David Heath
Tuesday, 13 April 2010 22:58
It is rapidly getting to the stage where the 'secure' padlock in your browser means nothing. Get yourself a blanket, find a cave, and crawl into it. Don't bring your computer.
Both Matt Blaze and Bruce Schneier have pointed out a HUGE problem with SSL (Secure Socket Layer) certificates and the way in which they are issued.
Putting it simply, most browsers will not object when a site's genuine certificate is replaced by a different, equally valid-looking certificate.
Think man-in-the-middle; think "the Government did it!" (more on that later).
Both Blaze and Schneier are building on the research described in a paper by Christopher Soghoian and Sid Stamm, which lays out very clearly how governments can mount man-in-the-middle attacks on any SSL connection.
As Blaze notes, "A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much."
According to the abstract of Soghoian and Stamm's paper, "This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks."
In essence, the attack permits a sufficiently powerful authority to compel a Certificate Authority to create a fake certificate. Once that has happened, all bets are off.
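As an added illustration (my own code, not the article's and not the add-on from the paper), the following shows the one thing a client can still observe in this attack: the substituted certificate validates perfectly, so the only signal is that a host's certificate now comes from a different CA than it did last time. The trust-on-first-use store, the "different country means stronger alert" heuristic and the sample certificates are all constructed assumptions.

```python
# Added example: trust-on-first-use record of which CA issued each host's
# certificate, with later connections graded against that record.
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    """Fields any client can read off an X.509 leaf certificate."""
    subject: str          # host name the certificate was issued for
    issuer: str           # issuing CA's name (issuer DN, simplified)
    issuer_country: str   # C= attribute of the issuer DN
    spki_sha256: str      # SHA-256 of the leaf's SubjectPublicKeyInfo


class IssuerPinStore:
    """Remembers the last accepted certificate per host and grades new ones."""

    def __init__(self):
        self._pins = {}  # hostname -> CertInfo

    def check(self, host, cert):
        """Return (verdict, reason). Verdicts: first-seen, ok, warn, alert."""
        prev = self._pins.get(host)
        if prev is None:
            self._pins[host] = cert
            return "first-seen", "no prior certificate recorded for host"
        if cert.spki_sha256 == prev.spki_sha256:
            return "ok", "same public key as before"
        if cert.issuer == prev.issuer:
            # Key rotation or renewal at the same CA is routine; accept it.
            self._pins[host] = cert
            return "ok", "new key, same issuing CA"
        if cert.issuer_country != prev.issuer_country:
            # Constructed heuristic: a swap to a CA under another jurisdiction
            # is the strongest hint of a compelled certificate. Do not re-pin.
            return "alert", (f"issuer moved from {prev.issuer} ({prev.issuer_country}) "
                             f"to {cert.issuer} ({cert.issuer_country})")
        return "warn", f"issuer changed from {prev.issuer} to {cert.issuer}"


def demo():
    """Constructed sequence of connections to one host; returns the verdicts."""
    store = IssuerPinStore()
    host = "mail.example.com"
    first = CertInfo(host, "Example CA", "US", "aa11")     # first visit
    renewed = CertInfo(host, "Example CA", "US", "bb22")   # routine renewal
    swapped = CertInfo(host, "Other CA", "US", "cc33")     # different CA, same country
    foreign = CertInfo(host, "Compelled CA", "XX", "dd44") # different CA, other country
    return [store.check(host, c)[0] for c in (first, renewed, swapped, foreign)]


if __name__ == "__main__":
    print(demo())  # ['first-seen', 'ok', 'warn', 'alert']
```

A "warn" is deliberately not a block: sites do legitimately change CAs, so the value of the record is in making the change visible rather than silent.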