Re: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance

Yoav Nir <> Wed, 24 March 2010 23:25 UTC

From: Yoav Nir <>
To: " Group" <>
Date: Thu, 25 Mar 2010 01:21:07 +0200
Thread-Topic: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
Cc: "" <>, =JeffH <>

Oh, where do I start.

1. This is not a new attack. If you can get a CA to issue a bad certificate, you can then use that certificate to impersonate the legitimate web site. Government coercion does not make this a new attack, and the results are no different from a CA employee being coerced or bribed by criminals.

2. Section 5 is entitled "evidence", and then goes on to present the evidence: a marketing brochure and something someone told him at a booth in a trade show.

3. Section 6 is ominously entitled "Some CAs Already Participate In Surveillance". I read that expecting more of a smoking gun than that guy in a trade show from section 5. Instead, we go straight to naming names, in section 6.1, "Verisign". Naming and shaming the biggest commercial CA? No. More like innuendo. The section begins with a description of Verisign's business dealings with telecoms and government, with the implication that they're "in bed" with the evil governments. So is the evidence coming next? No, and I'll quote:
  We have no evidence to suggest that the CA unit within VeriSign has ever been
  compelled by the US government to produce a certificate for use by intelligence
  agencies. Likewise, we have no evidence to suggest that VeriSign has ever broken
  any laws, or improperly disclosed consumers' private data to government agencies.

4. Lastly there's the solution, which is entirely based on countries. If your Chinese bank all of a sudden has an American certificate, the browser kvetches. But the prominence of Verisign actually defeats this defense. A lot of companies from various countries buy certificates from Verisign, either through a local Verisign affiliate, or from Verisign US through a US branch or sales office.  Even my own company does that ( )  This also does not solve the problem, only localizes it. If the government in Elbonia wants a certificate for anything, they will lean on the local branch of Verisign (or just bribe an employee) and get a certificate that chains back to Verisign (US). And criminals will do the same.

On Mar 24, 2010, at 2:08 PM, =JeffH wrote:

> Abstract
> This paper introduces a new attack, the compelled certificate creation
> attack, in which government agencies compel a certificate authority to
> issue false SSL certificates that are then used by intelligence agencies
> to covertly intercept and hijack individuals' secure Web-based
> communications. We reveal alarming evidence that suggests that this
> attack is in active use. Finally, we introduce a lightweight browser
> add-on that detects and thwarts such attacks.
> ------- Forwarded Message
> Date:    Wed, 24 Mar 2010 15:34:27 -0400
> From:    Dave Farber <>
> To:      "ip" <>
> Subject: [IP] Surveillance via bogus SSL certificates
> Begin forwarded message:
>> From: Matt Blaze <>
>> Date: March 24, 2010 3:09:19 PM EDT
>> To: Dave Farber <>
>> Subject: Surveillance via bogus SSL certificates
>> Dave,
>> For IP if you'd like.
>> Over a decade ago, I observed that commercial certificate
>> authorities protect you from anyone from whom they are unwilling to
>> take money.  That turns out to be wrong; they don't even do that.
>> Chris Soghoian and Sid Stamm published a paper today that describes
>> a simple "appliance"-type box, marketed to law enforcement and
>> intelligence agencies in the US and elsewhere, that uses bogus
>> certificates issued by *any* cooperative certificate authority to
>> act as a "man-in-the-middle" for encrypted web traffic.
>> Their paper is available at
>> What I found most interesting (and surprising) is that this sort of
>> surveillance is widespread enough to support fairly mature, turnkey
>> commercial products.    It carries some significant disadvantages
>> for law enforcement -- most particularly it can potentially be
>> detected.
>> I briefly discuss the implications of this kind of surveillance at http://www
>> Also, Wired has a story here:
> - -forensics/
>> -matt
> - -------------------------------------------
> ------- End of Forwarded Message
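The country-of-CA heuristic that point 4 above criticises, as an added example that is not part of the original message, the paper, or the paper's browser add-on. It remembers which countries' CAs have vouched for a host and complains when a later chain for the same host brings in a CA from a country not seen before. Certificates are plain records constructed inline (not real certificates, and the CA names are illustrative); "XE" is a user-assigned ISO 3166 code standing in for "Elbonia". The three scenarios reproduce the argument in the mail: a Chinese bank suddenly certified by a US CA is flagged, a company whose legitimate chain already ends at a US root via a local affiliate gets no warning when a certificate is issued straight from that root, and a legitimate move from a local CA to a US root looks exactly like the first case.

```python
"""Country-of-issuer check for substituted TLS certificates.

Added example, not code from the paper, its browser add-on, or the mail's
author.  It models the defence criticised in point 4: remember which
countries' CAs vouched for a host, and complain when a later chain for the
same host brings in a CA from a country not seen before.  Certificates are
plain records built inline (constructed sample data, not real certificates);
"XE" is a user-assigned ISO 3166 code standing in for "Elbonia".
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class CertInfo:
    common_name: str   # subject CN
    country: str       # C= attribute of the subject DN


def ca_countries(chain):
    """Countries of every CA in a leaf-first chain (everything but the leaf)."""
    return frozenset(cert.country for cert in chain[1:])


@dataclass
class CountryPinStore:
    """Per-host memory of which CA countries have been seen for that host."""
    seen: dict = field(default_factory=dict)

    def check(self, host, chain):
        """Return (verdict, countries).

        verdict is 'first-seen' on the first visit, 'ok' when every CA in the
        new chain sits in a country already seen for this host, and 'alert'
        when the chain pulls in a CA from a new country (the second element
        then holds only the new countries).
        """
        countries = ca_countries(chain)
        if host not in self.seen:
            self.seen[host] = countries
            return "first-seen", countries
        new = countries - self.seen[host]
        if new:
            return "alert", new
        return "ok", countries


# Constructed CA records (names are illustrative, not real certificates).
CN_ROOT = CertInfo("Example China Root CA", "CN")
US_ROOT = CertInfo("Example US Root CA", "US")
XE_LOCAL_CA = CertInfo("Elbonia Local CA", "XE")
XE_AFFILIATE = CertInfo("Example US Root CA, Elbonia affiliate", "XE")


def run_scenarios():
    """Walk the cases from the mail and return each host's second verdict."""
    store = CountryPinStore()
    results = {}

    # 1. Chinese bank normally certified by a Chinese CA; a substituted
    #    certificate from a US CA changes the CA country and is flagged.
    bank = "bank.example.cn"
    store.check(bank, [CertInfo("bank.example.cn", "CN"), CN_ROOT])
    results["chinese_bank"] = store.check(
        bank, [CertInfo("bank.example.cn", "CN"), US_ROOT])

    # 2. Elbonian company bought its certificate through a local affiliate,
    #    so the legitimate chain already ends at the US root.  A certificate
    #    issued directly under the US root (obtained by leaning on the affiliate
    #    or bribing an employee) adds no new country and is not flagged.
    corp = "www.example.xe"
    store.check(corp, [CertInfo("www.example.xe", "XE"), XE_AFFILIATE, US_ROOT])
    results["elbonia_compelled"] = store.check(
        corp, [CertInfo("www.example.xe", "XE"), US_ROOT])

    # 3. The same heuristic fires on a legitimate change: a company that
    #    moves from a purely local CA to the US root looks like case 1.
    shop = "shop.example.xe"
    store.check(shop, [CertInfo("shop.example.xe", "XE"), XE_LOCAL_CA])
    results["elbonia_moved_to_us_ca"] = store.check(
        shop, [CertInfo("shop.example.xe", "XE"), US_ROOT])

    return results


if __name__ == "__main__":
    for name, (verdict, countries) in run_scenarios().items():
        print(f"{name:24s} {verdict:10s} {sorted(countries)}")
```

The store keys on the host and on the set of CA countries rather than on the root alone, so a chain that merely drops the local affiliate intermediate (scenario 2) is indistinguishable from the legitimate one. That is the localisation problem the mail describes: once a host's trust already reaches a large CA's country, a certificate compelled or bought from that CA passes the country check.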