing parties." That is where PGP keys are signed after checking the photo ID of a contact face-to-face so that you can ensure the key belongs to the person that it's supposed to belong to. This way you can build a decent WOT with other people who have also checked ID of other contacts. Relying on third party CA's is a very flawed model.
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    The only thing you can be sure w/ SSL is that your traffic is encrypted... And, while at this - it's kinda ironic how much self-signed certificates are criticised and how much their usage is being hindered by current idiotic behaviour implemented in the browsers (FF being the most infamous example). They are practically immune to this MITM stuff. Just need to verify the fingerprints with their issuer.
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Since this is a Steve Gibson thing I have a hard time taking it seriously. He is the tinfoil king of computer security. Remember "raw sockets" anyone? If the SSL encryption was compromised through certificate abuse or whatever - the entire financial system would be in turmoil. Nobody could trust their banking information was safe(!) This is the kind of stuff that really gripes me about Gibson. Anonymous sources, companies identified by numbers in memos that were "accidentally read." Everything is so cloak and dagger with Gibson.

    Most here DO realize Gibson isn't taken seriously by the computer security community, right? They laugh about him. No kidding.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    While I agree that Gibson is the tinfoil hat king, he is right about this (I didn't even know he was even talking about this, so I'll take your word for it.

    At any rate, there are other (much more respected) people who have stated the entire SSL model needs to be scrapped. Matt Blaze wrote an interesting blog post advocating just that. With the advent of these MITM boxes being sold to government, the threat is very real. All it takes is a cooperative CA (which going by some of their track records, will not be hard to find). The government probably already has their own fake CA's set-up. You can bet that at least NSA has some tricks up its sleeves.
     
  6. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Thanks, chrono and mvario. Good information. You have to wonder why this has not received more attention. The WIRED article is excellent, but this should be everywhere. Matt Blaze is sharp, much more trustworthy than Gibson. Thanks to you both!
     
  8. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    'darknets to collect real-time network intelligence' (packetforensics, enterprise)

    Can someone translate that for me ?
    Does it have any impact on the internet ?
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    "I still lock my doors even though I know how to pick the lock".

    Very true, and I think there will always be a way found to pick the lock.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
Loading...
Thread Status:
Not open for further replies.