Government Could Forge SSL Certificates 168
FutureDomain writes "Is SSL becoming pointless? Researchers are poking holes in the chain of trust for SSL certificates which protect sensitive data. According to these hypothesized attacks, governments could compel certificate authorities to give them phony certificates that are signed by the CA, which are then used to perform man in the middle attacks. They point out that Verisign already makes large sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement. The researchers are developing a Firefox plugin (PDF) that checks past certificates and warns of anomalies in the issuing country, but not much can help if government starts spying on the secure connections of its own citizens."
If security is really important to you (Score:5, Insightful)
If you really want to be secure and you are using certificates you should be self signing and exchanging the self signed certs with your partners out of band.
Generate your own certificates... (Score:2, Insightful)
and distribute them by mail or something. That doesn't help taking to your bank,
but then again if the government wants your bank balance they'll just ask the bank.
DNSSEC has a similar attack against it (Score:4, Insightful)
with DNSSec we can put IPSEC public keys in DNS entries
Unless the government compels domain name registrars to sign phony DNS public keys.
For the ultra-paranoid, you can publish the same IPSec public key on both and make clients compare the two.
Which is little different from hosting something at two different domains with TLS certs from different registrars in different countries.
They've Always Been Pointless (Score:4, Insightful)
Re:If security is really important to you (Score:5, Insightful)
I like the way OpenSSH does it -- Trust On First Use (TOFU). First time you visit a server you're warned of possible MITM and given a fingerprint (which you could have, say, confirmed in person). After that you never see a warning again unless the server's key unexpectedly changes. No forcing you to automatically trust CAs, and no overstated warnings about self-signed certs.
no duh (Score:3, Insightful)
Nobody would ever seriously say that x.509's single point of failure for trusted introducers is a good idea; it just happened to be easy to deploy and got some encouragement along the way because some people could make money on it. But as soon as you look at it in terms of security, it doesn't fare very well.
OpenPGP encourages multiple certifiers for an identity: so they're all required to conspire to sell you out. Conspiracies are hard. Build your next network app on top of Gnu TLS and make sure you test with OpenPGP, so that some day we can switch to modern (and by modern, I mean about 1990-level tech) crypto.
BTW, governments are a great example, but always remember that they are not the only entities with capability or motivation to point a gun at someone. And even if you don't believe that, you've got to admit there are multiple governments, and only one of them at most, is accountable to you. Anyone who says that the cert system should be left vulnerable because the public has an interest in making sure that communications aren't "too secure," definitely isn't thinking about all the angles. The inherent weaknesses of X.509 should never have been used as an argument for building the web on it.
Story misses the point (Score:3, Insightful)
Re:Does that mean... (Score:5, Insightful)
A specific self-signed cert, that you have some out-of-band reason for trusting, is extremely secure because only by compromising the computer storing the signing key could an adversary produce a fake one of those.
The problem is, outside of fairly trivial scenarios(corporate intranet with self-signed certs, worker drones' browsers trust that cert by group policy; small group of paranoics who know each other IRL exchange keys under the bridge at midnight), establishing that out of band reason for trusting a cert is a pain in the ass, and not amenable to any particularly clear solution.
CAs are basically the ugly-not-really-all-that-good solution that has the virtue of working in practice. You trust the cert because the big corporation whose business is attesting to the trustworthiness of certs says you should trust it. Easy, simple, and actually works ok from a strictly financial perspective(ie. the amount of money that Verisign can make by selling overpriced sequences of bits that make the magic green bar appear in consumer browsers is greater than the amount that they could make by MiTM attacking a whole bunch of banking sessions and then fleeing to Namibia with their reputation in tatters).
Where it breaks down is non-strictly-financial situations. It is highly unlikely that clandestine cooperation, for surveillance purposes, with state agencies is all that costly to Verisign, or their ilk(and may in fact be lucrative, as doing various sorts of wiretaps is for the telcomms). If your threat space is just occupied by script-kiddies and Ukranian cyber criminals, commercial CAs work pretty well. If it is occupied by state entities who want information rather than money, there is no particular reason to expect them to work.
