Law Enforcement Appliance Subverts SSL
- By Ryan Singel
- March 24, 2010
- 1:55 pm
- Categories: Surveillance, Threats
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.
The company in question is known as Packet Forensics, which advertised its new man-in-the-middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington, D.C., wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.
According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will.” And, “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”
Packet Forensics doesn’t advertise the product on its website, and when contacted by Wired.com, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.
“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”
Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company’s server can eavesdrop on the data. Normal HTTP traffic can be read by anyone in between — your ISP, a wiretap at your ISP, or in the case of an unencrypted Wi-Fi connection, by anyone using a simple packet-sniffing tool.
In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities — companies that promise to check a website operator’s credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website’s server, guaranteeing that the BankofAmerica.com website is actually owned by Bank of America. Browser makers have accredited more than 100 Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid.
To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by using a special character in a domain name.
“It is not hard to do these attacks,” said Seth Schoen, an EFF staff technologist. “There is software that is being published for free among security enthusiasts and underground that automate this.”
China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China’s firewall censorship. All they’d need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance.
In all, Mozilla’s Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more — all of which are equally trusted by the browser.
The list of trusted root authorities includes the United Arab Emirates-based Etisalat, a company that was caught last summer secretly uploading spyware onto 100,000 customers’ BlackBerries.
Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper on the risks (.pdf) Wednesday, and promises he will soon release a Firefox add-on to notify users when a site’s certificate is issued from an authority in a different country than the last certificate the user’s browser accepted from the site.
EFF’s Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate. Currently, browsers warn users when they encounter a certificate that doesn’t belong to a site, but many people simply click through the multiple warnings.
“The basic point is that in the status quo there is no double check and no accountability,” Schoen said. “So if Certificate Authorities are doing things that they shouldn’t, no one would know, no one would observe it. We think at the very least there needs to be a double check.”
EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet — in case a user’s local ISP has been compromised, either by a criminal or a government agency using something like Packet Forensics’ appliance.
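The two checks described above, Soghoian's issuer-country comparison and EFF's comparison of what different network locations are served, can be sketched as follows. This is an added example, not code from Soghoian's add-on or EFF's proposal; the class and function names, verdict strings and quorum threshold are hypothetical, and the certificate records are constructed.

```javascript
// Extract the country (C=) attribute from an issuer distinguished name such as
// "C=US, O=Example Trust, CN=Example Trust CA". Returns null when absent.
// Simplification: assumes no escaped commas inside attribute values.
function issuerCountry(issuerDn) {
  for (const part of issuerDn.split(',')) {
    const [key, ...rest] = part.trim().split('=');
    if (key.toUpperCase() === 'C' && rest.length) {
      return rest.join('=').trim().toUpperCase();
    }
  }
  return null;
}

// Hypothetical per-host memory of the last certificate the user accepted.
class IssuerHistory {
  constructor() { this.last = new Map(); }
  // Classify a presented certificate; only non-warning results are remembered,
  // so a suspicious certificate never becomes the new baseline by itself.
  check(host, cert) {
    const prev = this.last.get(host);
    const country = issuerCountry(cert.issuer);
    let verdict;
    if (!prev) verdict = 'first-seen';
    else if (prev.fingerprint === cert.fingerprint) verdict = 'ok';
    else if (country === null || prev.country === null) verdict = 'warn-unknown-country';
    else if (country !== prev.country) verdict = 'warn-country-changed';
    else verdict = 'ok-reissued';
    if (!verdict.startsWith('warn')) {
      this.last.set(host, { fingerprint: cert.fingerprint, country });
    }
    return verdict;
  }
}

// Compare the fingerprint served locally with what independent vantage points
// (notaries or remote exit nodes) report for the same host.
function compareVantagePoints(localFp, remoteFps, quorum = 2) {
  const counts = new Map();
  for (const fp of remoteFps) counts.set(fp, (counts.get(fp) || 0) + 1);
  if ((counts.get(localFp) || 0) >= quorum) return 'consistent';
  const ranked = [...counts.entries()].sort((a, b) => b[1] - a[1]);
  const topCount = ranked.length ? ranked[0][1] : 0;
  return topCount >= quorum ? 'local-differs' : 'inconclusive';
}

// Constructed walk-through: a site renews with the same-country CA, then a
// certificate from a CA in another country appears on the local network path.
function demo() {
  const history = new IssuerHistory();
  const host = 'mail.example.test';
  const certA = { fingerprint: 'aa:01', issuer: 'C=US, O=Example Trust, CN=Example Trust CA' };
  const certB = { fingerprint: 'aa:02', issuer: 'C=US, O=Example Trust, CN=Example Trust CA G2' };
  const certC = { fingerprint: 'bb:03', issuer: 'c=zz, O=Other Authority, CN=Other Root' };
  const verdicts = [certA, certA, certB, certC].map((c) => history.check(host, c));
  const paths = compareVantagePoints(certC.fingerprint, ['aa:02', 'aa:02', 'aa:02']);
  return { verdicts, paths };
}

console.log(demo());
```

A country change alone is only a heuristic, since sites do legitimately switch CAs; the vantage-point comparison is what distinguishes a certificate served only on the local path from one the whole internet sees.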
One of the most interesting questions raised by Packet Forensics’ product is how often do governments use such technology and do Certificate Authorities comply? Christine Jones, the general counsel for Go Daddy — one of the net’s largest issuers of SSL certificates — says her company has never gotten such a request from a government in her eight years at the company.
“I’ve read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake’ SSL certificate,” Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. “Theoretically it would work, but the thing is we get requests from law enforcement every day, and in the entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate.”
VeriSign, the net’s largest Certificate Authority, echoes GoDaddy.
“Verisign has never issued a fake SSL certificate, and to do so would be against our policies,” said vice president Tim Callan.
Matt Blaze notes that domestic law enforcement can get many records, such as a person’s Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data.
Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail — which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) — they could install one of Packet Forensics’ boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customer’s Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they’d been found out.
Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL.
“I still lock my doors even though I know how to pick the lock,” Blaze said.
Update 15:55 Pacific: The story was updated with comment from Verisign.
Image: Detail from Packet Forensics brochure.
If communications are no longer secure, then it’s naive to think only the good guys have this capability. Until this is secured, Internet banking and commerce have to be considered insecure. While I had been doing the majority of my banking and shopping online, that has now stopped until protocols are updated to prevent this attack.
There are other networking companies that sell firewall devices that do this same thing, but at a different level (at your place of work, per se). It doesn’t mean it couldn’t be used the other way around though.
This could even be done with a simple Linux box and either Apache httpd or nginx. Both have SSL proxying capabilities. It just comes down to how well you could fake the certificate or if you, as law ‘enforcement’, can obtain one from the CA.
In response to the previous commenter, it’s naive to think that any communications are truly secure. Unless you control end-to-end the private keys, the network the packets travel over, the devices used to access the information, and are able to trust the humans communicating on each end haven’t themselves been compromised, then there’s always potential for your communications to be subverted. Encryption, like locks on a door, just slows people down, it’s not an absolute deterrent.
The key here is that you have to obtain a ‘fake’ SSL cert for this to work. That is not something CAs will want to give you since it undermines their entire business and trust model. It’s not an attack on SSL itself and it does not mean that your browsing is suddenly insecure.
The key here is that you have to obtain a ‘fake’ SSL cert for this to work. That is not something CAs will want to give you since it undermines their entire business and trust model
From the article:
“Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or…”
Operative phrase being “court order.”
Is there anyone in the world that software companies WON’T sell out? Does anyone think computers are a good thing?
Well actually I have no problem with the Feds looking at my clients SSL.
We went SSL because of packet insertion; the bastards were sticking javascript ads into the business applications we write.
How do you tell the end user that they have an ISP that is sh*t level?
You don’t; you tell them that for security purposes they will have to buy a secure server.
As long as the Feds don’t start inserting spam (I am looking at your ‘You wouldn’t download a Ford Truck bullsh*t) then I don’t have a problem with this.
Oh, by the way.
You can get a fake (test) cert.
It will probably work.
Microsoft, Mozilla corp and others have set the bar very low for SSL CAs. Since no authentication is required as far as Microsoft is concerned it is pretty safe to bet that there are a bazillion crappy SSL certs out there. So here’s some use cases to worry about:
1 If you are using a browser from an enterprise managed computer it is safe to say that if you don’t understand this argument down to the bit level that they can read all your browser (and email) traffic - even over SSL to google; this is because they can spin up their own CA + shove it in your browser/register/email proggy + issue a certificate to gmail.com off their own (enterprise) CA and you will think you are securely connected to google… btw google will also think so. [short version: SSL means nothing from a computer someone else has administrative access to. Corollary -> SSL means nothing if your computer has *ever* been compromised by virus/malware etc.]
2 It is highly unlikely that VeriSign would issue a gmail.com cert to the FBI (though they do process FBI phone record requests given a court order). It is more likely a small CA would go along for fear of legal costs associated with defending themselves.
3 It is entirely possible that one of the dozens of CAs your browser trusts off the shelf _is_ a federally managed Spook(tm) CA in the first place - no need to hassle VeriSign, GoDaddy nor the rest.
4 You can’t really copy a public-key out of a cert and use it for anything but its intended purpose (well you could print it out and use it as a book jacket but that’s not what I mean).
5 You can’t really hide from the US Fed today if you don’t know how to use tools like nss (mozilla’s crypto toolset) or openssl (another open source crypto toolset) or at least RSA’s RSAREF free crypto toolset. I would worry more about water conservation if you are not evil. If you are evil - fsck-off.
6 This packet sniffer does not readily enable anything that isn’t trivially implemented using any computer with tcpdump, ettercap, a decent firewall stack etc. The hard part is getting the cert. Getting the cert isn’t that hard if you can defeat the authentication of a CA; most of the CAs Microsoft and Mozilla trust on your behalf offer very low price + very low authentication products.
7 I assume Opera is in the same league as MS and MF but I’m too lazy to look. Safari has 164 roots on my system and I don’t add roots that I don’t manage myself.
8 Unlike the author of the article I know enough to understand that this vulnerability has existed since the second large commercial CA went into business (Thawte) and got worse with each new one added. At 150+ I would say that SSL is good for protecting you from your ISP but not a bad guy with a modicum of skills… unless you are super conservative in how you use your computer.
9 Keep in mind that the credit card company eats the cost of fraudulent transactions, at least in the US. I’ve yet to hear of a case where they even ask for the $50 that MC/VISA hold you liable for.
10 Peace out and remember CAs are businesses looking for profits and the right to not be shut down in their operating countries -> they don’t care about screwing you if they think it won’t hit the press. Anything VeriSign gets caught doing gets mondo press so they probably play it clean. Probably.
#1 threat to enforcement of law: law enforcement.
>> then it’s naive to think only the good guys have this capability.
I’d say it’s naive to call law enforcement the “good guys.”
This can be done already with a laptop and a copy of ettercap, no extra hardware needed. As stated in the article you need to fake the SSL Certificate without much difficulty, however the user will be alerted that the cert is “self-signed” and any security savvy user will GTFO immediately.
“Users have the ability to import a copy of any legitimate key they obtain (potentially by court order).”
That SSL key is property of whoever owns the domain, any information gathered using a spoofed cert would be obtained illegally and could not be used in court. In order for a copy of the real key to be obtained the domain owner would have to agree to hand it over, it is their property.
At work we use a web monitoring/filtering proxy called WebMarshal, which has had this capability for years.
As the IT geek, I turned it off, mainly because I couldn’t work out how to make it work.
I trust the little lock in my browser about as much as I trust Dick Cheney.
Unbelievable…. You can bet there’s a CA handing out certs to each gov’t and that the criminals have already exploited it.
The problem with Google’s “Don’t be evil” is the Roman Catholic Church invented most of the definition of evil, mainly designed to enhance their own political and financial position. And the evil of ignorance prolongs this.
So whose definition of “evil” do we accept? Law enforcement? Representative legislatures that do not represent?
Therefore, anyone not in agreement with the ignorant masses is inherently evil?
History has much to say about this. Prepare for moral void.
Wow. If the US government started using this, they could potentially lose cases where they used this to get someone since I believe this falls under entrapment. Even if they have a court order approved to make this work, do we honestly believe that the law enforcement wouldn’t overstep their authority and use it to trap other people. It’s a security issue that really needs fixed.
Did anyone read the “Patriot Act”? Of course the spokesperson for a Certificate Authority is going to say they would never issue a fake certificate. If they admit it, they would immediately be jailed for treason!
Good thing the Patriot Act will allow The Law to use something like this without even needing a warrant. Where were the Tea Baggers when that shit was passed?
This is not new. SSL and almost every (if not every) key-based authentication and encryption scheme is vulnerable if someone is able to listen in on the start of the transaction.
Wiretapping conventions? There are such things?