Me, four days ago, on someone else’s blog, talking about reports of the NSA “breaking” encryption and snooping large-scale on encrypted connections across the Internet:
Badtux { 09.10.13 at 1:16 am }
Reading further, the most startling back door requires that the NSA own one of the key infrastructure providers so they can do massive man-in-the-middle attacks. Hmm, I wonder (Verisign) who that (Verisign) could possibly (Verisign) be?
So now Verisign’s business is going to get hammered. Yay, NSA! Managing to do to us what Osama bin Laden never did!
And then two days ago, this news comes out: the US National Security Agency has apparently impersonated Google on at least one occasion to gather data on people.
This is one case where I wish my speculation had proven utterly unfounded. SSL is the linchpin of Internet commerce. If you can’t trust SSL, you can’t trust Internet commerce, period. Unfortunately SSL has one weakness that no amount of clever math fixes: it relies on certificate authorities to be honest.
Here’s how SSL works. You go to, say, https://www.google.com. See that little green lock up in your address bar? That means it’s a secure encrypted connection and nobody other than Google can see what searches you’re making. Or can they? What does that green lock mean anyhow?
Well: when you connected, Google sent your browser its certificate, which carries Google’s public key. Your browser uses that public key to set up a session key shared with Google, and everything that flows in either direction is then encrypted with that session key. The point of the public key is that only someone holding the matching private key can complete that handshake as Google, so if the key really is Google’s, only Google can read what you send.
But: how do you know you’re actually talking to Google, and not to someone impersonating Google? That is where certificate authorities like Verisign come in. The certificate you got from Google is signed by Verisign’s private key, and the signed portion says the key inside belongs to www.google.com. Your browser checks that signature with Verisign’s public key, which is either embedded in the browser’s trust store or reached through an intermediate certificate that is itself signed by a key the browser ships. If the check passes you know two things: a) the certificate really was signed by Verisign, because a signature only verifies against Verisign’s public key if it was made with Verisign’s private key, and b) Verisign says the key belongs to Google. As long as you trust Verisign to tell the truth, the key belongs to Google.
So what the NSA has done is subvert (b). They’ve somehow gotten Verisign (or some other CA your browser trusts just as much; the browser doesn’t care which) to sign a certificate that says a key is Google’s when it isn’t: it actually belongs to the NSA. Sitting between you and Google, the NSA presents that certificate to your browser, which accepts it. They then decrypt your traffic, read it, re-encrypt it to Google’s *real* key and forward it on to Google. The data coming back from Google gets treated the same way.
What this means: you can’t trust that green lock anymore. That green lock is what tells you your e-commerce transactions on the web are secure, but your browser trusts every certificate authority in its store equally, and any one of them can vouch for any site. If the NSA has managed to subvert one certificate authority, almost certainly others have been subverted by *other* people. Maybe not-so-nice people.
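To make concrete what “chains to a trusted CA” buys you and what it doesn’t, here is an added example (mine, not Badtux’s, and not code from any browser or certificate authority) using Go’s standard crypto/x509 library. It builds two made-up root CAs that the browser trusts equally, has one certify Google’s real key and the other certify an interceptor’s key for the same name, and shows that plain chain validation accepts both. It then adds the check Chrome was already applying to Google’s own domains in 2013, a hard-coded pin on the expected public key, which rejects the interceptor’s certificate. The CA names, serial numbers, validity window and pin set are assumptions made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint makes a fresh key pair and has parentKey sign a certificate for it built from tmpl.
// A nil parent means self-signed, i.e. a root as it sits in a browser's trust store.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo code: fail loudly rather than thread errors through
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template is the "signed portion" the post talks about: a name plus flags saying whether
// the key may sign other certificates (a CA) or only serve a web host. Values are made up.
func template(name string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// browserCheck is what the green lock means: the certificate names host and chains to
// ANY root in the trust store. Which root vouched for it does not matter.
func browserCheck(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// pinnedCheck adds what the CA model lacks: the key itself must be one the browser already
// knows the site to use (pinned as SHA-256 of its SubjectPublicKeyInfo), whoever signed for it.
func pinnedCheck(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) error {
	if err := browserCheck(leaf, roots, host); err != nil {
		return err
	}
	if !pins[sha256.Sum256(leaf.RawSubjectPublicKeyInfo)] {
		return fmt.Errorf("%s: certificate chains to a trusted CA, but its key is not pinned", host)
	}
	return nil
}

type Result struct{ GenuineChain, RogueChain, GenuinePin, RoguePin bool }

// RunScenario: the browser trusts two CAs (names made up). Google's key is certified by
// one; the interceptor's own key is certified for Google's name by the other.
func RunScenario() Result {
	const host = "www.google.com"
	honestCA, honestKey := mint(template("Honest CA", true, 1), nil, nil)
	otherCA, otherKey := mint(template("Some Other Trusted CA", true, 2), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(honestCA)
	roots.AddCert(otherCA)
	genuine, _ := mint(template(host, false, 100), honestCA, honestKey)
	rogue, _ := mint(template(host, false, 200), otherCA, otherKey) // the interceptor's key
	pins := map[[32]byte]bool{sha256.Sum256(genuine.RawSubjectPublicKeyInfo): true}
	return Result{
		GenuineChain: browserCheck(genuine, roots, host) == nil,
		RogueChain:   browserCheck(rogue, roots, host) == nil,
		GenuinePin:   pinnedCheck(genuine, roots, host, pins) == nil,
		RoguePin:     pinnedCheck(rogue, roots, host, pins) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario()) // GenuineChain:true RogueChain:true GenuinePin:true RoguePin:false
}
```

The two chain results are the whole story of the post: the browser has no way to prefer the CA that really vouches for Google over any other CA in its store, so a certificate from “Some Other Trusted CA” is as good as the real one. Pinning works because it checks something the CA never controls, the site’s own public key; it is also why pinning has to be shipped with the browser or learned from a genuine first connection, since a certificate presented by the interceptor can’t be trusted to tell you what to pin.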
And now you know why Jeff Bezos bought the Washington Post. Because if people quit trusting e-commerce, his multi-billion-dollar share of Amazon.com becomes worthless. Expect a full court press both in the media and in Congress on this one, because this is an economy-breaker if people stop trusting e-commerce worldwide. We’ve already shut down too many ma and pa stores in favor of e-commerce sites on the Internet to go back to the way things used to be… and the NSA seems intent on kicking the legs out from under our economy wholesale, doing to us what the Soviets never managed to do.
We are so fucked…
— Badtux the Waddling Penguin
Until normal, non-tech people get the message, this is non-news. Once the idea catches on, watch out! I’d like a Church Commission on steroids for this stuff, since this is going to be a real firestorm as business is based on trust relationships; remove the trust, and…
Some ordinary people are starting to get the message, Marcus. They may not understand the details, but “the NSA — and some bad guys, maybe — have subverted that little green lock thingy that secures Internet commerce” definitely gets their attention.
Thank you for being out there, keeping an eye on this for us. I really appreciate your perspective.
[…] has an extremely justified ‘I told you so’ on NSA ‘man-in-the-middle’ intercepts that totally negate the value of the SSL […]
Hiya Badtux! :) Been a while since I commented here (rather than *there*) :)
As I’ve said elsewhere, there are very few signing authorities I trust, and none of the commercial ones in the USA. I had to deal with Verisign (here) when I worked at Apple (they use Macs mostly, and did use Xserves, but that’s another story). I got to know one of the senior sysadmins pretty well, and he was troubled back then (2007) about *a few things*. He left a little later because his conscience was bothering him.
It’s really not all that new, but it is much worse now. I guess Verisign (and others) decided it was just too much work handing over keys in response to court orders, and too much paperwork. Easier to let the FBI/NSA/whoever just grab whatever and not bother them. *shrug* :)
One of the real threats here isn’t actually the Government. For the most part, they are too incompetent to deal with all this data (as they have proven time and again). The problem is the Contractors. Everything is outsourced. Who’s to say some contractor won’t start harvesting people’s financial data (including bank account keys, credit card data, etc.) and either using it or selling it? It’s happened before all this; this all just makes that more likely to happen.
The bottom line is… people cannot trust the Government, and they definitely cannot trust Corporations (and never could!). The only real way to keep a secret is to make sure nobody else knows. :) :)