I'm not sure that this is particularly interesting news. For starters, when "the government" wants to spy on you, they generally want to do so in such a way as to not reveal that they are doing so - using their own CA is a big tell that something fishy is going on (yes, only if you have the know-how and inclination to do so, but I'm thinking that this is probably the case for most people trying to keep secrets from the government). No, if they want to hack your SSL comms, they aren't going to do it by using a MITM attack backed by a government-issued root CA, they are going to do it by gaining access to a "neutral" CA (such as Verisign), and obtaining the root certificate's private key. Now you would have a much harder time of figuring out that something has gone wrong, but then, if you're paranoid about the government spying on you, and you are using a CA other than one you own yourself, you've already lost the battle. Trust is a Hard Problem(tm) to solve. Without using Certificate Authorities that you don't personally know, it is difficult to create a sufficiently trusted network. I think the best attempt at a description of such a system that I have seen is in Cory Doctorow's "Little Brother" (http://craphound.com/littlebrother/download/), but even there it seems to me that there were numerous problems for scaling, or even just avoiding invaders. All of which is to say that certificate-based technology coupled with CAs that you don't control is not a solution against state-level adversaries. Which in turn makes this entire article fear-mongering rather than a real discovery of a potential threat. In a more cynical mood, I might wonder about the author's motives: was this an attempt to distract away from the fact that the main CAs are not secure against state actors?
One nit to pick: obtaining Verisign's root CA key isn't enough to decrypt traffic over the wire. That would just allow Uncle Sam to issue fake certs that appear to be from Verisign. I think that savvy users might still notice that their cert looks different now (fingerprint, expiration, other details), and put the pieces together. Maybe you use a CA whose root key hasn't been obtained yet. I highly doubt the NSA or whoever would let a fake but validly signed cert into the wild where it can be captured and used to prove their capabilities once and for all.
They might use such a cert in a controlled environment where they are going to seize the target's system in a few minutes, I suppose. Instead, what they really need is either a way to break 2048-bit RSA (not inconceivable) or a way to get your real cert's private key.
To your point about trust and CAs: I don't think it's truly a matter of trust. Verisign, GlobalSign, Digicert, Entrust, et al. are all businesses. They are not inherently untrustworthy (nor trustworthy); they do what they must to be profitable and stay in business. It turns out that end user trust is substantially less important to that equation than remaining in compliance with the government of their host country.
I don't know how you solve that problem. The best thing about the early Internet was that, while heavily US-centric, it was often able to fly under the radar of government oversight and, to an extent, the rule of unpleasant laws. That's no longer possible. The Internet is a source of power and money, and now it has to contend with the oversight and regulation of thousands of governments doing what they do.
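The check the reply above alludes to (noticing that the key behind a certificate has changed even though the chain still validates), as an added example that is not part of this thread: it builds a trusted CA and a second, rogue CA that the trust store also accepts, then shows that chain validation alone accepts a certificate the rogue CA issued for the same host, while a pinned SubjectPublicKeyInfo hash rejects it. The CA names, the host name and all keys are constructed in memory for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds an in-memory certificate for the demo. With parent == nil it is a
// self-signed CA; otherwise it is a server certificate for name signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := tmpl, priv // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return cert, priv
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: recorded once, compared on every connection.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// check reports whether leaf chains to a trusted root for host, and separately whether it
// carries the pinned key. A rogue CA the trust store accepts passes the first, fails the second.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) (chainOK, pinOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, spkiPin(leaf) == pin
}
```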