NNSquad - Network Neutrality Squad


[ NNSquad ] Re: Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

On Jan 31, 2011, at 7:45 PM, Lauren Weinstein wrote:

> Certified Lies: Detecting and Defeating Government Interception
> Attacks Against SSL
> http://bit.ly/fdA1Nb  (Cryptogon)


Compromised, accidental, tricked, malicious and compelled CAs are
included in the things that the DANE (nee KIDNS nee KeyAssure) IETF WG
is working to address ( charter here:
https://datatracker.ietf.org/wg/dane/charter/ )

The very very high level overview is that an end user generates their
own (self-signed) certificate, or gets a CA-issued cert, and publishes
a means of identifying that certificate in the DNS, signed with
DNSSEC. When a relying party comes to use the certificate, they
perform DNSSEC validation to ensure that the certificate they have
received is the one intended. If there has been some malfeasance
either the certificate fingerprint will not match, or the DNSSEC
validation will fail...  [ Description horribly oversimplified ]


   [ Of course, currently most browsers make using self-signed
     certs a royal pain -- by doing everything possible to 
     scare users into not accepting them.  I've addressed this
     a number of times, including in:

     Firefox 3's Step Backwards For Self-Signed Certificates
     http://bit.ly/b4LgFc  (Lauren's Blog)

     Firefox makes you click through a bunch of alarming hoops to
     accept an SS cert, but ultimately allows you to save it for
     future use.  Chrome also puts up an alarming message, but allows
     you to accept the cert with a single click.  However, it provides no
     simple mechanism to save that cert for the future.

     I am, as you might imagine, not enthusiastic about adding
     additional functionality to DNS, given that I really am very much
     dedicated to helping DNS ultimately wither away, through the
     deployment of alternative name/address mechanisms, such as IDONS.

         -- Lauren Weinstein
            NNSquad Moderator ]

> "This paper introduces the compelled certificate creation attack, in
> which government agencies may compel a certificate authority to issue
> false SSL certificates that can be used by intelligence agencies to
> covertly intercept and hijack individuals' secure Web-based
> communications. Although we do not have direct evidence that this form
> of active surveillance is taking place in the wild, we show how
> products already on the market are geared and marketed towards this
> kind of use -- suggesting such attacks may occur in the future, if they
> are not already occurring. Finally, we introduce a lightweight browser
> add-on that detects and thwarts such attacks."
> --Lauren--
> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
> Co-Founder: People For Internet Responsibility: http://www.pfir.org
> Founder:
> - Network Neutrality Squad: http://www.nnsquad.org
> - Global Coalition for Transparent Internet Performance: http://www.gctip.org
> - PRIVACY Forum: http://www.vortex.com
> Member: ACM Committee on Computers and Public Policy
> Blog: http://lauren.vortex.com
> Twitter: https://twitter.com/laurenweinstein 
> Google Buzz: http://bit.ly/lauren-buzz 
> Quora: http://www.quora.com/Lauren-Weinstein
> Tel: +1 (818) 225-2800 / Skype: vortex.com
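
The relying-party check outlined in the reply above, as an added example that is not part of the original message or of the DANE WG's own material. It assumes the TLSA record layout the WG later published as RFC 6698; DnsAnswer, check_certificate and the sample byte strings are hypothetical names and constructed data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA matching types (RFC 6698): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_MATCHERS = {
    0: lambda der: der,
    1: lambda der: hashlib.sha256(der).digest(),
    2: lambda der: hashlib.sha512(der).digest(),
}

@dataclass(frozen=True)
class DnsAnswer:
    """Result of the TLSA lookup from a validating resolver (hypothetical type)."""
    dnssec_validated: bool  # True only if the chain to the trust anchor verified
    records: tuple          # each record: (usage, selector, matching_type, data)

def check_certificate(presented_der: bytes, answer: DnsAnswer) -> str:
    """Return 'match', 'dnssec-failure' or 'fingerprint-mismatch'."""
    # Unvalidated DNS data proves nothing: whoever swapped the certificate
    # could have swapped the record too, so refuse before comparing anything.
    if not answer.dnssec_validated:
        return "dnssec-failure"
    for _usage, selector, mtype, data in answer.records:
        # Simplification: only selector 0 (full certificate) is handled and the
        # usage field is not interpreted; selector 1 needs SPKI extraction.
        if selector != 0 or mtype not in _MATCHERS:
            continue
        if hmac.compare_digest(_MATCHERS[mtype](presented_der), data):
            return "match"
    # A certificate from a compromised or compelled CA chains to a trusted root
    # but still fails here, because the domain owner never published it.
    return "fingerprint-mismatch"

# Constructed sample data: stand-ins for DER-encoded certificates, not real ones.
SITE_CERT = b"constructed-der-bytes-of-site-owner-certificate"
ROGUE_CERT = b"constructed-der-bytes-of-cert-from-compelled-ca"
PUBLISHED = DnsAnswer(True, ((3, 0, 1, hashlib.sha256(SITE_CERT).digest()),))
FORGED = DnsAnswer(False, ((3, 0, 1, hashlib.sha256(ROGUE_CERT).digest()),))

if __name__ == "__main__":
    print(check_certificate(SITE_CERT, PUBLISHED))   # owner's cert, signed record
    print(check_certificate(ROGUE_CERT, PUBLISHED))  # substituted certificate
    print(check_certificate(ROGUE_CERT, FORGED))     # substituted cert and record
```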