by jchw 1129 days ago
> As a result, they would not only be logging DNS records but also the entire unencrypted data transfer.

Note that even if you have the private key for a specific certificate, you still cannot perform a passive MitM attack against servers that use modern TLS using perfect forward secrecy, and active MitM attacks can sometimes be detected by the web server itself. There are different techniques that have cropped up; here's an old doc page about Caddy v1, mainly because it's the one that I remembered first:

https://caddy.its-em.ma/v1/docs/mitm-detection

That said, as others have mentioned, CT logs basically foil direct man-in-the-middle attacks abusing CA certificates. The attack will work, assuming it isn't foiled by HSTS, but it will be detected. For a government surveillance program, this would obviously be a very bad outcome.

The CA system definitely gets some deserved flak for being flawed, however I've personally found myself impressed with how much practical security against attackers the web ecosystem has managed to build up. It also was probably good to get more of it done ahead of time before governments could try to abuse gaps in the system; as it stands now, if we had DoH and ESNI (edit: or, now, ECH, I suppose) deployed widely across the internet, it would probably render this entire government surveillance operation useless.

2 comments

> but it will be detected. For a government surveillance program, this would obviously be a very bad outcome.

For the NSA that's unacceptable, because the Americans specifically don't like people to know who did it. That's even the point of some big known NSA programmes, like that thing where they hack two Cisco routers so that all the stolen data goes from A to B, but via C, and the NSA steal the data again at C, so when A figure out what's happening they blame B...

But for e.g. the Russians it's totally fine. When you send assassins as "tourists" with a patently bogus reason for travel that's not because you're too stupid to do better, it's because that's all you needed for the mission and you don't care who knows it.

But you can just issue a certificate identical to an existing website's certificate via the private key; it doesn't even need to enter the CT logs, and it will have a 100% identical fingerprint to the original certificate, no?

You can then intercept everything through the ISP gateway. It would be theoretically possible to fragment the entire internet this way via coordinating with the ISPs.

Nope! That would require the server operator to participate; pwning the CA gives you nothing. CAs that issue private keys for you are banned, to my knowledge, for the type of certificates that browsers trust; if a CA offers this, they'll be kicked out of being trusted by browsers. A CA is only allowed to sign a key via a CSR, and therefore the CA never sees the private key of a certificate.

This has been the standard for a pretty long time, and it of course still works this way with ACME certificate issuance as well. Very neat imo.
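The CSR flow described in this comment, as an added example that is not part of the thread: the subscriber keeps its private key in its own directory and hands the CA only a CSR; the CA signs it and the resulting certificate carries the subscriber's public key, so nothing the CA holds can decrypt or impersonate the site on its own. It assumes `openssl` is on the PATH; the CA name, the host name `www.example.test` and the directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the HN thread): a CA signs a CSR and never
# touches the subscriber's private key. Requires openssl; all names are
# throwaway values constructed for this demo.
set -eu

issue_via_csr() {
  work=$(mktemp -d)
  ca="$work/ca"          # everything the CA ever receives or produces
  sub="$work/subscriber" # the server operator's side
  mkdir -p "$ca" "$sub"

  # CA side: its own key and a self-signed root (constructed, 1-day lifetime).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca/ca.key" \
    -out "$ca/ca.crt" -subj "/CN=Example Test CA" -days 1 2>/dev/null

  # Subscriber side: generate the key pair locally and build a CSR from it.
  # The key file stays in $sub; only the CSR is sent to the CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$sub/server.key" \
    -out "$sub/server.csr" -subj "/CN=www.example.test" 2>/dev/null
  cp "$sub/server.csr" "$ca/inbox.csr"

  # CA side: verify the CSR's self-signature and issue the certificate.
  openssl x509 -req -in "$ca/inbox.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -out "$ca/server.crt" -days 1 2>/dev/null

  # Check 1: the CA's directory holds no subscriber private key at all.
  if ls "$ca" | grep -q 'server.key'; then
    rm -rf "$work"; echo "ca-has-private-key"; return 1
  fi

  # Check 2: the public key in the issued cert is exactly the subscriber's.
  sub_pub=$(openssl pkey -in "$sub/server.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$ca/server.crt" -pubkey -noout)

  # Check 3: the issued cert chains to the CA root.
  openssl verify -CAfile "$ca/ca.crt" "$ca/server.crt" >/dev/null 2>&1

  rm -rf "$work"
  if [ "$sub_pub" = "$cert_pub" ]; then
    echo "pubkey-match"
  else
    echo "pubkey-mismatch"
  fi
}

# Stand-alone run: prints "pubkey-match" on success.
issue_via_csr
```

The check that matters for the argument above is the second one: the certificate is just the CA's signature over the subscriber's public key and name, so a party holding the CA key can sign a new certificate for the same name, but cannot reproduce the original fingerprint without the subscriber's CSR, and cannot decrypt traffic without the subscriber's private key, which never left `$sub`.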

> Nope! That would require the server operator to participate

Or it would require compromising the server [0]

[0] https://www.csoonline.com/article/3137065/shadow-brokers-lea...

Sure, but what I said absolutely stands: compromising the CA doesn't do you any good in practice.

Frankly though, I am going to say it; I think the idea that compromising a ton of web servers to be able to build a better profile of a user's web history is part of this UK government surveillance initiative is simply absurd. Compromising servers is a pretty nasty cat and mouse game, especially if you're up against orgs like Cloudflare, Amazon and Google. In practice, there's just no chance this is their strategy.

(And the game certainly isn't going to get any easier. You can, for example, use a TPM to generate your private keys, and have encryption occur on a TPM device, such that extracting them would require much more challenging exploits than just pwning some servers, meaning you'd need to actively have control over the servers to do anything interesting. It's not purely theory, either, though I do not know who is currently using this approach.)

Or just a CDN...much easier if they cooperate.

It could be that the Linux kernel random number generator has been backdoored on all the large cloud computing platforms. They could even be snooping the entropy pool in memory as the system is operating? You don't know what's really going on in a virtualized environment? Also, many BMCs have JTAG access to the CPU; what's the chance that they have implants in the BMCs, knowing how insecure they are?

https://www.asset-intertech.com/resources/blog/2017/12/micro...