State Subversion of SSL

Old news to some, but:

World governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds.

http://www.grc.com/sn/sn-243.htm

 

Yep, this is a real problem with CA's -- you have to trust people you don't know.

It has long been suspected that some of the CA's were actually ran by NSA and that some may even be fronts for criminal organizations. We just don't know. All we know is that it's not hard for even a legit CA to give out forged certificates either by coercion (NSA -- do your patriotic duty) or pay-off (mafia puts some cash in a CA's employee's pocket in exchange for forged certs).

I would never assume SSL is secure -- you should always at least assume the government is listening. For most of us this doesn't matter as it's doubtful the NSA will be conducting identify theft. And we always have the recourse of lawsuits if our bank accounts are hijacked as a result of a forged cert being given to criminal enterprises by a CA.

The only encryption that is secure is that where keys were signed at "key signing parties." That is where PGP keys are signed after checking the photo ID of a contact face-to-face so that you can ensure the key belongs to the person that it's supposed to belong to. This way you can build a decent WOT with other people who have also checked ID of other contacts. Relying on third party CA's is a very flawed model.

 

The only thing you can be sure w/ SSL is that your traffic is encrypted... And, while at this - it's kinda ironic how much self-signed certificates are criticised and how much their usage is being hindered by current idiotic behaviour implemented in the browsers (FF being the most infamous example). They are practically immune to this MITM stuff. Just need to verify the fingerprints with their issuer.

 

Since this is a Steve Gibson thing I have a hard time taking it seriously. He is the tinfoil king of computer security. Remember "raw sockets" anyone? If the SSL encryption was compromised through certificate abuse or whatever - the entire financial system would be in turmoil. Nobody could trust their banking information was safe(!) This is the kind of stuff that really gripes me about Gibson. Anonymous sources, companies identified by numbers in memos that were "accidentally read." Everything is so cloak and dagger with Gibson.

Most here DO realize Gibson isn't taken seriously by the computer security community, right? They laugh about him. No kidding.

 

While I agree that Gibson is the tinfoil hat king, he is right about this (I didn't even know he was even talking about this, so I'll take your word for it.

At any rate, there are other (much more respected) people who have stated the entire SSL model needs to be scrapped. Matt Blaze wrote an interesting blog post advocating just that. With the advent of these MITM boxes being sold to government, the threat is very real. All it takes is a cooperative CA (which going by some of their track records, will not be hard to find). The government probably already has their own fake CA's set-up. You can bet that at least NSA has some tricks up its sleeves.

 

http://www.wired.com/threatlevel/2010/03/packet-forensics/

http://www.packetforensics.com/

 

Thanks, chrono and mvario. Good information. You have to wonder why this has not received more attention. The WIRED article is excellent, but this should be everywhere. Matt Blaze is sharp, much more trustworthy than Gibson. Thanks to you both!

 

'darknets to collect real-time network intelligence' (packetforensics, enterprise)

Can someone translate that for me ?
Does it have any impact on the internet ?

 

"I still lock my doors even though I know how to pick the lock".

Very true, and I think there will always be a way found to pick the lock.

 

You must have all missed this thread It happens

https://www.wilderssecurity.com/showthread.php?t=268422

 

I don't venture out of the privacy section too often - so thank you!