Re:DNSSEC has a similar attack against it (Score:4, Insightful)
It's worth pointing out that the technique described here isn't a "hack" that can be patched, it's an intrinsic feature of public-key crypto, and specifically a direct consequence of unreservedly trusting the CAs. The CAs are capable, using no tricks or computer hackery, of creating as many "redundant" signed certs for the same qualified name as they wish.
Paranoia is all well and good... (Score:5, Insightful)
Essentially if you really want secure end to end communication with someone that is more or less fool proof and not subject to outside interference you have to manually exchange keys. It's always been this way. Any time you do less you are trusting *someone* other than yourself and person at the remote end. The simple point is that we *have* to trust someone to exist in society. We trust that the government will not suddenly decide to print "Braquats" and declare Dollars (or Pounds, or Euros, or whatever) useless. We trust that the bank won't wander off with all our money. We trust that our ISP isn't just putting up servers that pretend to be the Internet and are slowly stealing everything we type into our browsers. We trust that the grocery store hasn't poisoned all the produce. Virtually every social action we take involves some modicum of trust that the "other guy" is acting in reasonably good faith.
Thus far the certificate authorities have been trustworthy. Could they be compromised? Of course. Could the clerk at the grocery store be bribed to poison all the produce? Of course. Do we have any reason to think the CAs *have* been compromised? Not that I'm aware of. It's pretty straightforward. Are you doing something that needs to be *completely* secret? Exchange keys with the remote end manually. Are you doing something that needs to be as secret as one can reasonably expect while still dealing public entities? Use the CAs. They have an extremely good track record and seem to be about as trustworthy as anyone can reasonably expect.
Re:DNSSEC has a similar attack against it (Score:3, Insightful)
The problem with a system that relies on trusted third parties is that these third parties have to be, well, trusted. This implies that they are trustworthy. Have you evaluated all of the CAs on the list included with your operating system and browser for trustworthiness? I know I haven't. I've delegated that to the OS vendor and the browser vendor. Should I be doing this? Do I have evidence that shows that my OS vendor and browser vendor are trustworthy? And whose interest do they work for?
These are all things that need to be evaluated when dealing with a system that requires trusted third parties. The problem, of course, is that very few people actually do this. SSL is a system that requires trusted third parties if you are to put any trust in the fact that the certificate signed by a CA really belongs to the person the CA says it belongs to.
[This is, technically not true with self-signed certificates. Anybody can be a CA. Just self-sign a certificate and use that to sign the certificates of others. The problem is that you're not included by default. Of course, there are some sites that have their own CA, either for business reasons or because they can. They have an internal CA that they use to sign certificate for business purposes. These CAs are verified and pushed to machines, either by Active Directory at Windows sites or some other mechanism. There's no reason that an individual can't do the same when they generate certificates. The problem is that the fingerprint of CA certificates needs to be validated out of band in order for you the avoid a man in the middle attack when distributing the CA certificate to somebody else. This sort of distribution of SSL certificates would not require a trusted third party, but you would need to be able to identify the person or organization giving you the fingerprint and judge their trustworthiness.]
Re:Generate your own certificates... (Score:3, Insightful)
Actually, the banks already have a way to distribute the certs: put them on smart cards. The bank can trust the cert because they issued it. The customer can trust the cert because the bank handed it to them.
There are many good security features a smart-card based solution brings to the table. First, the bank is entirely in charge of their own security from end-to-end. There is no trusting of third parties*. The bank is able to uniquely verify the presence of your card, and can refuse to transfer money without it. And if the bank is compelled by a warrant to cooperate with the government, they just hand over the data without fooling around with a clumsy man-in-the-middle attack, .
What's really needed is a ubiquitous smart card reader to be included on standard computer builds.
*Actually, you still have to trust the third parties who provide the applications, operating systems and hardware. The only completely secure way around that is for the bank to provide the actual computer to the customer, via a handheld card device like Vasco makes. A close second is by providing a custom bootable image on read-only media. [slashdot.org]
Re:If security is really important to you (Score:3, Insightful)
Exactly like Firefox (and probably other browsers): if you delete all the CA certificates, you'll get warned the first time you visit an encrypted site. Firefox shows you the certificate data, and you can accept and mark "Permanently store this exception".