28 Mar
2011
28 Mar
'11
7:47 p.m.
>>> On 3/25/2011 at 2:21 AM, Florian Weimer <fweimer@bfk.de> wrote: > * Roland Dobbins: > >> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: >> >>> Disclosure devalues information. > >> I think this case is different, given the perception of the cert as >> a 'thing' to be bartered. > > Private keys have been traded openly for years. For instance, when > your browser tells you that a web site has been verified by "Equifax" > (exact phrasing in the UI may vary), it's just not true. Equifax has > sold its private key to someone else long ago, and chances are that > the key material has changed hands a couple of times since. > > I can't see how a practice that is completely acceptable at the root > certificate level is a danger so significant that state-secret-like > treatment is called for once end-user certificates are involved. Any large, well funded national-level intelligence agency almost certainly has keys to a valid CA distributed with any browser or SSL package. It would be trivial for the US Gov't (and by extension, the whole AUSCANNZUKUS intelligence community) to simply form a shell company CA that could get a trusted cert in the distros or enlist a "legit" CA to do their patriotic duty (along with some $$$) and give up a key. Heck, it's so easy, private industry sells this as a product for the law enforcement community. It's an easy recipe, 1) Go start your own CA (or buying an existing one may be easier, as Florian points out). 2) Get your key put in Windows, Firefox, Opera, etc. 3) Build an appliance that uses your key to do MIM attacks on the fly. 4) Sell appliance to law enforcement (or anyone else with the money, maybe a smaller nation's intelligence apparatus?). 5) Profit! Just Google around for commercial products aimed at LI that have this capability. Commercial SSL/TLS, i.e. using built-in CAs, offers no protection against nation-states at the intelligence or law enforcement level. -- Crist Clark Network Security Specialist, Information Systems Globalstar 408 933 4387