SSL Against Governmental Surveillance: Snake Oil?

Dear All,

It occurred to me that SSL might provide *no* security against
governmental surveillance. Because governmental agencies might have
access to ISPs infrastructures and get any sort of certificates from
Certificate Authorities, they can successfully (transparently)
implement Man-In-The-Middle attacks and read (and modify) all the SSL
(HTTPS) traffic.

Can I read your oppinions about this statement?

Kind regards
Ludovic Joly

Re: SSL Against Governmental Surveillance: Snake Oil?

"Ludovic Joly" writes:

>Dear All,

>It occurred to me that SSL might provide *no* security against
>governmental surveillance. Because governmental agencies might have
>access to ISPs infrastructures and get any sort of certificates from
>Certificate Authorities, they can successfully (transparently)
>implement Man-In-The-Middle attacks and read (and modify) all the SSL
>(HTTPS) traffic.

>Can I read your oppinions about this statement?

I'd say that that is essentially correct.

And some US government agency are using similar methods internally
so they can inspect all HTTPS traffic passing through their
firewalls. But that's probaly done using additional
certificates installed on the clients.

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Re: SSL Against Governmental Surveillance: Snake Oil?

In article <43c25193$0$11079$e4fe514c@news.xs4all.nl>, Casper H.S.
Dik wrote:

> "Ludovic Joly" writes:
>
>>Dear All,
>
>>It occurred to me that SSL might provide *no* security against
>>governmental surveillance. Because governmental agencies might have
>>access to ISPs infrastructures and get any sort of certificates
>>from Certificate Authorities, they can successfully (transparently)
>>implement Man-In-The-Middle attacks and read (and modify) all the
>>SSL (HTTPS) traffic.
>
>>Can I read your oppinions about this statement?
>
> I'd say that that is essentially correct.
>
> And some US government agency are using similar methods internally
> so they can inspect all HTTPS traffic passing through their
> firewalls. But that's probaly done using additional
> certificates installed on the clients.

If an organisation implements their own CA for intra-organisation
traffic presumably this problem disappears (but gets replaced with
problems of secure key management instead)?

--
Rob Skedgell
From: address is a spamtrap, Reply-To: is valid.
GnuPG/PGP: 7DA3 1579 C0DD 8748 C05A B984 E2A2 3234 D14B 6DD7

Re: SSL Against Governmental Surveillance: Snake Oil?

Casper H.S. Dik wrote:

>>It occurred to me that SSL might provide *no* security against
>>governmental surveillance. Because governmental agencies might have
>>access to ISPs infrastructures and get any sort of certificates from
>>Certificate Authorities, they can successfully (transparently)
>>implement Man-In-The-Middle attacks and read (and modify) all the SSL
>>(HTTPS) traffic.
>
>
>>Can I read your oppinions about this statement?
>
>
> I'd say that that is essentially correct.
>
> And some US government agency are using similar methods internally
> so they can inspect all HTTPS traffic passing through their
> firewalls. But that's probaly done using additional
> certificates installed on the clients.
>
> Casper

I guess that means you are more secure if you want an SSL site by
rolling your own certificate - signing it yourself. I'm aware of the
problems with that, but I doubt you will find that mentioned on the
Verisign FAQ.

--
Dave K

http://www.southminster-branch-line.org.uk/

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually. The month is
always written in 3 letters (e.g. Jan, not January etc)

Re: SSL Against Governmental Surveillance: Snake Oil?

Ludovic Joly wrote:
> Because governmental agencies might have
> access to ISPs infrastructures

Depends. I doubt NSA has good access to CA:s in South Africa, Finland or
Russia for example. However, it might have access to some CA:s in
somewhere in the world.


> and get any sort of certificates from
> Certificate Authorities,

They could get caught. Well, they are pros so not likely, but sure they
could (and blame it on some hackerX).


> they can successfully (transparently)
> implement Man-In-The-Middle attacks and read (and modify) all the SSL
> (HTTPS) traffic.

Possible. But who trusts SSL/TLS that much to trasmit secret information
over it?

--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.