
Anonymous Source Claims Feds Demand Private SSL Keys From Web Services

Unknown Lamer posted about 9 months ago | from the world-wide-fool-proof-cage dept.

Encryption 276

Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications." If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.


276 comments

"Main-in-the-middle"? (5, Funny)

Lieutenant_Dan (583843) | about 9 months ago | (#44372661)

Well, at least it's not "man-in-the-middle" because that would be bad.

Re:"Main-in-the-middle"? (4, Insightful)

TWiTfan (2887093) | about 9 months ago | (#44372803)

It's not a "man in the middle" attack. It's the "government on top" attack.

Re:"Main-in-the-middle"? (0)

Anonymous Coward | about 8 months ago | (#44373063)

Is "on top" supposed to make me feel better since it's not the "backdoor"?

Re:"Main-in-the-middle"? (0)

Anonymous Coward | about 8 months ago | (#44373401)

It's not a "man in the middle" attack. It's the "government on top" attack.

It is the standard fuck-you-all type of attack.

Re:"Main-in-the-middle"? (5, Interesting)

lgw (121541) | about 9 months ago | (#44372859)

The larger issue IMO is

governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications.

We haven't had a constitutional amendment in the US for some time now. We need one here. Forget specific technologies and the bizarre precedents that have twisted the 4th to allow this - we need a major reset.

Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

I can accept a lower bar for "collecting and storing information" than for "searching" but there must be some bar to clear.

Re:"Main-in-the-middle"? (0)

Anonymous Coward | about 8 months ago | (#44372923)

I fully agree, however, that is far too vague. The government does need access to some information such as census data, social security and related information, or even voter registration. That, and much more, is all controlled by the government and some of it may be public information that no ordinary person would care about them having access to.

The problem is that it is hard to write up a set of rules for what is allowed and what isn't. Too specific and it gets worked around, too vague and it is meaningless or counter-productive.

Re:"Main-in-the-middle"? (0)

Anonymous Coward | about 8 months ago | (#44372985)

I fully agree, however, that is far too vague. The government does need access to some information such as census data, social security and related information, or even voter registration. That, and much more, is all controlled by the government and some of it may be public information that no ordinary person would care about them having access to.

The problem is that it is hard to write up a set of rules for what is allowed and what isn't. Too specific and it gets worked around, too vague and it is meaningless or counter-productive.

I'd rather they didn't collect census data about me. I'd also rather they skipped the social security bullshit as well, considering it's unlikely that I will ever see any benefits from the system. I'm sure they'll find a way to let me keep the privilege of paying into it, though.

Re:"Main-in-the-middle"? (4, Insightful)

lgw (121541) | about 8 months ago | (#44373259)

I chose "the activities of a citizen" as a way to say "what we do, not who we are". Keeping "who we are" records: birth certificates, permits licensing of various kinds, etc, is different in kind from monitoring daily activities. But I'm no lawyer and don't know how to say this better.

Also, why does the government need "census data" beyond a simple headcount? Heck, I'd like to move to an income tax system that's purely a payroll tax (so the government doesn't learn how much any given individual makes, but can still tax our income).

The government collects every bit of information it possibly can, but it's time to start saying "NO! Find a way to do that without spying on us!" It's time for the pendulum to swing the other way.

Re:"Main-in-the-middle"? (1)

datavirtue (1104259) | about 8 months ago | (#44373297)

The government does need access to some information such as census data

Why? Taxation? Our antiquated income taxation system that stifles economic activity? Change over to a VAT-type or sales-tax type system and you wouldn't have to mess with a census.

Re:"Main-in-the-middle"? (1)

pixelpusher220 (529617) | about 8 months ago | (#44373251)

Probably has to be agency specific, as others have noted, some agencies legitimately do need your information to properly provide services.

Not a bad first start though.

Maybe something like 'information collected may not be used for prosecution except when collected under issuance of a warrant.'

Constitution writing is hard :)

Self signed? (4, Interesting)

Ubi_NL (313657) | about 9 months ago | (#44372683)

Does this mean a self-signed certificate is more secure than a commercial one?

Re:Self signed? (1)

i kan reed (749298) | about 9 months ago | (#44372695)

That's actually been my opinion for a while. When Firefox tells me "This connection may not be trusted" I'm less inclined to worry, because the CA is just one extra link in the chain to be broken.

US Military shares your opinion. (5, Interesting)

ron_ivi (607351) | about 8 months ago | (#44372903)

The US DoD shares your opinion. https://www.my.af.mil/afp/netstorage/login_page_files/afportal_faqs.html [af.mil] Looks like a self-signed cert not issued by any commercial vendor in the default browser lists.

Re:US Military shares your opinion. (1)

Anonymous Coward | about 8 months ago | (#44372953)

DoD maintains its own CA authorities.

Re:US Military shares your opinion. (1)

Anonymous Coward | about 8 months ago | (#44372967)

That.

It's not self-signed; it's just that the CA isn't in your trusted authority store.

Re:US Military shares your opinion. (1)

ron_ivi (607351) | about 8 months ago | (#44373133)

Right - and using those CA authorities they sign their own certs.

That's the whole point.

You set up the CA Authority - and use it to self-sign your certs - and it's safer than a commercial one.

Re:US Military shares your opinion. (2)

EvanED (569694) | about 8 months ago | (#44373377)

You set up the CA Authority - and use it to self-sign your certs - and it's safer than a commercial one.

That depends what you mean by "safer".

It's safer to you. Onto your machines you can install the certificate of your CA, and you'll know everything is peachy.

But if your audience is "the general internet population", e.g. because you're trying to sell stuff to them, it's less secure. Without a trusted or semi-trusted third party (normally served by the default CAs), there is no way to convey the authenticity of your own CA and thus of your own public key to them.

Re:US Military shares your opinion. (1)

EvanED (569694) | about 8 months ago | (#44373397)

You set up the CA Authority - and use it to self-sign your certs - and it's safer than a commercial one.

Unordained already gave a great rebuttal [slashdot.org] to your argument, said much better than what I did in my reply a minute ago.

Re:US Military shares your opinion. (0, Flamebait)

Anonymous Coward | about 8 months ago | (#44373087)

The certificate is issued by the U.S. Government. Looks like your browser is doing the right thing by not trusting it.

Re:Self signed? (2)

EvanED (569694) | about 8 months ago | (#44373339)

because the CA is just one extra link in the chain to be broken.

No, no it isn't. Not really.

According to this post [slashdot.org] , this post [slashdot.org] , and my own intuition [slashdot.org] , CAs never see your private keys. A CA cannot reveal more information than is known publicly anyway, even if they are thoroughly malicious. The most you could argue about the standard set up is that CAs give a false sense of security.

I can only think of one attack that could occur with CA-signed certificates but not with self-signed certs. If you remove all default CAs from being accepted and just store the fingerprint of the public key (e.g. what happens with SSH), then it becomes impossible for the real amazon.com public key to be silently substituted with an imposter (but malicious-CA-cleared) amazon.com public key. But if you don't clear out your list of CAs, there is no hard benefit to be gained here.

Re:Self signed? (0)

Anonymous Coward | about 9 months ago | (#44372729)

as long as you trust the source... which could have already been hijacked ;)
so maybe self signed preshared certs?

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44372929)

Why isn't anyone putting HTTPS certs into DNSSEC-enabled zones and making it a standard?

Oh right, all CAs would be useless and massive profits^W^Wjobs would be lost.

Re:Self signed? (2)

Darkinspiration (901976) | about 9 months ago | (#44372743)

Kind of ironic then that every modern browser treats self-signed certs like a pestilence. Frankly I've always thought that forcing warnings on self-signed certs was more about creating a legitimate certificate racket. I mean, when buying a wildcard certificate costs you more than $5000....

Re:Self signed? (2)

h4rr4r (612664) | about 9 months ago | (#44372781)

A wild card cert is a lot cheaper than that.
$600 is closer to what they actually cost.

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44372959)

If browsers didn't give these warnings then the NSA could just straight-up issue their own self-signed certs for any website they please and man-in-the-middle anyone at their leisure.

On another note, wild card certs cost a lot less than $5k. You can get one for 1/10th that price (per year) if you look around.

Re:Self signed? (4, Informative)

Unordained (262962) | about 8 months ago | (#44373025)

Self-signed is only fine if the client and server are in a trusted environment, exactly the environment where pre-shared keys are a possibility, so you should have loaded that cert into your client before attempting the connection.

Barring that, and in the 99% of cases where clients are talking to servers out on the wide-open internet, CA's and the warning against self-signed certs serve a very good purpose -- preventing man in the middle attacks during handshake.

If anyone (your ISP and the NSA included) hijacks your initial connection, proxies it, and substitutes their own cert, you need a way to know whether that cert is really from the destination site, or a phony. That's exactly the problem CAs solve. (Other solutions include "web of trust", pre-sharing all important keys, consensus methods, etc.)

At worst, this news means that it's possible NSA (but probably nobody else) has been able to decrypt legitimately encrypted traffic (no MitM attack with substituted keys, just a tap using the real ones) for some services, or if they have CA keys, might have been able to issue their own legit-looking certs, which with some additional work, could have enabled them to perform MitM attacks on arbitrary sites and all of their users.

But this does not mean that self-signed certs are just as good as CA-backed ones in a general sense; if you rely on those, without pre-sharing keys with all clients, then all clients are vulnerable to MitM attacks from anyone with access to modify the communication channel, not just the NSA. And considering the known issues with insecure DNS, that's a much wider field of potential attacks.

Re:Self signed? (1, Insightful)

GameboyRMH (1153867) | about 9 months ago | (#44372757)

In some situations yes, but in those same situations I don't think this news really changes anything (where you set up the cert yourself on one of your own servers for use by yourself, for instance). Otherwise this just means that these certs are slightly less secure because governments have a copy. If you're connecting to a strange server, it may be better to have a signed cert because they're still not quite as easy to come by as a self-signed one.

In any case this doesn't change the old fact that a self-signed cert is at least as good as an unsecured connection and browsers should stop throwing a shit-fit when they run into one.

Re:Self signed? (1)

Unordained (262962) | about 8 months ago | (#44373477)

In any case this doesn't change the old fact that a self-signed cert is at least as good as an unsecured connection and browsers should stop throwing a shit-fit when they run into one.

If you think browsers should instead always notify you when using a trusted CA-signed cert ("Congratulations! This site appears to actually be legit!"), with the default for self-signed and unencrypted communications being silence, yeah, I can kinda see your point. You should default to paranoia, right?

Otherwise, no; the warning issued on self-signed certs is useful because the browser doesn't know ahead of time whether a given site ought to have a CA-signed cert or not; assuming that most will, this is your first clue that your connection to amazon.com may have been compromised by a MitM attack, and what they thought was a secure channel for payment information is not only potentially vulnerable to snooping or modification, but probably being specifically hijacked for some nefarious purpose. That's some important stuff right there.

Re:Self signed? (4, Interesting)

MightyMartian (840721) | about 9 months ago | (#44372763)

Yes, providing you can guarantee the security of the private keys, if you're concerned about government(s) spying on your communications, that is definitely the way to go.

For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to take physical access to the server and to the private keys to compromise the system.

Re:Self signed? (2)

TubeSteak (669689) | about 8 months ago | (#44373137)

For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to take physical access to the server and to the private keys to compromise the system.

Counterpoint:
http://www.foreignpolicy.com/articles/2013/07/16/the_cias_new_black_bag_is_digital_nsa_cooperation?page=full [foreignpolicy.com]

During a coffee break at an intelligence conference held in The Netherlands a few years back, a senior Scandinavian counterterrorism official regaled me with a story. One of his service's surveillance teams was conducting routine monitoring of a senior militant leader when they suddenly noticed through their high-powered surveillance cameras two men breaking into the militant's apartment. The target was at Friday evening prayers at the local mosque. But rather than ransack the apartment and steal the computer equipment and other valuables while he was away -- as any right-minded burglar would normally have done -- one of the men pulled out a disk and loaded some programs onto the resident's laptop computer while the other man kept watch at the window. The whole operation took less than two minutes, then the two trespassers fled the way they came, leaving no trace that they had ever been there.

Over the past decade specially-trained CIA clandestine operators have mounted over one hundred extremely sensitive black bag jobs designed to penetrate foreign government and military communications and computer systems, as well as the computer systems of some of the world's largest foreign multinational corporations. Spyware software has been secretly planted in computer servers; secure telephone lines have been bugged; fiber optic cables, data switching centers and telephone exchanges have been tapped; and computer backup tapes and disks have been stolen or surreptitiously copied in these operations.

Re:Self signed? (2)

Adnonify (2964415) | about 8 months ago | (#44373169)

You are better off this way (which I use by the way). Get some PKI-compliant smartcard, compile everything on an offline machine (drivers, pcsc / opensc) and then make the smartcard's crypto engine generate a private key and protect it with a PIN. Use the smartcard to hold the keys. Keep the card on you at all times. Cloak it by printing a bank logo on top! You can make 2 cards, one holding the CA, and you can vault that one (it has 3 PIN attempts after which the card's data is LOST) and use that card to sign some other certs for your SSH keys and others ;) It's secure, and if you modify the DF (filesystem) of the smartcard any non-targeted attack against you, even when you connect it to a non-secure machine, will fail! Your private key will always stay safe. Y

Re:Self signed? (2)

Abalamahalamatandra (639919) | about 8 months ago | (#44373505)

If the data is that confidential, you should probably look into an actual FIPS-certified network-connected HSM instead of rolling your own.

I did a project a few years back using nCipher NetHSMs (they've since been bought up, I believe) and they were quite cool technology. Even then, I think one of these devices was in the $25K range at most.

The great thing is, if you generate a key pair with one of these, you literally cannot get access to the private key to hand over to the government, even if you wanted to.

Re:Self signed? (5, Informative)

Todd Knarr (15451) | about 9 months ago | (#44372777)

No. The Feds are requesting the private keys from the server operators themselves, not from the CA. A self-signed certificate's no guarantee the site operator hasn't coughed up the private half to the surveillance people. I'm not any more worried about this, though, since as demonstrated with XMission the government doesn't need to eavesdrop on communications when they can get access directly at the server end of things. As long as the Feds can threaten the site operator with unspecified nasty things if they don't cooperate or if they even say a word about what's going on, I have to assume any site I don't control myself is potentially compromised and any data sent to it's potentially visible to the various agencies involved or to the private contractors those agencies are using to do the grunt work. In many cases that doesn't matter much since the nature of the site's such that I won't put anything sensitive or compromising on it in the first place.

Re:Self signed? (2)

TWiTfan (2887093) | about 9 months ago | (#44372853)

The Feds are requesting the private keys from the server operators themselves, not from the CA.

Something tells me that before this is over, we'll find out they've been requesting them (and getting them) from the CA's too.

Re:Self signed? (2)

EvanED (569694) | about 8 months ago | (#44373035)

Actual question: do the CAs even ever have access to the private keys?

I'm pretty sure there's no technical reason they need them -- the CAs just need to attest to the public key, which they could do just by signing the public key. But that doesn't mean that's how the system is set up in practice, of course.

Re:Self signed? (4, Informative)

Abalamahalamatandra (639919) | about 8 months ago | (#44373269)

Actual answer: no.

The CSR (Certificate Signing Request) contains only the public half of the key, to be signed by the CA's key which results in the CA attesting that the information is verified.

The entity whose key was signed always maintains control of the private key. Which, to me, is the reason that public-key encryption is not "over". The NSA would have to strong-arm every single holder of an SSL key, not just the Certificate Authorities.

Granted, though, those private keys are not often held terribly securely - they're most often just files on a server that aren't even password-protected, because that requires an admin to type in passwords whenever the Web server is restarted. They COULD be held in an HSM, a hardware security module much like a TPM on steroids, but that's very expensive and difficult to set up.

However, none of this means that public-key crypto is broken. It's possible that individual sites could be compromised via this route (Facebook, Google, etc) but as a whole, no.
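The CSR point above, worked through in code (an example added for this edit, not code from any commenter or from a real CA's tooling): a Go program that builds a request the way a server operator would, then inspects the bytes as a CA would receive them. The host name shop.example is a constructed sample value.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// CSRFacts records everything an inspector (the CA, or anyone who intercepts the request)
// can learn from the CSR bytes alone.
type CSRFacts struct {
	Subject             string
	DNSNames            []string
	PublicKeyMatches    bool // the CSR carries the server's public key
	ProofOfPossession   bool // the CSR signature verifies under that public key
	PrivateScalarLeaked bool // the private scalar d appears somewhere in the CSR bytes
}

// makeCSR does what a server operator does: generate the key pair locally and produce a
// signing request for host. Only the DER-encoded request is meant to leave the machine.
func makeCSR(host string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	}
	// CreateCertificateRequest embeds key.PublicKey and signs with key; the private half is
	// used for the signature but never serialized into the request.
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// inspectCSR plays the CA's role: parse the request and check what it actually contains.
// The key is passed in only so the result can be compared; a real CA would not have it.
func inspectCSR(csrDER []byte, key *ecdsa.PrivateKey) (CSRFacts, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return CSRFacts{}, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return CSRFacts{}, fmt.Errorf("unexpected key type %T", csr.PublicKey)
	}
	return CSRFacts{
		Subject:             csr.Subject.CommonName,
		DNSNames:            csr.DNSNames,
		PublicKeyMatches:    pub.Equal(&key.PublicKey),
		ProofOfPossession:   csr.CheckSignature() == nil, // signed with the matching private key
		PrivateScalarLeaked: bytes.Contains(csrDER, key.D.Bytes()),
	}, nil
}

func main() {
	der, key, err := makeCSR("shop.example")
	if err != nil {
		panic(err)
	}
	facts, err := inspectCSR(der, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", facts)
}
```

Running it prints the CSRFacts: subject and SANs are readable, the public key matches, the signature verifies (which is how the CA knows the requester holds the private key without ever seeing it), and the private scalar is absent from the request. That is why a compelled CA can only misuse its own signing key; it has no private keys of its customers to hand over.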

Re:Self signed? (3, Insightful)

Speare (84249) | about 8 months ago | (#44373121)

Please see Schneier's paper on the "compelled certificate creation attack." Rather than asking a CA for the keys from Alice to Bob, they could compel a CA to vouch for an Alice to Eve, Eve to Bob connection as if it were Alice to Bob directly.

Re:Self signed? (1)

skids (119237) | about 8 months ago | (#44373185)

That would only be useful to forge certificates, and using such forged certificates would allow tracking of surveillance activities -- the provider would not see them in their own keyring so if they were seen in the wild and came to a provider's attention, their natural reaction would be to accuse the CA of having been compromised... because you have no way of knowing it's the NSA that's doing it.

Unless it totally sucks or is also hosting your SSL service, a CA neither needs nor asks for your private key, it just signs your public key.

I wonder what the NSA would do were they to make such a request and the company were to reply that the private key has been ensconced in secure crypto hardware from which it cannot be downloaded and without which the web service would not function (or would have to change its keys.)

Re:Self signed? (1)

alostpacket (1972110) | about 9 months ago | (#44372799)

Not more, but not necessarily less. With a self-signed cert, you can't verify the identity of the signer/cert. With the possibility of a compromised CA, you have (essentially) the same problem. (As far as I understand it anyway).

What I would like to know is what (if anything) can be done to verify keys without a CA? I don't know that much about crypto, so am genuinely curious. Are there techniques to do this? (Diffie-Hellman-Merkle?)

Re:Self signed? (2)

Sarten-X (1102295) | about 8 months ago | (#44372973)

With a self-signed cert, you can't verify the identity of the signer/cert.

Correct, and that's really all you're paying for when you buy a certificate from a CA: You pay enough money and provide enough documentation that they're confident you are who you say you are.

With the possibility of a compromised CA, you have (essentially) the same problem.

Almost correct. You can't really verify the identity, but your computer won't really even try because it trusts the compromised CA. The solution is to check revocation lists, but there are problems with that.

What I would like to know is what (if anything) can be done to verify keys without a CA?

Let each person be a CA [wikipedia.org] . If I know you, I can sign your certificate myself. Anybody who knows me and trusts me would then trust you. Again, compromises are fixed by revocation and expiration, but the impact is somewhat less severe.

Re:Self signed? (1)

leonardluen (211265) | about 8 months ago | (#44373187)

Let each person be a CA [wikipedia.org]. If I know you, I can sign your certificate myself. Anybody who knows me and trusts me would then trust you. Again, compromises are fixed by revocation and expiration, but the impact is somewhat less severe.

Then you get something like the eBay problem where every review is AAAAAAA++++++++++++!!!!!!1!!!!one!!eleven!!
and they are useless.

Just because I trust my friend doesn't mean I always trust him to show good judgement... how do I know he was of sound mind when he signed the cert for that tattoo parlor and came back with the pink bunny tattoo on his forehead?

Re:Self signed? (3, Interesting)

Znork (31774) | about 8 months ago | (#44373115)

There's always the Convergence project (based on the previous Perspectives CMU work).

Basically, instead of CAs you have notary servers that track changes to certificates and that you (your browser) contact to verify that they and you are seeing the same certificates.

That way, if a MITM attack is ongoing it will, if targeting you specifically, probably show a discrepancy between the certificate presented to you and the one presented to them. If targeting the specific website and MITM'ing all connections to it, the only demonstration of a problem might be that the site suddenly appears to have a new certificate, but that would still most likely alert site operators who may be surprised to note a change they didn't make.

Re:Self signed? (2)

tlhIngan (30335) | about 8 months ago | (#44373157)

What I would like to know is what (if anything) can be done to verify keys without a CA? I don't know that much about crypto, so am genuinely curious. Are there techniques to do this? (Diffie-Hellman-Merkle?)

Well, you can always fingerprint a key and verify with the owner of the site that the fingerprint is correct.

The CA model is called a "web of trust" model - it relies on you trusting someone and then seeing if a key you've been given was signed by someone you trust. In the CA model, the CA signs public keys with their private key. Your browser looks at the certificate and sees if it can verify it against the pre-stored CA public key (you presumably trust the browser vendor to give you good keys - though you're able to import the CA cert yourself if you don't trust them). If so, it's considered "trusted".

It's called a web of trust because it starts with someone. A more personal example would be your friend gives you his public key - you trust it because he physically handed it to you and for the most part, he appears to be himself. Now, your friend sends you some public keys online. You verify those keys against your trusted key you got earlier. If they match, you trust your friend has given you good keys. (This is the weakest link - which is why CAs get compromised).

Of course, you can always verify the keys yourself - you can choose to meet with those people and compare the public keys you got (or a subset, i.e., the fingerprint).

Basically, for public key encryption, the weakest link has always been trusting that the key you have is legit.

Re:Self signed? (0)

Anonymous Coward | about 9 months ago | (#44372811)

Shit. Yes it does.
If the master certs for the major signing authorities are compromised then rolling your own CA (Or self signing) is indeed more secure.

Re:Self signed? (0)

Anonymous Coward | about 9 months ago | (#44372817)

You don't give a private key to the Certificate Authority to be signed; only the public key. The same public key that you give out to each SSL/TLS connection. Getting your key signed by a commercial CA does not make it more or less secure, it only changes who trusts your key by default.

Re:Self signed? (1)

Daimanta (1140543) | about 9 months ago | (#44372831)

I really dislike the way certificates are treated right now. Certs incorporate two different things, namely authentication and encryption. Of course I understand that it is more secure to have an encrypted channel while communicating with a host that needs to be authenticated, but the reverse isn't always the case.

Sometimes I am not interested in authentication with a machine because I know that the machine in question is the right one. What I AM interested in is the fact that I should be able to communicate with that machine knowing that an outsider won't snoop on my line. The most common application I can think of where there is only authentication is an SSH connection. The fact that the link is encrypted is essential given that user data and other sensitive data passes a lot of (NSA-enabled) routers on the internet. Given the simple authentication (this is the key, are you sure?), you can quickly set up an encrypted connection without the hassle.

The www is more annoying in this respect. You have to buy (this implies paying and spending time) a certificate from a signing authority and only then can you safely browse the web the way it SHOULD be. What complicates matters is that (some/all?) browsers are absolutely allergic to self-signed certs. This is purely placebo since it is just as easy to build your own signing authority and sign your own cert with that authority. Apparently, some browsers (Firefox, I'm looking at you) don't have the reserve while the security level is exactly the same since evildoers are probably willing to go the extra mile and create their own signing authority.
There is only one option: allow self-signing as an encryption measure but not as an authentication measure. Naturally you have to take care while doing this since it could imply that any encrypted connection is secure. On the other hand, I'm not sure that people even look at the cert status of, let's say, a bank while they are connecting. The people who do that are smart enough to do the right thing anyway.

Re:Self signed? (4, Insightful)

Sarten-X (1102295) | about 9 months ago | (#44372845)

No. When a CA signs a certificate, they don't get the private key used for decryption. They just assert that a particular public key really does belong to who it says.

If the NSA has Verisign's key, for example, they'd be able to do two things:

  1. decrypt traffic sent to Verisign, which isn't very useful in itself
  2. Create and sign their own certificates as though they were Verisign.

The latter is where the man-in-the-middle attack comes in. The NSA can claim to be whoever you're trying to reach, and the certificate will look valid and be trusted by default on any system that trusts Verisign. On the other hand, a self-signed certificate isn't signed by anybody else. The NSA doesn't need anyone else's private keys to make their own and claim to be anyone. The client will see the certificate, ask you if you trust it, and unless you're in the habit of memorizing certificate fingerprints, you won't notice a difference. Once any certificate is trusted (either by default or by your acceptance), your traffic will be sent to (and decrypted by) the certificate holder.

This is actually already a problem. CAs have been compromised, and their stolen credentials have been used to sign certificates claiming to be governments, Microsoft, and other generally-trusted sites. The apparently-trusted certificates are then used to make scams look more legitimate.

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44373047)

But you can set up your own CA and use it to sign your own certificates, setting up a private chain of trust. Send the CA certificate to your users and have them trust it, then any certificate you signed with that CA is also trusted.

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44373003)

My site has always used a self-signed certificate. It's not a problem because it's a small site used by 100 people. I had been considering buying a certificate from a commercial certificate authority until I heard about the NSA spying. On that day one of my first thoughts was that the commercial certificate authorities had probably been compromised, and I was glad that I hadn't spent my money.

I'm surprised that this story took so long to come out.

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44373109)

By using a self-signed certificate, it is even easier for big brother to perform a man-in-the-middle attack. If you, as a user, are expecting a site to use a self-signed certificate, then how would you know if the server suddenly switched and started using a "different" self-signed certificate?

The idea behind the private key is that a 3rd-party proxy couldn't be inserted into your data stream and mimic your target website because it doesn't have access to the private key (and thusly can't decrypt the communication channel data in a time-efficient manner). If your cert is self-signed, then the proxy can use any self-signed cert that it wants and the end user won't get any more alerts than if they went to the website directly.

Of course, this brings up the obvious conclusion that if there were enough computing resources brought to bear on the problem, then the communication channel data COULD be decrypted in a time-efficient manner (yes, even without the original private key). The next obvious question here is "how much computing power is that?" I honestly don't know the answer to that, but I am sure that it is a measurable amount.

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44373167)

How hard is it to set up a CA?
At least that would mean that both the server and the CA would need to be hacked. Am I right?
I understand that the CA needs to be added to the client as well. Maybe not that practical for browsers and web client/server applications but maybe for M2M?

Re:Self signed? (2)

X.25 (255792) | about 8 months ago | (#44373391)

Does this mean a self-signed certificate is more secure than a commercial one?

I have spent almost 10 years of my life trying to explain to people why self-signed certs are much more secure.

People don't care.

Re:Self signed? (0)

Anonymous Coward | about 8 months ago | (#44373519)

Does no one know what a self-signed certificate is any longer?

Running your own CA is not the same as using a self-signed cert.

Time To Learn Klingon (2, Funny)

Anonymous Coward | about 9 months ago | (#44372701)

Time to learn Klingon, or invest in carrier pigeons and a Little Orphan Annie decoder pin.

I wonder if our government will be responsible for single handedly killing our consumer tech industry.

Re:Time To Learn Klingon (1)

Anonymous Coward | about 9 months ago | (#44372873)

Time to learn how to go Klingon on these government asshats.

Quantum Cracking (0)

Anonymous Coward | about 9 months ago | (#44372725)

If they don't already have it, then they'll probably soon have the ability to crack traditional encryption methods using quantum cracking algorithms. Our only hope then is post-quantum cryptography.

Distinct from quantum cryptography--which is the practice of using quantum computing algorithms for encryption--post-quantum cryptography refers to encryption methods whose algorithms can be run on traditional computer processors, but that have been specifically designed to be resistant to quantum cracking algorithms.

Forget the dollar, start saving gold. (2)

MobSwatter (2884921) | about 9 months ago | (#44372755)

Nice, now all the carders need to do is hack the NSA to get the keys to the palace on credit card fraud. By the aspect that NSA systems are 'antiquated' and incapable of even searching for an email, just how hard could that be?

Being cheap wins again (0)

Anonymous Coward | about 9 months ago | (#44372789)

For all our offsite (well, and onsite too) certs we have typically used self-signed, and simply installed the certs in the client machines.

This was done because we're cheap and lazy, but yay.

Re:Being cheap wins again (1)

Skapare (16644) | about 8 months ago | (#44373283)

Actually, being cheap loses. You are trivially vulnerable to a man in the middle attack by anyone who can intercept your traffic. They only need to create their own self-signed key (or a CA-signed one) with your site name in it.

Cisco (2)

zlives (2009072) | about 9 months ago | (#44372793)

I wish I was back in my last Cisco VPN class to see what my instructor (who, according to himself, was installing security for major industry) has to say now about my question about transparent proxies, SSL and the Cisco road map. He was recommending SSL as a better replacement to IKEv2. Granted, my tin foil hat was fully deployed about NSA snooping but...

I wish I was wrong.

Re:Cisco (1)

skids (119237) | about 8 months ago | (#44373291)

They were doing this not for NSA reasons it's just what the tech industry does: find a protocol that is a bit inconvenient to set up, and instead of making it more convenient to set up, figure out an alternate scheme that's a little easier to set up, but for which they can charge a license fee for the feature, because it's new and shiny, and the sales force has been told to make sure all the PHBs know it is new and shiny.

Of course then the rimshot comes and they realize in their haste they've done something stupid, like subject multiple streams of lan-like traffic to the ravages of a single TCP flow control session during a period of time when the Internet is designed (badly) around per-connection fairness.

Oh the land of the free ... (2, Insightful)

Anonymous Coward | about 9 months ago | (#44372813)

So the next time the US wants to chastise another country for spying on their citizens, the response is going to be "go away you hypocritical assholes".

America has lost her moral compass, and is quickly turning into a police state.

Papers please comrade.

Re:Oh the land of the free ... (2, Insightful)

Anonymous Coward | about 8 months ago | (#44372931)

America has been a police state ruled by fear for some time now; you're among the most oppressed people in the world, but it's balanced by ignorance. It's taken you guys this long to notice.

How is this "confirmation"? (2, Insightful)

xxxJonBoyxxx (565205) | about 9 months ago | (#44372835)

>> "The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

So...some guy said "yes, they're collecting keys." No written evidence, no names. We demand "citation" from people posting backstories of cartoon characters on Wikipedia, so how exactly is this "confirmation" of anything?

Re:How is this "confirmation"? (5, Insightful)

Alok (37687) | about 8 months ago | (#44372963)

Do you really expect people to say this publicly, when the most likely consequence is imprisonment and a media circus that paints them as evil villains?

Re:How is this "confirmation"? (0)

Anonymous Coward | about 8 months ago | (#44373089)

No, but then it's not actually confirmation. Who is to say the writer didn't just make up the source?

Re:How is this "confirmation"? (2)

zlives (2009072) | about 8 months ago | (#44373039)

I am sorry we are currently on a little trip winding through Hong Kong and Russia, please try again when the constitutional rights are restored.

What about non-american CA's? (3, Interesting)

Midnight_Falcon (2432802) | about 9 months ago | (#44372837)

Many have assumed for a long time that root SSL certificates have been provided by American CAs (GoDaddy, VeriSign, Network Solutions etc.), but what about foreign ones? StartSSL is Israel-based, so it can be assumed the Israeli government has the root key. What about SwissSign, based in Switzerland and run by the Swiss Post? :)

Re:What about non-american CA's? (2)

GameboyRMH (1153867) | about 8 months ago | (#44372897)

Who says they don't all have a big sharing agreement? Even for countries that are unfriendly to each other, it would be worth it to both sides. You can be sure the governments themselves aren't using this stuff.

Re:What about non-american CA's? (1)

Midnight_Falcon (2432802) | about 8 months ago | (#44373149)

That is absolutely true -- there is no way to be sure. However, it seems as though the Swiss have a penchant for privacy, especially from the Americans, which has only been rarely and recently broken. Switzerland isn't unfriendly so much as perpetually neutral, which is why it is used for private banking services, so it seems less likely a Swiss CA is compromised than an American one. Unless anyone has any information that might point otherwise...

Re:What about non-american CA's? (0)

Anonymous Coward | about 8 months ago | (#44373165)

Who says they don't all have a big sharing agreement? Even for countries that are unfriendly to each other, it would be worth it to both sides. You can be sure the governments themselves aren't using this stuff.

You do realise that in the real world, if said unfriendly country found out that one of their CAs was divulging information outside the country to an unfriendly country, those CAs would have their doors kicked in with government men's guns pointed at sweating heads in no time.

Re:What about non-american CA's? (1)

GameboyRMH (1153867) | about 8 months ago | (#44373257)

Who says a government would contact the CA directly? They could call someone in the other spy agency and say "Hey wanna trade certs? We can watch terrorists using your certs and you can watch dissenters using ours. Deal? OK great, get certs from the authorities in your own country, I'll do the same and we'll trade tomorrow."

Re:What about non-american CA's? (0)

Anonymous Coward | about 8 months ago | (#44373295)

Well, if it's anything like China, they are probably watching every single byte from a CA anyway; they probably also have surprise raids by the government on the slightest suspicion. Rogue employee perhaps? They will know.

one time pads.. (0)

spiffmastercow (1001386) | about 9 months ago | (#44372885)

Time to start giving your friends one time pads on physical media.. a few GB worth should provide plenty of encrypted chat time, though you will have to get the key to them in the first place.

Re:one time pads.. (0)

Anonymous Coward | about 8 months ago | (#44373077)

Or... you could just chat together somewhere. It's a lot more fun that way....

Think of cold war police states (3, Interesting)

DickBreath (207180) | about 8 months ago | (#44372913)

In some cold war police states half the population was employed to spy on the other half. No wonder their economies sucked.

Re:Think of cold war police states (1)

Kjella (173770) | about 8 months ago | (#44373369)

Yeah today between machines and self-service spying (meaning, people post it on Facebook themselves) it's like shooting fish in a barrel.

Isn't this more of a political issue? (-1)

Anonymous Coward | about 8 months ago | (#44372933)

Maybe once a big bad Republican is in the presidency the outrage will become more vocal and get more front and center. Until then, who really cares?

Will this do it? (5, Interesting)

Taantric (2587965) | about 8 months ago | (#44372987)

If this does not kill off the cloud or at least seriously damage the business model, I think it would be safe to say human apathy has reached critical mass and we deserve everything that is coming in the next 20-30 years.

all certs? Not just ca? (1)

KDN (3283) | about 8 months ago | (#44372993)

To decrypt, don't they just need the private key for the CA? From there I believe it's all downhill to eventually get the session keys.

Re:all certs? Not just ca? (0)

Anonymous Coward | about 8 months ago | (#44373101)

No, the private key for the CA just enables someone else to sign certs as if they were the CA themselves. It does not permit an entity holding that private key to decrypt all data encrypted by certs issued by the CA. Each cert signed by the CA contains a public key; the corresponding private key is typically not in the possession of the CA but is in the possession of the person/organization whose identity the CA is certifying in the cert signed by the CA.

Re:all certs? Not just ca? (1)

Skapare (16644) | about 8 months ago | (#44373241)

If they have the CA key, they can create a new private key for the service you are going to, reroute your traffic intended to go to that service, sending it to their own server, provide the public half of the "master" key they created, which is signed by the CA key, and your client (browser) will believe it is reaching that service when it is not. This is the man-in-the-middle attack, styled slightly differently by having the CA key instead of the target private key.

Browsers could help with that by saving the public keys they get from every site you visit, and warn/block your access later when the key is changed. Even this is not perfect since it is vulnerable to the attack on the first visit, or when the key change is believed to be because the old one expired.
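An added example in Go (not code from any poster in this thread), putting Sarten-X's point above and the key-pinning idea in this post into one runnable scenario: the CA signs the site's cert from the site's public key alone, whoever holds the leaked CA key can mint a second chain-valid cert for the same host name with their own key, and a remembered SubjectPublicKeyInfo hash still tells the two apart. The CA name, host name, key type and lifetimes are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key pair; the private half stays with whoever called it.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// mkCert issues a cert for host signed by signer (the CA key) from the subject's PUBLIC key only.
func mkCert(host string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA { // self-signed root: it is its own parent and is allowed to sign certs
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	} else {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}

// chainValid reports whether a client that trusts root would accept cert for host.
func chainValid(root, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// spkiPin hashes the SubjectPublicKeyInfo, what a pin-on-first-use client remembers.
func spkiPin(cert *x509.Certificate) [32]byte { return sha256.Sum256(cert.RawSubjectPublicKeyInfo) }

// scenario: site cert chains to the CA; an impostor cert minted with the leaked CA key also chains; pins differ.
func scenario() (siteOK, impostorOK, pinMatches bool) {
	caKey := newKey()
	root := mkCert("Example Root CA", &caKey.PublicKey, nil, caKey, true)
	siteKey, rogueKey := newKey(), newKey() // the site's key vs. an attacker's own key
	site := mkCert("www.example.com", &siteKey.PublicKey, root, caKey, false)
	impostor := mkCert("www.example.com", &rogueKey.PublicKey, root, caKey, false)
	siteOK = chainValid(root, site, "www.example.com")
	impostorOK = chainValid(root, impostor, "www.example.com")
	pinMatches = spkiPin(site) == spkiPin(impostor)
	return
}
```

Chain validation alone cannot tell the two certificates apart, which is exactly why the leaked CA key is enough for a man-in-the-middle; the pin comparison is what catches the switch after the first visit.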

fuck that (0)

Anonymous Coward | about 8 months ago | (#44373059)

Never heard about "main-in-the-middle" before reading this Article?

Well, you don't have to be ashamed of yourself; this is a secret technique only available for government agencies, you see they can tap into the "main" routes, AKA THE MOTHERFUCKING INTERNET BACKBONE, CORE ROUTERS, T1 AND YOUR FUCKING ISP!

Its time to move towards self-signed certificate AKA DO NOT FUCKING TRUST ANYONE!

If true not so bad! (2, Informative)

Anonymous Coward | about 8 months ago | (#44373085)

If true this could be bad as presently SSL uses the public / private RSA key pair for encryption as well as authentication.

BUT under the latest SSL / TLS standard (only presently client side supported by Chrome) the encryption half of the secure connection can be performed by Diffie-Hellman key exchange and that would offer perfect forward security. Meaning that all a government with the private key can do is a MITM attack, and it is possible to spot that by using multiple IP path checking and other tests.

Unfortunately, for now this scenario seems unlikely as many providers excluding google are not providing access to this key exchange scheme.

ALSO, under existing SSL you are not protected presently if a provider hands over their old expired keys to the government and these are used to crack stored session data.

SO - Put pressure on your providers to support TLS with Diffie-Hellman, like Gmail and OpenSSL!!

Not just man in the middle (0)

Anonymous Coward | about 8 months ago | (#44373275)

It is worse than that. Much worse.

SSL is typically deployed on the web without Diffie-Hellman; the RSA public key is used directly to encrypt the symmetric cipher.

If you acquire the RSA private key then you don't need to man in the middle. A packet capture is sufficient to recover the symmetric cipher and decrypt the entire session.

Re:Not just man in the middle (1)

EvanED (569694) | about 8 months ago | (#44373513)

If you acquire the RSA private key then you don't need to man in the middle.

Except that even if the claims in the article are true, no one is getting the RSA private keys.

CAs aren't given your private keys when you register for a certificate. You just give them your public key. Which means that the CA knows absolutely no more about you than anyone who goes to your website does.

Don't entirely buy this (1)

Enderandrew (866215) | about 8 months ago | (#44373341)

I've seen this claim a few times in the past. Someone a few months ago told me they were confident that the government already have private keys for every major US site.

If that were the case, why would they need to request data from Google, Microsoft, Facebook, Yahoo, AOL, etc.? All of these companies have discussed how the government requests data from them, and how they have to provide it. If the government simply had the private keys and could just sniff all traffic, they wouldn't need to.

I wouldn't be shocked if someone asked for private keys at some point, but no company is obligated to hand them over. The government wouldn't have any legal recourse to do anything about it, and it would hurt the program if it went public and went to court. The government has zero leverage in this case.

The only reason the NSA has been able to get data currently is because of the NSL program. That program needs to stop and go out the window. There is zero reason why the previous system (obtain warrants, or prove in court good reason why you had probable cause and literally didn't have time for the warrant in each case) can't work.

http://en.wikipedia.org/wiki/National_security_letter

Re:Don't entirely buy this (1)

Skapare (16644) | about 8 months ago | (#44373457)

Having the CA keys, or the site private keys, does not automatically hand data over to them. They still have to intercept the data, being sure none of it reaches the intended destination except through their MitM attack. They have the taps and the means to do this. They do NOT have the resources to do this for 100% of the population ... yet. They still need to get certain subsets of other data from these providers to do what they are doing. Don't assume that because they are asking for certain data that they do not already have a lot of other data.

SSL Certs (0)

Anonymous Coward | about 8 months ago | (#44373395)

We haven't used "legit" certs from companies like VeriSign for almost 6 years. Unless someone wants to break into our company and rip the keys from the HSMs inside the company's secured vault, I doubt there will be any compromise of our keys by ANYONE at a federal agency.

Gag orders, duress (1)

Skapare (16644) | about 8 months ago | (#44373527)

Update, 11:40 a.m. PT: Adds additional comments from a Facebook representative saying the company has not received such requests.

So how do we know this statement is not as it is due to a FISA or other type of gag order with an accompanying threat? The truth is we simply do not know if this statement is as it is due to the duress of a gag order. We do not have a pre-established duress code word, nor the trust that needs to accompany it.
