What's new

Law Enforcement Appliance Subverts SSL

Grat3fulh3ad

The Voice of Reason
Veteran
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.:yoinks:
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity.

At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

"If company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this," Blaze said.

The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: "Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike' keys designed to give the subject a false sense of confidence in its authenticity." The product is recommended to government investigators, saying "IP communication dictates the need to examine encrypted traffic at will" and "Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption."

Packet Forensics doesn't advertise the product on its website, and when contacted by Wired.com, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.

"The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it," Saulino said. "Our target community is the law enforcement community."

Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS://, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company's server can eavesdrop on the data. Normal HTTP traffic can be read by anyone in between - your ISP, a wiretap at your ISP, or in the case of an unencrypted WiFi connection, by anyone using a simple packet sniffing tool.

In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities - companies that promise to check a website operator's credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website's server, guaranteeing that the BankofAmerica.com website is actually owned by Bank of America. Browser makers have accredited more than one hundred Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid.

To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities - using money, blackmail or legal process - to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by using a special character in a domain name.

"It is not hard to do these attacks," said Seth Schoen, an EFF staff technologist. "There is software that is being published for free among security enthusiasts and underground that automate this."

China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China's firewall censorship. All they'd need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance.

In all, Mozilla's Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more - all of which are equally trusted by the browser.

The list of trusted root authorities includes the United Arab Emirates-based Etilisat, a company which was caught last summer secretly uploading spyware onto 100,000 customers' Blackberrys.

Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper (.pdf) on the risks Wednesday, and promises he will soon release a Firefox add-on to notify users when a site's certificate is issued from an authority in a different country than the last certificate the user's browser accepted from the site.

EFF's Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so that browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate. Currently browsers warn users when they encounter a certificate that doesn't belong to a site, but many people simply click through the multiple warnings.

"The basic point is that in the status quo there is no double check and no accountability," Schoen said. "So if Certificate Authorities are doing things that they shouldn't, no one would know, no one would observe it. We think at the very least there needs to be a double check."

EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet - in case a user's local ISP has been compromised, either by a criminal, or a government agency using something like Packet Forensics' appliance.

One of the most interesting questions raised by Packet Forensics product is how often do governments use such technology and do Certificate Authorities comply. Christine Jones, the general counsel for GoDaddy - one of the net's largest issuers of SSL certificates - says her company has never gotten such a request from a government in her 8 years at the company. "I've read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake' SSL certificate," Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. "Theoretically it would work, but the thing is we get requests from law enforcement every day, and in entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate."

VeriSign, the largest Certificate Authority, declined to comment.

Matt Blaze notes that domestic law enforcement can get many records, such as a person's Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data.

Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail - which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) - they could install one of Packet Forensics' boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customer's Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they'd been found out.

Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL.

"I still lock my doors even though I know how to pick the lock," Blaze said.
 
Last edited:

Anti

Sorcerer's Apprentice
Veteran
[paraphrase]
The attack is a classic man-in-the-middle attack, where you think you are talking directly to the SeedBank, but instead Uncle Sam found a way to get in the middle and pass the messages back and forth without you or the SeedBank knowing the FEDS were there.
[/paraphrase]

Not good, folks.
 

bergerbuddy

Canna Coco grower
Veteran
It is IMPOSSIBLE to tell the difference between the crooks and the gov. any more.... there was a time yoiu'd a been arrested for selling that kinda crap... now its just marketed to LEO and its... ok.... ok..
 
There was a case about a year ago where hackers were able to obtain signed SSL certs for a domain they did not own. This was fairly big deal then because it exposed a very weak link in otherwise secure 256 bit encryption.

Every time I've had certs signed we got multiple phone calls and we had to fax tax id numbers to the signing authority etc. If these signing authorities get caught falsifying these certs for anyone, especially the government, it will turn web security into one giant farce. It's a big problem, these signing authorities are supposed to be like banks, they are supposed to be legit. If they fold up to the government we're screwed.
 

BakedBeans

Member
The way underground sites get around this is to not purchase their SSL certificates from a "trusted" certificate authority. Anyone can sign their own cert using their own Certificate Authority (CA) and install it on their server. The browser will alert the user the first time this happens, but if the user is forewarned that it is to be expected, then you can be sure that no agency will be able to subpoena a cert to perform this type of attack if the CA is all done by the server operator themselves.

That won't stop an elite penetration team from breaking into your server using unpublished exploits though, which is what will happen if you are a valuable enough target. Better have a good admin and obfuscate your services well. :)

bb
 

BakedBeans

Member
Don't think for a second that Verisign is trustworthy. Nor GoDaddy or any of them, but ESPECIALLY not Verisign.

bb
 
Self signed certs would open the door to anyone (the feds) generating one under your domain name though. You'd still get the browser notice the cert changed, but you'd be conditioned to ignore it.

I think in terms of the article self signed would be even easier for the government to generate, like under a minute. I think modern browsers only accept trusted certs anymore without some influx.

My clients could never afford verisign certs, haha.
 
I wouldn't confuse law enforcement and the Intelligence syndicate, even though the cops do confuse themselves. The FBI does a lot of Intelligence work, they work with Foreign Governments more than law enforcement.

It is amazing how much information cops can get, just talking to a company. I'd think that banks would want to have a warrant or court order, since they don't want bad publicity.
 

SpasticGramps

Don't Drone Me, Bro!
ICMag Donor
Veteran
More of the same. Much more to come too guys! You haven't seen anything yet.

nsa_1984.gif


1984TC0923.jpg


1984-social-classes.gif
 

BakedBeans

Member
Self signed certs would open the door to anyone (the feds) generating one under your domain name though. You'd still get the browser notice the cert changed, but you'd be conditioned to ignore it.

I think in terms of the article self signed would be even easier for the government to generate, like under a minute. I think modern browsers only accept trusted certs anymore without some influx.

If each user was instructed to make their browser install the cert locally (Firefox does this, for sure), then it would only throw an exception if the cert changes and that should throw a red flag to anyone. Also, the site admin can write a quick perl script to hit the site with an internal browser looking for the real cert. If this is done from an external host then it could be a useful early warning system while still avoiding the whole trust chain. I don't trust that cert chain. :)

bb
 
Top