Matt Blaze looks at the
business of SSL man-in-the-middle attacks. "A paper published
today by Chris Soghoian and Sid Stamm suggests that the threat may be far
more practical than previously thought. They found turnkey surveillance
products, marketed and sold to law enforcement and intelligence agencies in
the US and foreign countries, designed to collect encrypted SSL traffic
based on forged 'look-alike' certificates obtained from cooperative
certificate authorities. The products, available only to government
agencies, appear sophisticated, mature, and mass-produced, suggesting that
'certified man-in-the-middle' web surveillance is at least commonplace and
widespread enough to support an active vendor community."
Blaze: The Spy in the Middle
Posted Mar 24, 2010 20:51 UTC (Wed) by Gollum (subscriber, #25237)
If anyone wants to play with this capability, OWASP Proxy allows you to simulate it quite easily.
Basically, it uses a CA cert to sign site-specific certs on demand (as encountered). Typically, that CA cert will be self-generated, and self-signed, and would have to be manually imported into the targeted browsers. However, in the scenario in the story, that CA cert would actually already be trusted by the browser, and no manual import step would be required.
Posted Mar 24, 2010 22:38 UTC (Wed) by PaulWay (✭ supporter ✭, #45600)
In a way this shouldn't surprise anyone. The weakest link in issuing SSL certificates has always been the question of how much checking the issuing CA does to make sure that the requester of the certificate has the right to ask for that certificate - I shouldn't be able to get a certificate for a domain if I'm pretending to be "Google Inc." (the real one doesn't have the dot). How hard do they check? How do we know that they haven't just been bribed to give it, or strong-armed by their government? How do we know that the person who got this certificate hasn't shopped around to find the CA that offers the least amount of checking? We don't, that's the problem.
But I disagree with Matt's assertion that this means we have to invent a new certificate signing and authentication technology in order to solve this. This is not a technological problem, it's a social one. We need to reduce the number of Certificate Authorities, ensure they verify everything to the same (high) standard as everyone else, and make the process open so that we can verify it. The issue of the Chinese CA in Firefox only highlights this issue. Coming up with a standard even more complex than X.509 is not the answer.
Have fun,
Paul
Blaze: The Spy in the Middle
Posted Mar 24, 2010 23:27 UTC (Wed) by dlang (✭ supporter ✭, #313)
The problem with reducing the number of CAs is that it gives those companies monopoly power to set the pricing of the certs.
Remember, these are the same companies that have charged $300 for a cert, but upped the price to $900 if you wanted the cert to have a flag turned on to let export browsers use full encryption strength.
Blaze: The Spy in the Middle
Posted Mar 24, 2010 23:56 UTC (Wed) by martinfick (subscriber, #4455)
Not to mention that it means that by compromising/bribing/strong-arming one CA, it means you would now potentially compromise more certificates. This makes it more valuable to compromise a single target CA, and thus more worth the effort.
Blaze: The Spy in the Middle
Posted Mar 25, 2010 5:40 UTC (Thu) by branden (subscriber, #7029)
Does *every* LWN discussion have to degenerate into Mark Shuttleworth-bashing?
Blaze: The Spy in the Middle
Posted Mar 25, 2010 12:08 UTC (Thu) by stevan (subscriber, #4342)
:-) That comment must have taken some thawte.
Blaze: The Spy in the Middle
Posted Mar 26, 2010 21:56 UTC (Fri) by dlang (✭ supporter ✭, #313)
Huh? Where was the Mark Shuttleworth bashing in this thread? I was talking about the pricing that Verisign puts on certs.
Blaze: The Spy in the Middle
Posted Mar 26, 2010 22:30 UTC (Fri) by foom (subscriber, #14868)
It was a joke.
Mark Shuttleworth is rich enough to fund Ubuntu because he sold Thawte (another company that
used to sell overpriced certs) to Verisign in 1999.
Blaze: The Spy in the Middle
Posted Mar 26, 2010 23:29 UTC (Fri) by nix (subscriber, #2304)
And stevan's comment was one of the worst puns I've seen this year.
Cert generation
Posted Mar 28, 2010 6:28 UTC (Sun) by man_ls (subscriber, #15091)
$900 to generate a random prime number, no matter how long, does indeed seem a bit steep. Nowadays even $10 is a ripoff: it takes about 10 seconds of CPU time.
Cert generation
Posted Mar 28, 2010 6:46 UTC (Sun) by dlang (✭ supporter ✭, #313)
to be fair, the cost of the cert is supposed to cover the cost of validating the identity of the person asking for the cert and then to maintain housekeeping things like security, redundancy of the signing key, revocation list, etc.
the thing that makes the $900 so bad is that all of this work needed to be done for the $300 cert as well, the only difference between the $300 and $900 option is a tag inside the cert. Most cert vendors don't have the two grades anymore.
also, since the export browser restrictions were lifted, there really shouldn't be anyone using an 'export browser' that would act any differently with the two types of certs (when was the last 'export' browser shipped?) If anyone is still using such a browser they have so many security holes that downgrading the encryption to 40 bits is a minor risk.
Profit!
Posted Mar 28, 2010 8:11 UTC (Sun) by man_ls (subscriber, #15091)
The marginal cost of an additional certificate, in terms of keeping backups and revocation lists and securing master keys is close to zero. Storing and sending 2KB has always been cheap. The only item with an appreciable marginal cost is identity validation, and the validation done by "certificate authorities" is a joke, now as always. Why? Because they are businesses; you just have to follow the incentives.
Imagine the amount of identity validation done by credit agencies such as Visa, or even by banks: they are very superficial. These guys are actually giving you credit, and they will have to pay if you don't. Even so, the amount of validation is (at least here in Europe) hardly worth 10, according to my own estimations. Now what incentives do CAs have to make thorough checks? They are not giving you credit, and they have zero liability if you are not who you claim to be. Therefore it makes good business sense to skim over any ID presented and not think twice about it.
DNSSEC
Posted Mar 24, 2010 23:34 UTC (Wed) by dwheeler (guest, #1216)
A useful counter to this would be DNSSEC, if it were widely deployed and used to get SSL certs. Then the browser could get a cert for google.com, and check that it's right for google.com.
Of course, it's not perfect. For example, there's the problem that someone may direct people to g00gle.com... but more people can check URLs (as compared to certificate data), so I think it'd still be an improvement.
DNSSEC
Posted Mar 24, 2010 23:50 UTC (Wed) by gmaxwell (subscriber, #30048)
DNSSEC also reduces the need to have so many separate CAs able to mint arbitrary certificates.
The automatic "follow the name" trust delegation in DNSSEC doesn't suffer the flat trust model problems that we have with SSL certificates. E.g. the trusted authorities running .cn can't use that authority to create fake .us domains.
DNSSEC
Posted Mar 24, 2010 23:58 UTC (Wed) by martinfick (subscriber, #4455)
No, but it sure seems like it would actually make it easier for the US gov. to intercept us domains...
DNSSEC
Posted Mar 25, 2010 0:58 UTC (Thu) by foom (subscriber, #14868)
Why would the US govt having control over the signing key for .us make interception easier than
them having control of N of the M signing keys browsers trust for SSL? (I hope you don't think the
US Govt somehow lacks the ability to sign arbitrary SSL certificates...)
DNSSEC
Posted Mar 25, 2010 3:09 UTC (Thu) by martinfick (subscriber, #4455)
> Why would the US govt having control over the signing key for .us make
> interception easier than them having control of N of the M signing keys
> browsers trust for SSL?
Since in one case interception is easy for 100% of the cases that I
specified (US domain traffic), and in the other case, interception is only
easy for a fraction of the US domain, i.e. that fraction of the US sites
which are signed by the N US gov. controlled keys.
> (I hope you don't think the US Govt somehow lacks the ability to sign
> arbitrary SSL certificates...)
Why wouldn't they? Even I can sign any arbitrary key, as long as I can see
it. But what good does it do for them or me for intercepting traffic? It
is only valuable if they/I can sign it with the key of a CA that others
trust.
DNSSEC
Posted Mar 25, 2010 5:38 UTC (Thu) by foom (subscriber, #14868)
> in the other case, interception is only easy for a fraction of the US domain, i.e. that fraction of the
> US sites which are signed by the N US gov. controlled keys.
That's not the case. It's easy for *all* sites on the internet, .US domain or not!
As this article points out, all they need is to have control of the private key for *ONE* CA that web
browsers trust, and they can man-in-the-middle every SSL-protected site on the internet.
And, as I tried to say in the message you responded to, I'm pretty certain that some three-letter-
agency in the US govt controls at least one trusted CA private key. Most likely more than one. It
would just be colossally incompetent for them not to have that ability, considering how easy it is to
obtain.
DNSSEC
Posted Mar 25, 2010 6:18 UTC (Thu) by martinfick (subscriber, #4455)
True, it does seem that trusting a certificate signed by any single CA of a
vast list is ripe for abuse.
DNSSEC
Posted Mar 25, 2010 20:16 UTC (Thu) by HenrikH (guest, #31152)
Also browsers should put up a warning when a site all of a sudden has changed certificate/CA. Yes, it would give false positives when sites change their certificates due to expiry date, but the algorithm could include expiry date, and also most sites probably change their CA more seldom than they change their certificates, so a stronger warning could be issued then.
DNSSEC
Posted Mar 27, 2010 2:06 UTC (Sat) by hamish (subscriber, #6282)
A Firefox extension that pretty much does this is available (surprise surprise).
It shows you each site's certificate when the browser first encounters it, then shows you a side-by-side comparison if the site ever changes its certificate.
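The check described in the two comments above (remember each site's certificate, warn when it changes, take the expiry date into account, and warn harder when the CA changes), as an added example that is not part of the thread and not the code of any extension mentioned in it. The 30-day renewal window, the verdict names and the sample records are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=30)  # assumption: a swap this close to expiry is expected


@dataclass(frozen=True)
class SeenCert:
    fingerprint: str      # SHA-256 over the certificate's DER bytes
    issuer: str           # issuer distinguished name (the signing CA)
    not_after: datetime   # expiry date taken from the certificate


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


class CertMemory:
    """Remembers the last certificate seen per host and grades any change."""

    def __init__(self):
        self._seen = {}

    def check(self, host: str, cert: SeenCert, now: datetime) -> str:
        verdict = self._grade(self._seen.get(host), cert, now)
        # On an alert the old record is kept, so one unexpected certificate
        # cannot silently become the new baseline.
        if verdict != "alert":
            self._seen[host] = cert
        return verdict

    @staticmethod
    def _grade(old, new, now):
        if old is None:
            return "first-seen"
        if old.fingerprint == new.fingerprint:
            return "unchanged"
        if old.issuer != new.issuer:
            return "alert"        # different CA: the strongest warning
        if old.not_after - now <= RENEWAL_WINDOW:
            return "renewal"      # same CA, old cert expiring or expired
        return "warn"             # same CA, but replaced long before expiry


# Constructed sample data: placeholder bytes stand in for real DER certificates.
NOW = datetime(2010, 3, 25)
ORIGINAL = SeenCert(fingerprint(b"cert-A"), "CN=Example CA 1", NOW + timedelta(days=300))
REISSUED = SeenCert(fingerprint(b"cert-B"), "CN=Example CA 1", NOW + timedelta(days=665))
OTHER_CA = SeenCert(fingerprint(b"cert-C"), "CN=Example CA 2", NOW + timedelta(days=365))
```

In a real client the three fields would be taken from the certificate presented in the TLS handshake rather than from constructed records.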
Multiple authorities
Posted Mar 25, 2010 5:20 UTC (Thu) by ncm (subscriber, #165)
I might trust a certificate more if it were signed by several independent and mutually hostile authorities. Why can't my browser tell me how many independently-rooted signatures a certificate has? Why shouldn't my bank have its certificate signed by two dozen of them? Shouldn't I be notified if they had two dozen, last time I connected, and now only have two? The more sensitive the service, the more signatures I would like to see. If it takes a full minute at 100% CPU to check them all, fine. I'll put in my password when I'm satisfied, after 15 seconds, or 30, or after it's done.
We should be able to educe some sort of objective, albeit probably noisy, measure of independence, between root authorities by scanning sites.
Multiple authorities
Posted Mar 25, 2010 20:48 UTC (Thu) by blitzkrieg3 (subscriber, #57873)
From TFA:
> It's worth pointing out that, from the perspective of a law enforcement or intelligence agency, this sort of surveillance is far from ideal. Although current browsers don't ordinarily detect unusual or suspiciously changed certificates, there's no fundamental reason they couldn't (and the Soghoian/Stamm paper proposes a Firefox plugin to do just that).
I would absolutely LOVE to see this. I had no idea that the CA's were willing to sign certs for governmental agencies, but that information is actually not that surprising.
Web of trust and fingerprints in print
Posted Mar 25, 2010 14:43 UTC (Thu) by edmundo (guest, #616)
Is the solution to stop using CAs and use a web of trust, like PGP/GPG, instead?
And in the case of banks and other large organisations, shouldn't there be an easy way for them to publish a fingerprint of their genuine key, which they could mention in the small print in every brochure they print, and for me to compare that fingerprint with what my browser thinks it is?
Web of trust and fingerprints in print
Posted Mar 26, 2010 1:03 UTC (Fri) by PaulWay (✭ supporter ✭, #45600)
In a word, no. The web of trust is much easier to subvert - partly because you then have a non-uniform level of verification (see Martin Krafft) and partly because the number of checks you need to perform slows things down.
But what you're probably thinking of is just having multiple CAs able to sign a single SSL certificate. I think this would probably give a lot better assurance in the short term.
One thing that might be interesting would be an academic survey of which CAs are signing which SSL certificates. See if there are patterns that might indicate a level of trust or distrust that isn't publicly stated.
Have fun,
Paul
Web of trust and fingerprints in print
Posted Mar 26, 2010 12:52 UTC (Fri) by __alex (subscriber, #38036)
There is also a non-uniform level of verification among CAs right now. A GPG style WOT is perfectly
acceptable *if* you constrain your trusted signers list to only signers you trust to offer a high level
of verification (e.g. what CAs are meant to do.)
I agree that a multiple signers approach *combined* with audited high levels of verification that CAs theoretically provide is a strong approach. I don't think it's only useful as a short-term fix though.
Why don't you think it's a long term approach?
Web of trust and fingerprints in print
Posted Mar 28, 2010 17:29 UTC (Sun) by PO8 (guest, #41661)
Web of trust is the right solution, if you do it right. It models the situation with paper credentialing rather nicely, and society seems to function pretty well on that system.
The key is that each side needs to be able to easily specify an automatically-checkable trust policy that meets its needs. There is no one "right criterion" for deciding whether to trust a counterpart---different situations and different counterparties demand different levels of trust verification. If the web of trust is treated as a credentialing mechanism, and a trust policy is used to check for the right credentials, then this to my mind is a far better solution than any centrally-run identity-based one.
Blaze: The Spy in the Middle
Posted Mar 25, 2010 15:35 UTC (Thu) by tialaramex (subscriber, #21167)
So, I read this article, and the article it links to, but then I grew bored of following links. Maybe the below is answered, somewhere, somehow.
Where's the beef? Forging a web cert leaves a trail of evidence. We already had one LWN thread in which it was claimed that this is done (CAs creating certs for organisations without their knowledge), and now we have people saying it's "routine", and yet still no evidence.
When someone offers me shrill warnings about something they have no evidence is happening at all, I wonder what their agenda is. When other problems were claimed in the CA system the claims came with ample evidence, in the form of home-forged MD5 certs, bogus certs issued based on stolen headed note paper, that sort of thing. So why not this time?
And I say all this as someone who deeply distrusts the current CA system and hopes to see movement towards hierarchical DNS based public key distribution which would make working security affordable to almost everyone.
Blaze: The Spy in the Middle
Posted Mar 25, 2010 20:52 UTC (Thu) by blitzkrieg3 (subscriber, #57873)
The article and even the summary stipulate that there *are* bogus certs out there that are signed by CA's for the government's use. I'm assuming finding such a cert as "evidence" is hard to do, either because the researchers couldn't get the government to eavesdrop on them or they didn't work in these government agencies and couldn't get their own bogus cert signed by the CA as proof.
Blaze: The Spy in the Middle
Posted Mar 26, 2010 4:15 UTC (Fri) by jhhaller (subscriber, #56103)
If I were betting, the most likely certificates to be forged would be the ones for "anonymous proxies", or for sites dealing in illicit videos. For most of the sites people typically visit, either the government already has access via warrants, or the site is "uninteresting", although the definition of uninteresting may vary by government. These sites may not get enough attention for anyone to notice a changed certificate.