Security Market Segment LS
Tuesday, 13 April 2010 22:58

PWNed by the Government


It is rapidly getting to the stage that the 'secure' padlock in your browser means nothing. Get yourself a blanket, find a cave and crawl into it. Don't bring your computer.

Both Matt Blaze and Bruce Schneier have pointed out a HUGE problem with SSL (Secure Sockets Layer) certificates and the way in which they are issued.

Putting it simply, most browsers don't care if the certificate a site normally presents is replaced by a different (but still seemingly valid) certificate issued by some other trusted authority.

Think man-in-the-middle; think "the Government did it!" (more on that later)

Both Blaze and Schneier are building on the research described in a paper by Christopher Soghoian and Sid Stamm, which lays out very clearly how governments could execute man-in-the-middle attacks upon any SSL connection.

As Blaze notes, "A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much."

According to the abstract of Soghoian and Stamm's paper, "This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications.

We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks."

In essence, the attack permits a strong-enough authority to compel a Certificate Authority to create a fake certificate.  Once they do, all bets are off.

According to the paper's authors, this is not merely a theoretical attack: it has already been implemented in hardware and offered for sale, hopefully only to Government organisations.

To back up their claims, the authors include marketing material from a company called "Packet Forensics".

Quoting from their brochure, "Packet Forensics' devices are designed to be inserted into and removed from busy networks without causing any noticeable interruption.  Even the failure of a device due to power loss or other factors is mitigated by our hardware bypass fail-safe system.  Once in place, devices have the capability to become a go-between for any TLS or SSL connections in addition to having access to all unprotected traffic.

"This allows you to conditionally intercept web, e-mail, VoIP and other traffic at will, even while it remains protected inside an encrypted tunnel on the wire."

The paper by Soghoian and Stamm offers a browser plug-in to ameliorate the problem. In addition, commenters on Schneier's report of the problem both support and decry (different people, of course) a tool called Perspectives.
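The following is an added example, not code from the article, from Soghoian and Stamm's add-on, or from the Perspectives project. It shows two client-side checks that would flag the substituted certificate a compelled-certificate attack (or a Packet Forensics-style interception box) produces, even though the substitute chains to a trusted CA and the browser accepts it silently: a trust-on-first-use cache that remembers which CA issued a site's certificate and warns when a later connection presents a certificate from a different CA, and a notary quorum check in the spirit of Perspectives, which compares the certificate seen locally with what independent observers elsewhere see. The certificates, fingerprints, notary names and the two-letter country codes are all constructed sample data.

```python
"""
Added example (not the article's code, nor the Soghoian/Stamm add-on or
Perspectives): two checks that flag a substituted certificate chain.
All certificates, fingerprints and notary reports are constructed samples.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str    # hostname in the leaf certificate
    issuer: str     # name of the issuing CA
    issuer_cc: str  # country of the issuing CA, as carried in its DN
    der: bytes      # constructed stand-in for the DER-encoded certificate

    @property
    def fingerprint(self) -> str:
        # Browsers and notaries compare certificates by hash of the DER bytes.
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class TofuCache:
    """Trust-on-first-use: remember the CA that issued each site's certificate."""
    seen: Dict[str, Cert] = field(default_factory=dict)

    def check(self, cert: Cert) -> str:
        prev = self.seen.get(cert.subject)
        if prev is None:
            self.seen[cert.subject] = cert          # first contact: record it
            return "first-seen"
        if prev.fingerprint == cert.fingerprint:
            return "unchanged"
        if prev.issuer == cert.issuer:
            self.seen[cert.subject] = cert          # same CA re-issued: routine renewal
            return "renewed"
        # A valid certificate from a *different* CA is exactly what a compelled
        # certificate looks like; a jurisdiction change is the strongest signal.
        if prev.issuer_cc != cert.issuer_cc:
            return "ALERT: issuing CA changed jurisdiction"
        return "WARN: issuing CA changed"


def notary_check(observed: Cert, reports: Dict[str, str], quorum: int) -> str:
    """Compare our view with notaries' views (notary name -> fingerprint seen).

    A box inserted between us and the site alters what we see but not what
    observers on other network paths see, so their reports disagree with ours.
    """
    if len(reports) < quorum:
        return "insufficient notaries"
    agreeing = sum(1 for fp in reports.values() if fp == observed.fingerprint)
    if agreeing >= quorum:
        return "consistent"
    return f"ALERT: only {agreeing}/{len(reports)} notaries saw this certificate"


# Constructed sample data: a genuine certificate, its renewal by the same CA,
# and a substitute issued by a different (but browser-trusted) CA abroad.
SAMPLE_GENUINE = Cert("mail.example.com", "Example Root CA", "US",
                      b"constructed DER: genuine mail.example.com leaf")
SAMPLE_RENEWED = Cert("mail.example.com", "Example Root CA", "US",
                      b"constructed DER: renewed mail.example.com leaf")
SAMPLE_FORGED = Cert("mail.example.com", "Compelled Trusted CA", "ZZ",
                     b"constructed DER: substitute leaf from another CA")
SAMPLE_NOTARY_REPORTS = {  # constructed: three notaries, all on clean paths
    "notary-a": SAMPLE_GENUINE.fingerprint,
    "notary-b": SAMPLE_GENUINE.fingerprint,
    "notary-c": SAMPLE_GENUINE.fingerprint,
}


def run_demo() -> Tuple[str, ...]:
    """Run both checks over the sample data and return their verdicts."""
    cache = TofuCache()
    return (
        cache.check(SAMPLE_GENUINE),
        cache.check(SAMPLE_RENEWED),
        cache.check(SAMPLE_FORGED),
        notary_check(SAMPLE_GENUINE, SAMPLE_NOTARY_REPORTS, quorum=2),
        notary_check(SAMPLE_FORGED, SAMPLE_NOTARY_REPORTS, quorum=2),
    )


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Neither check needs the CA to be honest: the cache only asks whether the CA behind a site has changed since last time, and the notary check only asks whether other vantage points see the same certificate we do. That is why both remain useful against an attacker who can obtain a perfectly valid certificate.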

At the moment, this vulnerability seems very difficult to address; especially since it appears to be more political than technical.

In short, you probably can't trust the padlock; especially if you believe there is a Government somewhere in the world that wants to know what you know.

