[LACNIC/Seguridad] The Spy in the Middle: Are SSL certificates even more broken than we thought?

Fernando Gont fernando at gont.com.ar
Sun Jan 2 21:00:02 BRST 2011


The Spy in the Middle
Are SSL certificates even more broken than we thought?
(http://www.crypto.com/blog/spycerts/)

A decade ago, I observed that commercial certificate authorities protect
you from anyone from whom they are unwilling to take money. That turns
out to be wrong; they don't even do that much.

SSL certificates are the primary mechanism for ensuring that secure web
sites -- those displaying that reassuring "padlock" icon in the address
bar -- really are who they purport to be. In order for your browser to
display the padlock icon, a web site must first present a "certificate",
digitally signed by a trusted "root" authority, that attests to its
identity and encryption keys.

Unfortunately, through a confluence of sloppy design, naked commercial
maneuvering, and bad user interfaces, today's web browsers have evolved
to accept certificates issued by a surprisingly large number of root
authorities, from tiny, obscure businesses to various national
governments. And a certificate from any one of them is usually
sufficient to bless any web connection as being "secure".

What this means is that an eavesdropper who can obtain fake certificates
from any certificate authority can successfully impersonate every
encrypted web site someone might visit. Most browsers will happily (and
silently) accept new certificates from any valid authority, even for web
sites for which certificates had already been obtained. An eavesdropper
with fake certificates and access to a target's internet connection can
thus quietly interpose itself as a "man-in-the-middle", observing and
recording all encrypted web traffic, with the user none the wiser.

But how much of a threat is this in practice? Are there really
eavesdroppers out there -- be they criminals, spies, or law enforcement
agencies -- using bogus certificates to intercept encrypted web traffic?
Or is this merely idle speculation, of only theoretical concern?

A paper published today by Chris Soghoian and Sid Stamm [1] suggests
that the threat may be far more practical than previously thought. They
found turnkey surveillance products, marketed and sold to law
enforcement and intelligence agencies in the US and foreign countries,
designed to collect encrypted SSL traffic based on forged "look-alike"
certificates obtained from cooperative certificate authorities. The
products (apparently available only to government agencies) appear
sophisticated, mature, and mass-produced, suggesting that "certified
man-in-the-middle" web surveillance is at least commonplace and
widespread enough to support an active vendor community. Wired's Ryan
Singel reports in depth here.

It's worth pointing out that, from the perspective of a law enforcement
or intelligence agency, this sort of surveillance is far from ideal. A
central requirement for most government wiretapping (mandated, for
example, in the CALEA standards for telephone interception) is that
surveillance be undetectable. But issuing a bogus web certificate
carries with it the risk of detection by the target, either in real-time
or after the fact, especially if it's for a web site already visited.
Although current browsers don't ordinarily detect unusual or
suspiciously changed certificates, there's no fundamental reason they
couldn't (and the Soghoian/Stamm paper proposes a Firefox plugin to do
just that). In any case, there's no reliable way for the wiretapper to
know in advance whether the target will be alerted by a browser that
scrutinizes new certificates.

Also, it's not clear how web interception would be particularly useful
for many of the most common law enforcement investigative scenarios. If
a suspect is buying books or making hotel reservations online, it's
usually a simple (and legally relatively uncomplicated) matter to just
ask the vendor about the transaction, no wiretapping required. This
suggests that these products may be aimed less at law enforcement than
at national intelligence agencies, who might be reluctant (or unable) to
obtain overt cooperation from web site operators (who may be located
abroad).

Whether this kind of surveillance is currently widespread or not,
Soghoian and Stamm's paper underscores the deeply flawed mess that the
web certificate model has become. It's time to design something better.

[1] http://files.cloudprivacy.net/ssl-mitm.pdf

Source: Matt Blaze's Blog (http://www.crypto.com/blog/spycerts/)
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
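
The article's point that nothing prevents a client from noticing a suspiciously changed certificate, sketched as an added example (not part of the original post, and not the plugin proposed in the Soghoian/Stamm paper): a per-host record of the last certificate seen, with each change graded. Host names, CA names, fingerprints and the 30-day renewal window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Observation:
    host: str
    fingerprint: str      # hash of the full certificate (constructed values below)
    issuer: str           # name of the issuing CA
    not_after: datetime   # expiry date of this certificate

class CertWatch:
    """Remember the last certificate seen per host and grade any change."""

    def __init__(self, renewal_window=timedelta(days=30)):
        self.seen = {}
        self.renewal_window = renewal_window  # assumed "normal renewal" period

    def check(self, obs, now):
        prev = self.seen.get(obs.host)
        if prev is None:
            self.seen[obs.host] = obs
            return "first-seen"
        if prev.fingerprint == obs.fingerprint:
            return "unchanged"
        # A replacement is expected only when the old certificate is about to expire.
        near_expiry = prev.not_after - now <= self.renewal_window
        if prev.issuer == obs.issuer:
            verdict = "renewed" if near_expiry else "early-reissue"
        else:
            verdict = "ca-changed-near-expiry" if near_expiry else "suspicious-ca-change"
        # Adopt the new certificate only for a routine renewal; anything else
        # keeps the remembered state so the anomaly stays visible.
        if verdict == "renewed":
            self.seen[obs.host] = obs
        return verdict

def demo():
    now = datetime(2011, 1, 2)
    w = CertWatch()
    # Constructed observations: same host, different CA, old cert valid for months.
    a = Observation("mail.example", "fp-a", "CA One", datetime(2011, 9, 1))
    b = Observation("mail.example", "fp-b", "CA Two", datetime(2012, 1, 1))
    # Constructed observations: same CA, old cert expiring in 18 days.
    c = Observation("shop.example", "fp-c", "CA One", datetime(2011, 1, 20))
    d = Observation("shop.example", "fp-d", "CA One", datetime(2012, 1, 20))
    return [w.check(o, now) for o in (a, a, b, a, c, d, d)]

if __name__ == "__main__":
    print(demo())
```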