Law Enforcement Appliance Subverts SSL [telecom]


By Ryan Singel March 24, 2010

That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications - without breaking the encryption - by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.


-- Monty Solomon

It usually means that an SSL connection has been set up with some server that has a certificate that matches the URL you used to access the page and is responding to the IP address that the packets are being sent to, no more and no less.

If someone is indeed intercepting the packets and using a false certificate to see your data, then that just means that the integrity of the multi-billion dollar certificate industry has taken a hit as far as "site verification" goes.

-- David Clayton

Speaking as a former Thawte Notary and a GsWOT Introducer, I want to point out that man-in-the-middle attacks aren't anything new, and they are also *not* evidence that either SSL or the PKI system have been "cracked" at a fundamental level.

Mr. Singel's story is a classic case of Social Engineering: in both tone and language, it attempts to make his readers afraid of a phantom that menaces their bank accounts and their ability to employ the Internet to save time and aggravation. The fact is that it is, by all accounts, impossible to "forge" a PKI certificate: i.e., there is no way that an attacker who is *not* *in* *possession* *of* *a* *Root* *Certificate* can create subordinate certificates that attest to a non-existent identity. The article does admit that "To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities", but gives no details as to _how_ "the government" would be able to do so. Mr. Singel is relying on his readers' gullibility to build a straw-man that will fall down whenever someone uses their brain.

I'll provide some background: man-in-the-middle attacks have two "vectors", or ways that they can succeed:

  1. Taking advantage of someone's gullibility.

If I click on a link that says "[link]", and I'm confronted with a warning screen that says the certificate the web site is presenting isn't trusted, then it's up to me to decide if I will allow the browser session to go forward. If I click "yes", what happens after that is my fault, one way or another: either I didn't choose to educate myself as to the risks of accepting untrusted certificates, or I didn't choose to believe that those risks could affect me.

Either way, it's my fault: *I* told my browser to violate the trust model.

  2. Breaking the PKI trust hierarchy by subterfuge.

If an attacker has *UNDETECTABLE* access to the certificate storage of a target machine, he can insert a "Root" certificate into the target, so that the phony certificate presented by a fraudulent website (which was, of course, signed by the false root) will appear to be genuine. This is the method used by System Administrators who want to monitor their users' use of online email systems.


Anytime *ANYONE* has physical access to a target machine, the game is over. That's why you shouldn't do any banking or any other sensitive transaction on a publicly-accessible computer, or for that matter, on _any_ computer you don't have complete control over. Instead of going to the trouble to generate a fake "Root" certificate, get it installed, create a false web page, etc., etc., it is much easier to install "key-grabber" software that will steal the users' banking password(s) at the source.

  3. Breaking the PKI Root security by force, threat, or legal action:

For a careful Internet user, who is using a secure machine, to be deceived into believing that a fraudulent website which claims to be [link] is the real deal, the attackers must go through a multi-step process:

A. They must obtain access to a "root" certificate which can sign other certificates.

B. They must use the purloined root certificate to sign a secondary certificate which has the high-priced-bank name on it.

C. They must set up a phony website which is a passable imitation of the site a victim _thinks_ they're going to.

D. The attackers have to intercept DNS calls made from the target computer, and supply a different IP address than the one actually used by high-priced-bank.

Now, here's the problem: steps "B" and "C" are very easy to _do_, but only if an attacker is _also_ able to accomplish step "A", which is several orders of magnitude harder.

Step "D" is relatively doable, assuming the attacker has access to the LAN the victim is using, but that's not as easy as it might seem: assuming the victim is using a DSL or Cable Internet connection, the only place the "LAN" connection is easily available is between the victim's computer and the high-speed modem, which is usually co-located with the computer. Keep in mind that the device Wired has featured is intended to be used at a LAN interface, such as an Ethernet patch panel, but that assumes that "law enforcement" personnel have access to the wire closet _and_ that they can prove in a court that they did so legally.

Wired has a short-circuit on this subject. I suggest the publication tell its contributors to stick to the usual gee-whiz and leave fear-mongering to professional politicians who are properly trained to use it.

-- Bill Horne

(Filter QRM for direct replies)

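Bill Horne's step "A" (a genuine trusted root signing a substitute certificate for the bank's name) is the one case ordinary trust-store validation cannot catch, because the substitute chain is valid. The following is an added defender-side check, not code from the thread or from any product it mentions: it records the issuer and leaf fingerprint a site is known to use and flags a connection whose chain validates but differs from that record. The host name, CA names and DER bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Iterable, List, Optional


def issuer_cn(peercert: dict) -> Optional[str]:
    """Return the issuer commonName from an ssl.SSLSocket.getpeercert() dict."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def audit_peer(peercert: dict, der: bytes, expected_issuers: Iterable[str],
               pinned_fingerprints: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the leaf matches what we recorded.

    By the time this runs the chain has already passed trust-store validation,
    so any finding is exactly the case in the thread: a certificate the browser
    trusts, but not issued by the CA this site normally uses."""
    findings = []
    cn = issuer_cn(peercert)
    if cn not in set(expected_issuers):
        findings.append(f"unexpected issuer: {cn!r}")
    fp = der_fingerprint(der)
    if fp not in set(pinned_fingerprints):
        findings.append(f"leaf fingerprint not pinned: {fp[:16]}...")
    return findings


def fetch_peer(host: str, port: int = 443):
    """Connect with normal validation; return (getpeercert() dict, leaf DER)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample data (not a real certificate): a stand-in DER blob and the
# dict shape getpeercert() returns, so the check can be exercised offline.
SAMPLE_DER = b"constructed-der-bytes-for-example-only"
SAMPLE_GENUINE = {"subject": ((("commonName", "www.example-bank.test"),),),
                  "issuer": ((("commonName", "Example Trusted CA"),),)}
SAMPLE_SUBSTITUTE = {"subject": ((("commonName", "www.example-bank.test"),),),
                     "issuer": ((("commonName", "Other Trusted CA"),),)}
EXPECTED_ISSUERS = ["Example Trusted CA"]
PINS = [der_fingerprint(SAMPLE_DER)]
```

Against a live host, `audit_peer(*fetch_peer(host), expected_issuers, pins)` with values recorded from a known-good connection reports a substitute chain that the trust store alone would accept.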

I read the article as saying that it is routine for law enforcement to go to some CA and say "we're the cops, we need a fake cert for" and have the CA say, sure, here you go. The box would be pretty worthless otherwise.

The days of Thawte notaries are long gone. These days, all you need to get a cert from Geotrust, which like Thawte is now part of the Verisign empire, is $12.95 and the ability to click on a link in a message sent to any of several dozen addresses derived from the domain name in the cert. Sometimes they also want phone verification, which means that you give them a phone number which can be anywhere (I used the number of an old Belgian mobile phone prepaid SIM I had lying around), they call it, they ask you to punch in a four digit code on the web page and state your name, so you say "Your Name", and hang up. It takes ten minutes on a slow day.

That's at least a little hard to forge. But how do they verify that someone who calls and purports to be law enforcement really is?

R's, John

-- John Levine

Do you really think the US government would have any trouble getting a trusted certificate authority (especially one doing business in the USA) to do (B)? (The certificate authorities already have their own root certificates, so (A) isn't an issue). And perhaps revoke the real certificate for [link] at the same time?

It wouldn't be hard for the US government to obliterate all traces of the company (and its employees) behind the *real* site and just take it over. It's hard to be sure that hasn't already happened yet, several times, with say, Bank of America or General Motors. Then they don't need to forge a certificate; they just steal the real certificate and web site and forge an entire bank.

Who runs the real DNS servers? Do they have more guns than the US government?

Threatening to kill or make disappear several orders of magnitude more employees (and then doing it anyway when they cooperate) doesn't take much more time.

-- Gordon Burditt

I suggest you read Matt Blaze's comments on the topic.

The FeeBees do so by waving a National Security Letter at the CA, and threatening them with jail for asking for a lawyer. After all, anyone who does not do their bidding MUST be a terrorist, right???

-- David Lesher


If the last decade has taught us anything, it is that government employees ("LEO" is just another three-letter acronym) sometimes don't bother with that last step. And that it is very rare that they be held responsible for the omission. And of course, we can be pretty sure that nongovernment types won't worry about it.

Though I suspect that since the infrastructure is so unreliably maintained (certificates not renewed, IP numbers changed, links to noncovered servers) most users will just click through the warnings, since the certificates have cried "wolf!" so many times already.

Though for your VoIP calls, I expect it's much simpler just to get access from the VoIP provider. I think it's the height of naivete to think that LEOs _always_ have court orders to back them up when doing wiretaps, whether of telephones or data networks.


-- Dave Garland