[LINK] RFC: Could CAs Be Eavesdropping on Their Clients?

Roger Clarke Roger.Clarke at xamax.com.au
Sun Aug 15 10:58:59 AEST 2010

Lauren Weinstein has posted the link to an article which provides 
further information on the topic.  Google Scholar entries suggest 
that it hasn't been published in a reviewed venue yet:

Soghoian C. & Stamm S. (2010?)  'Certified Lies: Detecting and 
Defeating Government Interception Attacks Against SSL', at 

(Soghoian is a PhD candidate at Indiana, and Stamm is a Mozilla employee:
http://www.dubfire.net/, http://www.sidstamm.com/ )

As I currently understand it, the "eavesdropping" capability works as follows:

Assume that a third party wants to monitor messages flowing between 
Parties A and B.  Further assume that Party B supports channel 
encryption (e.g. https for the Web), i.e. has a set of key-pairs and 
a certificate.

(1)  The third party acquires a domain-name very similar to that of
      Party B (e.g. nab.biz, sydneyoperahouse.com)

(2)  The third party generates key-sets, and acquires a certificate
      in the name of Party B.

      This is easily done, because the authentication process is based
      simply on the ability to respond to an email sent to the address
      found in the whois directory.

      (The paper above describes two other ways - (1) the third party
      becomes a CA and issues itself a certificate, (2) the third party
      forces a CA to issue it a certificate, e.g. using legal powers)

(3)  The third party causes Party A to communicate with them at the
      masquerade domain-name.  This is non-trivial - and probably the
      only actually difficult part of the process;  but various means
      are available depending on the specific context

(4)  Party A's browser detects nothing amiss, because the site
      provides a valid certificate and channel encryption (e.g. https)
      is successfully established

(5)  Party A communicates with the third party on the assumption that
      it is talking to Party B

(6)  The third party connects with Party B at its real address, i.e.
      it asks for a secure channel in the normal manner, and passes
      Party A's messages on to Party B, and Party B's responses back to
      Party A

(7)  This constitutes a man-in-the-middle attack.  All communications
      between Party A and Party B flow through the third party, in a form
      that makes the content of the messages accessible to it

This does indeed appear feasible.

The original depiction was misleading, however.  It's not properly 
described as eavesdropping on a secure channel between two parties.

It's the contrivance of a man-in-the-middle attack by tricking one of 
the targeted parties into communicating with the third party instead 
of the party that they intended to communicate with.

Any further thoughts are very welcome of course!


On 2010/Aug/14, at 10:02 AM, Roger Clarke wrote:

