by DethNinja 1127 days ago
In my opinion, most of the governments must have obtained access to numerous Certificate Authority private keys by now. As a result, they would not only be logging DNS records but also the entire unencrypted data transfer.

I think the lesson to be learned here is that centralized systems such as the internet, due to CAs (including Cloudflare) and ISPs, are unsuitable for private communications.

It is so sad that so many people won't experience the late 1980s and early 1990s era of the internet, which was devoid of extensive surveillance and censorship.

Hopefully, humanity will somehow figure out a superior, decentralized communications platform to ensure privacy. However, the current internet offers no such guarantees.

My recommendation at this stage is to assume that government and supranational organizations control the entirety of the internet and act accordingly, as if the internet had no privacy.


> In my opinion, most of the governments must have obtained access to numerous Certificate Authority private keys by now. As a result, they would not only be logging DNS records but also the entire unencrypted data transfer.

Certificate Transparency ensures that having control over a Certificate Authority's private keys doesn't allow for undetectable MITM attacks since both Chrome [1] and Apple (Safari) [2] will not trust certificates that have not been submitted to CT logs and stamped as such. If a government attempts to issue a trusted certificate using a CA they control, it will be logged. You can't passively decrypt TLS connections with just access to a CA's private keys since those aren't the keys involved in communication, or even the server's private key due to forward secrecy (assuming modern TLS configs).

[1]: https://groups.google.com/a/chromium.org/g/ct-policy/c/wHILi...

[2]: https://support.apple.com/en-gb/HT205280

For those interested in CT logs [0].

FTL:

> Firefox does not currently check or require the use of CT logs for sites that users visit.

Uggh... Anyone know why? Seems sensible to check.

[0]: https://developer.mozilla.org/en-US/docs/Web/Security/Certif...

Checking certificates requires that either a) the user has a complete set of CT logs to check against or b) the user makes a request of a third-party server to verify the certificate. "a" is uneconomical in disk space and download, "b" is a privacy concern. Mozilla has decided that its value is not worth the privacy risk as of yet. Time will tell if that's the correct answer; Chrome and Safari are likely enough to keep the CAs honest.

From what I understand, checking that a certificate has been submitted to CT logs should not have privacy implications, only trust in a set of CT logs and their public keys to be able to verify Signed Certificate Timestamps (SCTs). SCTs can be distributed in one of 3 ways:

1. Embedded in the certificate itself - no communication with a third-party

2. Distributed via TLS extension - no communication with a third-party

3. OCSP stapling - the server is the party that initiates a connection with the CA, the client doesn't touch the CA

You only need the complete set of CT logs if you want to verify the logs have not been tampered with.
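The inclusion check the comment above alludes to, as an added example that is not part of the thread: RFC 6962 / RFC 9162 Merkle tree hashing, the audit path a log returns for one entry, and the client-side verification that needs only the root hash from the log's signed tree head, not the full log contents. The seven entries are constructed stand-ins for DER-encoded (pre)certificates; checking that the log itself has not forked (consistency proofs, gossip) is a separate step not shown here.

```python
import hashlib

def leaf_hash(entry):
    # RFC 6962: leaves are hashed with a 0x00 prefix, nodes with 0x01 (domain separation)
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def tree_hash(entries):
    # MTH(D[n]): the root hash a log publishes in its signed tree head (STH)
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = 1 << ((len(entries) - 1).bit_length() - 1)  # largest power of two < n
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_path(m, entries):
    # PATH(m, D[n]): sibling hashes from leaf m up to the root, as the log returns them
    n = len(entries)
    if n <= 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_hash(entries[:k])]

def verify_inclusion(leaf_index, tree_size, entry, path, root_hash):
    # Client-side check from RFC 9162 2.1.3.2: needs only the STH root, not the log contents
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # skip levels where this subtree had no right sibling
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash

# Constructed sample log: seven stand-in entries in place of DER-encoded (pre)certificates
SAMPLE_ENTRIES = [b"cert-%d" % i for i in range(7)]
```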

Lipstick on a pig. OCSP Stapling is a complicated and convoluted override for certificate lifetimes that should never be used and isn't in practice. All three are just different chains to the same CA organizations (in practice), which could just as easily maintain two sets of CT logs.

I should get around to making an "Evil-CA" software that explicitly maintains those two logs.

If they had compromised root keys, then they still need to MITM the connection in order to provide a fake certificate. This would be detectable, and there has been no evidence of it happening, so I'm sceptical it's happened in any significant way. If it was widespread, and not just very targeted, we would know about it.

A government agency using a root key, and getting spotted, would be disastrous for everyone, themselves included. So, if they do have them, and I think you are probably right to assume they do, they would only use them as a last resort in incredibly extreme cases. It would not surprise me if they have them but have never used them.

> ... they still need to MITM the connection ... and there has been no evidence of it happening

Because the parent you're replying to seems to be talking about any/all governments rather than just the UK, and I'm guessing your statement here was 'scoped' to the UK only - I think it's important to point out that this absolutely HAS happened on multiple occasions outside of the UK.

https://en.greatfire.org/blog/2013/jan/china-github-and-man-...

https://www.eff.org/deeplinks/2011/05/syrian-man-middle-agai...

https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...

Only one of those links, the Iranian one, dated 12 years ago, is about a case where there was MITM with a bogus but valid certificate. The Chinese and Syrian cases are just straight MITM, a somewhat knowledgeable teenager could do that, and to the extent it'd work you should focus on things that solve for the "knowledgeable teenager" case, not the "What if state actors with unlimited resources target me?" case.

Twelve years ago is a different era, no Blessed Methods, no Certificate Transparency, pinning was new, which is why they got caught.

Yes, and they don't need to decrypt everything because of how good metadata is. Remember: we kill people based on metadata.

> As a result, they would not only be logging DNS records but also the entire unencrypted data transfer.

Note that even if you have the private key for a specific certificate, you still cannot perform a passive MitM attack against servers that use modern TLS using perfect forward secrecy, and active MitM attacks can sometimes be detected by the web server itself. There are different techniques that have cropped up; here's an old doc page about Caddy v1, mainly because it's the one that I remembered first:

https://caddy.its-em.ma/v1/docs/mitm-detection

That said, as others have mentioned, CT logs basically foil direct man-in-the-middle attacks abusing CA certificates. The attack will work, assuming it isn't foiled by HSTS, but it will be detected. For a government surveillance program, this would obviously be a very bad outcome.

The CA system definitely gets some deserved flak for being flawed, however I've personally found myself impressed with how much practical security against attackers the web ecosystem has managed to build up. It also was probably good to get more of it done ahead of time before governments could try to abuse gaps in the system; as it stands now, if we had DoH and ESNI (edit: or, now, ECH, I suppose) deployed widely across the internet, it would probably render this entire government surveillance operation useless.

> but it will be detected. For a government surveillance program, this would obviously be a very bad outcome.

For the NSA that's unacceptable, because the Americans specifically don't like people to know who did it, that's even the point of some big known NSA programmes, like that thing where they hack two Cisco routers so that all the stolen data goes from A to B, but via C, and the NSA steal the data again at C, so when A figure out what's happening they blame B...

But for e.g. the Russians it's totally fine. When you send assassins as "tourists" with a patently bogus reason for travel that's not because you're too stupid to do better, it's because that's all you needed for the mission and you don't care who knows it.

But you can just issue an identical certificate to an existing website's certificate via the private key, it doesn't even need to enter the CT logs, it will have a 100% identical fingerprint to the original certificate, no?

You can then intercept everything through the ISP gateway. It would be theoretically possible to fragment the entire internet this way via coordinating with the ISPs.

Nope! That would require the server operator to participate; pwning the CA gives you nothing. CAs that issue private keys for you are banned, to my knowledge, for the type of certificates that browsers trust; if a CA offers this, they'll be kicked out of being trusted by browsers. A CA is only allowed to sign a key via a CSR, and therefore the CA never sees the private key of a certificate.

This has been the standard for a pretty long time, and it of course still works this way with ACME certificate issuance as well. Very neat imo.

> Nope! That would require the server operator to participate

Or it would require compromising the server [0]

[0] https://www.csoonline.com/article/3137065/shadow-brokers-lea...

Sure, but what I said absolutely stands: compromising the CA doesn't do you any good in practice.

Frankly though, I am going to say it; I think the idea that compromising a ton of web servers to be able to build a better profile of a user's web history is part of this UK government surveillance initiative is simply absurd. Compromising servers is a pretty nasty cat and mouse game, especially if you're up against orgs like Cloudflare, Amazon and Google. In practice, there's just no chance this is their strategy.

(And the game certainly isn't going to get any easier. You can, for example, use a TPM to generate your private keys, and have encryption occur on a TPM device, such that extracting them would require much more challenging exploits than just pwning some servers, meaning you'd need to actively have control over the servers to do anything interesting. It's not purely theory, either, though I do not know who is currently using this approach.)

Or just a CDN... much easier if they cooperate.

It could be that the Linux kernel random number generator has been backdoored on all the large cloud computing platforms. They could even be snooping the entropy pool in memory as the system is operating? You don't know what's really going on in a virtualized environment. Also many BMCs have JTAG access to the CPU, what's the chance that they have implants in the BMCs, knowing how insecure they are?

https://www.asset-intertech.com/resources/blog/2017/12/micro...

Or the major DNS providers are just providing the government with the data without the need to MITM the connection.

Major ISPs definitely, I feel like, would do this. And most people are leaving DNS as default to their ISP (especially on mobile).

> Major ISPs definitely, I feel like, would do this

It's literally the law, they will comply with the law.

No need for that, just a D notice on Cloudflare and half the internet is decrypted.

Random thought: they can't use the intercepted communication against you in court because it would reveal their capability. But they can use it in an indirect way to target you.

> It is so sad that so many people won't experience late 1980s and early 1990s era of the internet, which was devoid of extensive surveillance and censorship.

Was it though?

Check out Freenet my friend. It is exactly like the internet of the 90's in almost every way, with all the good and bad that entails.

Not happy with any overlay network in this day and age, I have a feeling they have all been compromised. One wrong click and the Thought Police will be at your door. Or at least the chilling effect of not knowing whether it's compromised or not is bad enough that it prevents truly free exploration of the network.

We need a one-way system such as satellite data broadcasting, which has more than enough bandwidth for a Web 1.0 experience. I had an entire Usenet feed by satellite many, many years ago, and it was totally anonymous because it's receive only. We now only have https://blocksat.info/ but hardly anybody uses it.