Law Enforcement Appliance Subverts SSL

If a CA is issuing bad certificates then they need to be removed from the default CA list. Mozilla was worried about this with China a little while ago. <a href="http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca" rel="nofollow">http://www.freedom-to-tinker.com/blog/felten/mozilla-debates...</a><p>The real news will be if anyone can prove that a default CA has been compelled by court order to generate a fake certificate.

The appliance itself doesn't seem that important. The big thing I take from the article is law enforcement needs to: "persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website." If you can get a forged certificate from a trusted cert provider, then there is a bunch of ways to do this. The box is just a convenience.

Shouldn't it be possible to detect when this is happening, and who's issuing the certificates? We need a plugin that snarfs the certificates as they hit your browser, and a web service to log them to (send the SHA256 of the cert, and if it's not already there, send the complete contents of the cert).<p>I'm game if someone else is.

"The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it."<p>I hope I never suffer a brain cramp and say that about my company to a reporter.

There was an article on HN earlier talking about how certificates have never actually protected anyone from fraud (fraud cites don't try to forge certificates in the first place, or so the article said). Now it gets worse -- not only is it not protecting you, but it's luring you further into a false sense of 'security' and potential government surveillance? No thanks.

Authentication is hard. It's not a new problem at all. You can go to a great deal of trouble performing secure key distribution, but if you don't have a way of knowing you're doing it with who you think you're doing it with, you're basically screwed.<p>PGP is nice in that it bundles key distribution together with authentication, so you can at least be sure that the person you spoke to first is the same person you're speaking to now, assuming nobody's taken a $5 wrench to their knees. Unfortunately, PGP and all other factoring based key distribution methods are only secure for a limited time. People often say things like, "Secure for 1000 years assuming..." What they don't tell you is those assumptions (e.g. crackers only use classical computers with Moore's law scaling resources and currently known algorithms") are ridiculous. In general, advances in algorithms alone accelerate things greatly. Messages you send in PGP today will probably be trivial to crack within a decade, and that's not even accounting for quantum computing! Note: If you are interesting enough, this translates to messages you send today <i>will</i> be logged, archived, and cracked within 10 years. This is fine for credit card transactions. Not so fine for government secrets. (If you ever hear of a government employee transmitting state secrets using PGP, you are well justified to freak out.)<p>Quantum Cryptography promises to at least get rid of that problem, since the impossibility of cloning quantum information means that keys cannot be archived and cracked at a later time. However, authentication with a party you have not physically met remains a bit of a pickle.

<i>Christine Jones, the general counsel for GoDaddy — one of the net’s largest issuers of SSL certificates — says her company has never gotten such a request from a government in her eight years at the company. </i><p>Wouldn't she be required by U.S. law to say this if that's what the government told her to say?<p>[Edit: Seems I'm out of date; the gag-order provisions I was thinking about were ruled unconstitutional a couple of years ago: <a href="http://www.aclu.org/national-security/court-rules-patriot-acts-national-security-letter-gag-provisions-unconstitutional" rel="nofollow">http://www.aclu.org/national-security/court-rules-patriot-ac...</a>]<p>P.S. God, I hate this copy/paste Read More crap.

So to counter this kind of MITM attack the browser (or other SSL-app) should allow the user to store the certificate/root certificate for a certain site, and then provide a warning when it doesn't match the stored one. Doesn't sound that hard, maybe even an extension to Fx could do that?

Could it be possible that GoDaddy was under court order to say that they have not had any requests? My recollection is fuzzy, I think there was a hub-bub a while back about librarians being ordered to lie about Patriot Act requests.

I've always assumed that the government possessed the capability of creating false certs, but it is perhaps more troubling that boxes like these could be available to <i>anyone</i>.

Cool. So as long as I'm my own CA and I use self-signed certificated (distributed off-band) then I'm safe.