>  The NYT story below says that Certificate Authorities (CAs) have
>  proliferated to c. 650, and, worse than that, are out of control.
>  Here follows a quick analysis (off the top of the head, without
>  research) on two key aspects of the points made in the article.  I'd
>  be delighted if linkers can show me that my analysis is awry.
>  _____________________________________________________________________
>  The fundamental function of a CA is to attest to the association
>  between a public key and an entity.
>  1.  Re the Value of a Certificate
>  Generally:
>  (a)  few organisations that could be expected to act as CAs actually
>       do so.  Possibilities in Australia, for example, include ASIC
>       for companies and Medical Registration Board(s) for health care
>       professionals
>  (b)  few organisations that act as CAs are trustworthy
>       (Verizon, for heaven's sake??)
>  (c)  quite limited investment is made by CAs in authenticating the 
>  claim
>       by the applicant that it really, truly is the entity that it
>       represents itself to be.  (There's been talk about enhanced
>       authentication processes, including in the article below, but
>       I remain sceptical about how much progress has been made)
>  (d)  the level of assurance provided by CAs to people who rely on the
>       certificates that they issue is almost zero
>  Ergo:  certificates are worth very little, nomatter who issues them.
>  Ergo:  whether a browser-supplier uses certificates issued by a
>  'brandname' organisation like Verizon, or by a twice-removed
>  sub-licensee called Dodgy Bros. Ltd, doesn't make much difference to
>  the assurance level.
>  2.  Re Eavesdropping by CAs
>  "Mr. Eckersley noted that [Dodgy Bros. Ltd] could misuse its position
>  to eavesdrop on the activities of Internet users".
>  I don't get it.  The analysis below explains why.
>  In order to "eavesdrop" on a channel protected using SSL/TLS, a third
>  party needs two things:
>  (1)  copies of the messages that flow between the two parties
>  (2)  the key needed to decrypt the messages.  (That's exchanged 
>  between
>       the parties using a public key-pair owned by one of the parties.
>       So the third party needs that particular private key, in order to
>       decrypt the key-exchange message and extract the encryption key)
>  As regards (1), an organisation that provides a CA service would not
>  normally be on a traffic-route between its customers.  So the CA
>  would have to either contrive to be there, or intrude spyware into
>  its client's device in order to get copies of messages.  In either
>  case, it would be in serious breach of its role, and quite probably
>  of local laws.
>  As regards (2), an organisation that asks for a certificate from a CA
>  provides its public key, but must under no circumstances expose its
>  private key - to anyone, least of all the CA.  So the CA would have
>  to either trick its client into providing its private key (e.g. by
>  offering a key-generation service), or intrude spyware into its
>  client's device in order to get a copy of the private key.  In either
>  case, it would be in serious breach of its role, and quite probably
>  of local laws.
>  I have no respect for Dodgy Bros Ltd, and little respect for Verizon.
>  But is corporate criminality so mainstream that behaviour of this
>  kind is actually going on?
>  _____________________________________________________________________
>  A Warning About a Weak Link in Secure Web Sites
>  Published: August 13, 2010
>  SAN FRANCISCO - Computer security researchers are raising alarms
>  about vulnerabilities in some of the Web's most secure corners: the
>  banking, e-commerce and other sites that use encryption to
>  communicate with their users.
>  Those sites, which are typically identified by a closed lock
>  displayed somewhere in the Web browser, rely on a third-party
>  organization to issue a certificate that guarantees to a user's Web
>  browser that the sites are authentic. But as the number of such
>  third-party "certificate authorities" has proliferated into hundreds
>  spread across the world, it has become increasingly difficult to
>  trust that those who issue the certificates are not misusing them to
>  eavesdrop on the activities of Internet users, the security experts
>  say.
>  "It is becoming one of the weaker links that we have to worry about,"
>  said Peter Eckersley, a senior staff technologist at the Electronic
>  Frontier Foundation, an online civil liberties group.
>  The power to appoint certificate authorities has been delegated by
>  browser makers like Microsoft, Mozilla, Google and Apple ... to
>  various companies, including Verizon.
>  [The expression 'delegation of power' isn't appropriate.  Less loaded
>  would be 'Browser-makers use certificates issued by various
>  companies'.]
>  Those entities, in turn, have certified others, creating a
>  proliferation of trusted "certificate authorities," according to
>  Internet security researchers.
>  According to the Electronic Frontier Foundation, more than 650
>  organizations can issue certificates that will be accepted by
>  Microsoft's Internet Explorer and Mozilla's Firefox, the two most
>  popular Web browsers. Some of these organizations are in countries
>  like Russia and China, which are suspected to engage in widespread
>  surveillance of their citizens.
>  Mr. Eckersley said Exhibit No. 1 of the weak links in the chain is
>  Etisalat, a wireless carrier in the United Arab Emirates that he said
>  was involved in the dispute between the BlackBerry maker, Research in
>  Motion, and that country over encryption. The U.A.E. threatened to
>  discontinue some BlackBerry services because of R.I.M.'s refusal to
>  offer a surveillance back door to its customers' encrypted
>  communications. Mr. Eckersley also said that Etisalat was found to
>  have installed spyware on the handsets of some 100,000 BlackBerry
>  subscribers last year. Research in Motion later issued patches to
>  remove the malicious code.
>  Yet Mr. Eckersley noted that Etisalat was one of the "certificate
>  authorities" and could misuse its position to eavesdrop on the
>  activities of Internet users.
>  In an open letter signed by Mr. Eckersley, the Electronic Frontier
>  Foundation is asking Verizon, which issued Etisalat's power to
>  certify Web sites, to consider revoking that authority.
>  Verizon declined to comment. Etisalat did not respond to an e-mail
>  requesting comment.
>  Mr. Eckersley wrote that Etisalat could issue fake certificates to
>  itself for scores of Web sites, including google.com, Microsoft.com
>  and Verizon.com, and "use those certificates to conduct virtually
>  undetectable surveillance and attacks against those sites." Etisalat
>  could also eavesdrop on virtual private networks used by corporations
>  to communicate securely around the world, he wrote.
>  "We believe this situation constitutes an unacceptable security risk
>  to the Internet in general and especially to foreigners who use
>  Etisalat's data services when they travel," he wrote, adding that the
>  foundation did not know whether Etisalat had misused its authority
>  yet.
>  Concerns about certificates have been raised before. When Firefox
>  considered granting certificate authority to a Chinese company
>  earlier this year, members of the Firefox community worried that the
>  company might be pressured by the government to eavesdrop, for
>  example, on the Gmail accounts of Chinese dissidents. Eventually,
>  Firefox decided to go ahead with the process.
>  Other security experts said that they were concerned about the
>  proliferation of certificate authorities.
>  "I think it is a really big deal," said Stephen Schultze, associate
>  director of the Center for Information Technology Policy at Princeton
>  University. Mr. Schultze said that the problem "is not a reason to
>  panic and stop doing online banking or e-commerce. But it is bad
>  enough problem that it should be receiving a lot more attention and
>  we should be trying to fix it."
>  Some browser makers, however, suggested that while attacks were
>  possible in theory, the system had worked reasonably well for more
>  than a decade.
>  "It has proven itself historically to be relatively secure," said
>  Johnathan Nightingale, Mozilla's director of Firefox development. Mr.
>  Nightingale said that many e-commerce sites were using a new type of
>  certificate that required extensive verification. If a certificate
>  authority was misusing its power to eavesdrop, he said, a user with
>  technical skills could detect the attack, and the organization's
>  power to issue certificates would be revoked.
>  --
>  Roger Clarke                                 http://www.rogerclarke.com/
>  Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 
>                     Tel: +61 2 6288 1472, and 6288 6916
>  mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/
>  Visiting Professor in the Cyberspace Law & Policy Centre      Uni of 
>  NSW
>  Visiting Professor in Computer Science    Australian National 
>  University
>  _______________________________________________
>  Link mailing list
>  Link at mailman.anu.edu.au
>  http://mailman.anu.edu.au/mailman/listinfo/link

Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Link mailing list
Link at mailman.anu.edu.au
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list