Today two computer security researchers, Christopher Soghoian and Sid Stamm, released a draft of a forthcoming research paper in which they present evidence that certificate authorities (CAs) may be cooperating with government agencies to help them spy undetected on “secure” encrypted communications. (EFF sometimes advises Soghoian on responsible disclosure issues, including for this paper.) More details and reporting are available at Wired today. The draft paper includes marketing materials from Packet Forensics, an Arizona company, which suggest that government “users have the ability to import a copy of any legitimate keys they obtain (potentially by court order)” into Packet Forensics products in order to impersonate sites and trick users into “a false sense of security afforded by web, e-mail, or VoIP encryption”. This would allow those governments to routinely bypass encryption without breaking it.
Many modern encryption systems, including the SSL/TLS system used for encrypted HTTPS web browsing, rely on a public-key infrastructure (PKI) in which some number of CAs are trusted to vouch for the identity of sites and services. The CA’s role is crucial for detecting and preventing man-in-the-middle attacks where outsiders invisibly impersonate one of the parties to the communication in order to spy on encrypted messages. CAs make a lot of money, and their only job is to make accurate statements about which cryptographic keys are authentic; if they do this job incorrectly — willingly, under compulsion, by accident, or negligently — the security of encrypted communications falls apart, as man-in-the-middle attacks go undetected. These attacks are not technically difficult; surveillance companies like Packet Forensics sell tools to automate the process, while security researchers like Moxie Marlinspike have publicly released tools that do the same. All that’s needed to make the attack seamless is a false certificate. Can one be obtained?
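The following is an added illustration, not code from the paper or from EFF, of why ordinary chain validation cannot catch the scenario above and what a client-side check that can catch it looks like. It is a constructed toy model: CA names, host names, key bytes and secrets are all made up, and a CA “signs” with an HMAC over the certificate fields so that it runs offline on the Python standard library (real X.509 certificates are DER-encoded and signed with RSA or ECDSA). The point it shows is that a certificate for a host issued by any CA in the trust store passes the browser’s check, whereas pinning the host’s expected public key flags a certificate that is validly signed but carries a key the site never used.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy model (not real X.509): a CA "signs" the to-be-signed fields with
# an HMAC keyed by the CA's secret, so the example runs offline with only the
# standard library. The trust store therefore maps CA name -> that secret; in a real
# browser it maps CA name -> public key and signatures are RSA/ECDSA.


@dataclass(frozen=True)
class Cert:
    subject: str      # host name the certificate claims to identify
    issuer: str       # CA that signed it
    spki: bytes       # subject public key (constructed placeholder bytes)
    signature: bytes  # toy signature over (subject, issuer, spki)


def _tbs(subject: str, issuer: str, spki: bytes) -> bytes:
    """Canonical 'to be signed' encoding of the fields a CA vouches for."""
    return subject.encode() + b"\x00" + issuer.encode() + b"\x00" + spki


def issue(ca_name: str, ca_secret: bytes, subject: str, spki: bytes) -> Cert:
    """The CA vouches that `spki` belongs to `subject`. This is the step a
    compelled or careless CA can perform for a key the site does not own."""
    sig = hmac.new(ca_secret, _tbs(subject, ca_name, spki), hashlib.sha256).digest()
    return Cert(subject, ca_name, spki, sig)


def chain_valid(cert: Cert, trust_store: dict) -> bool:
    """What a browser does: accept if *any* CA in the trust store signed the
    certificate for this subject. It cannot tell a compelled CA from an honest one."""
    secret = trust_store.get(cert.issuer)
    if secret is None:
        return False
    expected = hmac.new(secret, _tbs(cert.subject, cert.issuer, cert.spki),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def spki_pin(spki: bytes) -> str:
    """SHA-256 of the public key, the value a client can learn out of band and pin."""
    return hashlib.sha256(spki).hexdigest()


def check_with_pins(cert: Cert, trust_store: dict, pins: dict) -> str:
    """Chain validation plus a per-host public-key pin. A certificate that is
    correctly signed by a trusted CA but carries a key the site never used is
    exactly the case chain validation alone misses."""
    if not chain_valid(cert, trust_store):
        return "rejected: not signed by a trusted CA"
    expected = pins.get(cert.subject)
    if expected is None:
        return "accepted: valid chain, no pin for this host"
    if spki_pin(cert.spki) == expected:
        return "accepted: valid chain, pin matches"
    return "flagged: valid chain but public key does not match pin"


def demo() -> dict:
    """Constructed scenario: two CAs in the trust store, one honest and one that
    issues a second certificate for the same host to a key the site does not own."""
    trust_store = {"Honest CA": b"honest-ca-secret", "Compelled CA": b"compelled-ca-secret"}
    site_key = b"site-public-key-bytes"          # constructed placeholder
    other_key = b"interceptor-public-key-bytes"  # constructed placeholder
    pins = {"mail.example": spki_pin(site_key)}  # pin recorded on a known-good visit

    legit = issue("Honest CA", b"honest-ca-secret", "mail.example", site_key)
    forged = issue("Compelled CA", b"compelled-ca-secret", "mail.example", other_key)
    untrusted = issue("Unknown CA", b"unknown-ca-secret", "mail.example", other_key)

    return {
        "legit": check_with_pins(legit, trust_store, pins),
        "forged": check_with_pins(forged, trust_store, pins),
        "untrusted": check_with_pins(untrusted, trust_store, pins),
        "forged_passes_chain_check": chain_valid(forged, trust_store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the asymmetry the post describes: the certificate from the second trusted CA passes `chain_valid` just like the honest one, and only the pin comparison separates them. The pin itself has to come from somewhere the intercepting party cannot rewrite (a prior connection, a build-time constant, or a published key fingerprint), which is why this check is a complement to, not a replacement for, holding CAs to accurate issuance.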
This risk has been the subject of much speculation, but Soghoian and Stamm’s paper is the first time we’ve seen evidence suggesting that CAs can be induced to sign false certificates. The question of CAs’ trustworthiness has been raised repeatedly in the past; researchers recently showed that some CAs continued to use obsolete cryptographic technology, signed certificates without verifying their content, and signed certificates that browsers parsed incorrectly, putting users at risk of undetectable attacks. What’s new today, however, is the indication that some CAs may also knowingly falsify certificates in order to cooperate with government surveillance efforts.