Law Enforcement Appliance Subverts SSL (wired.com)
49 points by phsr on March 24, 2010 | 40 comments



If a CA is issuing bad certificates then they need to be removed from the default CA list. Mozilla was worried about this with China a little while ago. http://www.freedom-to-tinker.com/blog/felten/mozilla-debates...

The real news will be if anyone can prove that a default CA has been compelled by court order to generate a fake certificate.


1. A lot of businesses comply with law enforcement requests without a court order.

2. If you are capable of doing this, you are also capable of attacking the automated verification methods that low-assurance/domain-validated CAs use. For example, if you can spoof DNS for a domain, you can send the CA MX records that direct all validation email to the domain to your own server. Or, if you're a government, you can work with the target's email provider and/or domain name registrar and/or anybody else willing to help; then they could get forged certificates without the cooperation or knowledge of the CA.


I used to work for a company that was looking at making an SSL splicer. That was done in the context of a transparent pass-thru network device that scans and filters traffic.

The idea was that the client would install this device on their perimeter, generate a CA certificate for the device (on the device itself) and then install this CA cert on all internal clients. In other words the clients were assumed to be cooperating.

From the technical perspective it was a piece of cake. The project still got shelved, but only because they failed to close the sale of the product.


The appliance itself doesn't seem that important. The big thing I take from the article is law enforcement needs to: "persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website." If you can get a forged certificate from a trusted cert provider, then there is a bunch of ways to do this. The box is just a convenience.


Yes - I thought this was a cryptographic breakthrough, but it's just people breaking promises.


That, and it demonstrates how bad the default SSL trust model is. If the gmail.com certificate came from Thawte yesterday and comes from the Department of Defense or CNNIC today, your browser will happily accept it without warning.


If a CA is compelled to issue a false certificate by court order, this destroys their credibility completely. If I ran a CA, I'd rather face the consequences, and let the court ask another listed CA, rather than destroy my entire business model.


Watch what happens when we find out which CAs did this. My money is on "they do not go out of business". Give it a few months.


CAs must be audited and have a certification to be accepted in the major browsers (something like WebTrust). If anyone did this, they would lose that certification immediately and then they'd be out of business because their root CA would be revoked from Windows/Firefox/Mac OS.

The question is how WebTrust would treat this type of theoretical issue.


Especially with Americans' newfound willingness to accept overreaching law enforcement measures. So long as one of the right trigger words (terrorism, children) is used, the average purchaser of certificates won't blink at the idea that law enforcement completely subverted the chain of trust that enables their customers to believe they are dealing with who it says on the certificate.


Court order?

Your argument might make sense if it was law enforcement making the request. But do you really think companies should ignore court orders?


Can a court order you to commit a fraud?


Yes. Courts can also order you to destroy property, breach (most types of) confidences, alienate people from money in their accounts, etc etc, and lie about doing all of the above.


Source?


There's a difference between fighting court orders and ignoring court orders.


Looks like all it does is replace a SSL MITM proxy.


The real bad guys can just use symmetric encryption, with keys distributed by mail or by hashing parts of certain books. It's the typical end-user going to their banking site or reading their email that's most vulnerable to such devices. China might be a top customer.


If the real bad guys are smart, they're just going to use SSL, with a single static private CA.


Public-key encryption (such as PGP) would work as well.


Or rather Off-the-record messaging: You do not want deniability, and not leave provable traces.


What will end up happening to the 'real bad guys' http://xkcd.com/538/


Shouldn't it be possible to detect when this is happening, and who's issuing the certificates? We need a plugin that snarfs the certificates as they hit your browser, and a web service to log them to (send the SHA256 of the cert, and if it's not already there, send the complete contents of the cert).

I'm game if someone else is.
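The hash-then-upload protocol this comment sketches, written out as an added example (not the commenter's code and not the Perspectives project's); NotaryService, its pre-shared key and the constructed CERT_A/CERT_B bytes are assumptions, and HMAC stands in for the public-key signature a real notary would put on its answers:

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_A = b"constructed-DER:gmail.com:issuer=Thawte:serial=1"
CERT_B = b"constructed-DER:gmail.com:issuer=CNNIC:serial=7"  # what an interception box might serve

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

@dataclass
class NotaryService:
    """Hypothetical logging service: keeps every cert reported, keyed by SHA-256."""
    signing_key: bytes                          # hypothetical pre-shared notary key
    certs: dict = field(default_factory=dict)   # fingerprint -> DER bytes
    seen: dict = field(default_factory=dict)    # host -> fingerprints, in order first seen

    def submit_hash(self, host: str, fp: str) -> bool:
        """Step 1: the plugin sends only the hash; True means the full cert is on file."""
        self.seen.setdefault(host, [])
        if fp not in self.seen[host]:
            self.seen[host].append(fp)
        return fp in self.certs

    def submit_cert(self, host: str, cert_der: bytes) -> None:
        """Step 2: only when the hash was unknown does the plugin upload the full cert."""
        self.certs[fingerprint(cert_der)] = cert_der
        self.submit_hash(host, fingerprint(cert_der))

    def query(self, host: str) -> tuple:
        """Signed history (HMAC under a pre-shared key stands in for a real signature)."""
        body = json.dumps({"host": host, "fps": self.seen.get(host, [])}, sort_keys=True)
        return body, hmac.new(self.signing_key, body.encode(), "sha256").hexdigest()

def verify_response(key: bytes, body: str, tag: str) -> bool:
    return hmac.compare_digest(hmac.new(key, body.encode(), "sha256").hexdigest(), tag)

def check_with_notary(notary: NotaryService, key: bytes, host: str, cert_der: bytes) -> str:
    """Client side: compare the served cert with the notary's history, then report it."""
    body, tag = notary.query(host)
    if not verify_response(key, body, tag):
        raise ValueError("notary response failed signature check")
    history = json.loads(body)["fps"]
    fp = fingerprint(cert_der)
    verdict = "new-host" if not history else ("known" if fp in history else "mismatch")
    if not notary.submit_hash(host, fp):  # hash unknown to the notary: send the full cert
        notary.submit_cert(host, cert_der)
    return verdict
```

A "mismatch" verdict is exactly the signal the comment is after: the cert this client was served differs from what earlier clients reported for the same host.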



A nice idea. But isn't the path from you->notaries still vulnerable to man-in-the-middle attacks? You would have to use CA authentication to verify the "notaries" you are talking to aren't fake.


It comes with a list of the notaries and their public keys. So, the only concern is if your initial download is MitM'ed.

http://www.cs.cmu.edu/~perspectives/notary_list.txt


Or the attacker could just block those servers and then spoof that file with new URLs and public keys.


Hard to spoof a file that you've already got a local copy of...


If you can't connect to the servers because the middleman blocked them, a user might assume that the servers were updated, and then proceed to use the spoofed file...


There you go!


As long as the response from the web service is signed, this could be a good solution to what I've always seen as a small vulnerability in SSL.


... assuming the web service itself is trustworthy, of course...


"The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it."

I hope I never suffer a brain cramp and say that about my company to a reporter.


There was an article on HN earlier talking about how certificates have never actually protected anyone from fraud (fraud sites don't try to forge certificates in the first place, or so the article said). Now it gets worse -- not only is it not protecting you, but it's luring you further into a false sense of 'security' and potential government surveillance? No thanks.


Authentication is hard. It's not a new problem at all. You can go to a great deal of trouble performing secure key distribution, but if you don't have a way of knowing you're doing it with who you think you're doing it with, you're basically screwed.

PGP is nice in that it bundles key distribution together with authentication, so you can at least be sure that the person you spoke to first is the same person you're speaking to now, assuming nobody's taken a $5 wrench to their knees. Unfortunately, PGP and all other factoring based key distribution methods are only secure for a limited time. People often say things like, "Secure for 1000 years assuming..." What they don't tell you is those assumptions (e.g. crackers only use classical computers with Moore's law scaling resources and currently known algorithms) are ridiculous. In general, advances in algorithms alone accelerate things greatly. Messages you send in PGP today will probably be trivial to crack within a decade, and that's not even accounting for quantum computing! Note: If you are interesting enough, this translates to messages you send today will be logged, archived, and cracked within 10 years. This is fine for credit card transactions. Not so fine for government secrets. (If you ever hear of a government employee transmitting state secrets using PGP, you are well justified to freak out.)

Quantum Cryptography promises to at least get rid of that problem, since the impossibility of cloning quantum information means that keys cannot be archived and cracked at a later time. However, authentication with a party you have not physically met remains a bit of a pickle.


Christine Jones, the general counsel for GoDaddy — one of the net’s largest issuers of SSL certificates — says her company has never gotten such a request from a government in her eight years at the company.

Wouldn't she be required by U.S. law to say this if that's what the government told her to say?

[Edit: Seems I'm out of date; the gag-order provisions I was thinking about were ruled unconstitutional a couple of years ago: http://www.aclu.org/national-security/court-rules-patriot-ac...]

P.S. God, I hate this copy/paste Read More crap.


So to counter this kind of MITM attack the browser (or other SSL-app) should allow the user to store the certificate/root certificate for a certain site, and then provide a warning when it doesn't match the stored one. Doesn't sound that hard, maybe even an extension to Fx could do that?
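One way to build the store-and-warn check this comment describes, as an added example (not the commenter's code nor any Firefox extension's); Cert is a constructed stand-in for a parsed certificate, and the store keeps the issuer as well as the leaf fingerprint so it can tell a renewal under the same CA from the CA swap described earlier in the thread (Thawte yesterday, CNNIC today):

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate (not a real X.509 object)."""
    subject: str
    issuer: str   # CA that signed it, e.g. "Thawte" or "CNNIC"
    der: bytes    # constructed bytes; the pin is SHA-256 over these

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

class PinStore:
    """Trust-on-first-use pin store: remember the leaf fingerprint and issuer
    seen for each host, and classify every later certificate against them."""

    def __init__(self, pins: dict = None):
        self.pins = pins or {}   # host -> {"fp": ..., "issuer": ...}

    def observe(self, host: str, cert: Cert) -> str:
        """Classify a served cert; never silently replaces an existing pin."""
        if cert.subject != host:
            return "wrong-subject"       # cert is not even for this host
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = {"fp": cert.fingerprint(), "issuer": cert.issuer}
            return "first-use"           # nothing to compare against yet
        if pin["fp"] == cert.fingerprint():
            return "match"
        if pin["issuer"] == cert.issuer:
            return "rotated"             # new leaf, same CA: likely a renewal
        return "issuer-changed"          # a different CA is now vouching: warn loudly

    def accept(self, host: str, cert: Cert) -> None:
        """Replace the pin only after the user has seen and accepted the warning."""
        self.pins[host] = {"fp": cert.fingerprint(), "issuer": cert.issuer}

    def to_json(self) -> str:
        """Persist the pins so they survive browser restarts."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "PinStore":
        return cls(json.loads(text))
```

The weak point, as the rest of the thread notes, is the first observation: a pin recorded while an interception box is already in the path is a pin on the wrong certificate.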


Could it be possible that GoDaddy was under court order to say that they have not had any requests? My recollection is fuzzy, I think there was a hubbub a while back about librarians being ordered to lie about Patriot Act requests.


"The government has not had us sign a MITM certificate yet. Watch closely for the removal of this notice."

http://www.librarian.net/technicality.html


I've always assumed that the government possessed the capability of creating false certs, but it is perhaps more troubling that boxes like these could be available to anyone.


Cool. So as long as I'm my own CA and I use self-signed certificates (distributed off-band) then I'm safe.



