--- On Tue, 3/30/10, Rayservers wrote:

...

Hello,

thank you. there was a small typo in the link you

From: Rayservers Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates To: "Sarad AV" Cc: cypherpunks@al-qaeda.net, teddks@gmail.com Date: Tuesday, March 30, 2010, 6:58 PM On 03/30/10 07:03, Sarad AV wrote: posted. it is

...

http://web.monkeysphere.info/

some questions.

Monkey sphere says: Everyone who has used a web browser has been

...

you want to connect?" warning message, which occurs when the browser finds the site's certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or

...

user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.

will try this out. in the meantime other questions related to browser certificates

1. How do we know which CA's (root/intermediate) have certified a domain xyz.com?

2. How do we know the CA trust chain. i.e. who all are

interrupted by the "Are you sure the identity of another the root CA's and who

...

are the intermediate CA's and which root CA is associated with a given intermediate CA?

3. Can we make the browser notify us if a domain was certified by an intermediate CA?

4. Say domain xyz.com is certified by CA 'A' and CA 'B' whose (root/intermediate) certificates are available in the browser. if i find CA 'B' to be malicious how can i get domain xyz.com certified by CA 'A'?

I have proposed that we strip out ALL outside certificate authorities from an open source browser, and distribute such... and to practice what I preach, I just went into FF and nuked the bunch - and whee, I can connect, verify the cert and login :). The USER - a la monkey sphere - has to decide if she trusts the Certificate Authority - who the hell are they anyway? And to answer my own rhetorical question - those that issue the highest TRUST certificates to licensed scammers a.k.a. the banks. I do not trust a single one of the recommendations of official CAs. If I am forced, like one has to in this world - to visit a bank website, I can figure out how much I distrust them all by

myself. All I want to know is "am I visiting the same site again"... and a "self signed" cert is all I need, "ssh style". And yes, I love the monkeysphere approach which would add meaningful levels of trust to that choice. And no - there is no difference in my trust level if the cert says "self signed" or "fairysign super duper" perhaps the former is better! - at least fairysign cannot go off and bless the MITM - especially of any sites I run!

Yes, that is a good idea. Thanks, Sarad.

The basic error of all these cryptographers is to confound security/encryption with identity. It is a very costly error to make, especially for the people who blindly use such technology, and one that history shall record as the thing that facilitated pervasive surveillance and the thought police [warning you are about to connect to a secure site!] and rampant electronic fraud - the fraud of misrepresentation by sleight of hand that bank liabilities are non-distinguishable from legal tender by the official scammers of this planet - the second layer of circular fraud piled upon the primary circular fraud of legal tender.

It is quite a spectacle really.

Cheers,

---Venkat.

...

Thank you, Sarad.

--- On Thu, 3/25/10, Ted Smith

wrote:

...

...

From: Ted Smith Subject: Re: Fwd: [ PRIVACY Forum ]

...

certificates

...

To: "Sarad AV" , "R.A. Hettinga" Cc: cypherpunks@al-qaeda.net Date: Thursday, March 25, 2010, 10:05 PM More promising (from my point of view) is killing X.509 and replacing it with OpenPGP, which is what www.mokeysphere.info is doing.

"Sarad AV" wrote:

...

Soghoian says they are releasing a Firefox add-on to notify users when a sitebs certificate is issued from an authority in a different country than the last certificate the userbs browser accepted from the site.

If you have any further information on it or any other countermeasures implemented, please do keep us in loop. this attack is upsetting.

Sarad.

--- On Thu, 3/25/10, R.A. Hettinga wrote:

...

From: R.A. Hettinga Subject: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates To: cypherpunks@al-qaeda.net Date: Thursday, March 25, 2010, 2:29 AM Begin forwarded message:

...

From: privacy@vortex.com Date: March 24, 2010 3:53:44 PM AST To: privacy-list@vortex.com Subject: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

----- Forwarded message from Dave Farber

---

...

Date: Wed, 24 Mar 2010 15:34:27 -0400 From: Dave Farber Subject: [IP] Surveillance via bogus

SSL certificates

...

Reply-To: dave@farber.net To: ip

Begin forwarded message:

> From: Matt Blaze > Date: March 24, 2010 3:09:19 PM EDT > To: Dave Farber > Subject: Surveillance via bogus SSL certificates >

> Dave, > > For IP if you'd like. > > Over a decade ago, I observed

...

...

commercial

...

...

certificate authorities

...

> protect you from anyone from whom

...

...

are

...

...

...

> That turns out to be wrong; they don't even do

unwilling to take money. that.

...

> > Chris Soghoian and Sid Stamm

...

...

...

...

...

> simple "appliance"-type box, marketed to law enforcement and > intelligence agencies in the US and elsewhere,

today that describes a that uses bogus

...

> certificates issued by *any* cooperative certificate authority to act as > a "man-in-the-middle" for encrypted web

paper traffic.

...

...

...

> > Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf > > What I found most interesting (and surprising) is that this sort of > surveillance is widespread enough to support fairly mature, turnkey > commercial products.B B It carries some significant disadvantages for > law enforcement -- most

Surveillance via bogus SSL that they published a particularly it

...

...

...

...

potentially can be

...

> detected. > > I briefly discuss the implications of

can be this kind of

...

...

surveillance at http://www.crypto.com/blog/spycerts/

...

> > Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet-forensics/ > > > -matt > > >

---

...

...

...

...

...

Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com

----- End forwarded message -----

---

...

...

...

privacy mailing list http://lists.vortex.com/mailman/listinfo/privacy

-- Sent from my Android phone with K-9. Please excuse lack of OpenPGP signature and brevity.

--- On Sat, 4/3/10, Dave Howe  wrote:

> From: Dave Howe 
> Subject: Re: Fwd: [ PRIVACY Forum ]  Surveillance via bogus SSL      certificates
> To: "Email List - Cypherpunks" 
> Date: Saturday, April 3, 2010, 4:19 PM
> Rayservers wrote:
> > I have proposed that we strip out ALL outside
> certificate authorities from an
> > open source browser, and distribute such... and to
> practice what I preach, I
> > just went into FF and nuked the bunch - and whee, I
> can connect, verify the cert
> > and login :). The USER - a la monkey sphere - has to
> decide if she trusts the
> > Certificate Authority - who the hell are they anyway?
> And to answer my own
> > rhetorical question - those that issue the highest
> TRUST certificates to
> > licensed scammers a.k.a. the banks. I do not trust a
> single one of the
> > recommendations of official CAs. If I am forced, like
> one has to in this world -
> > to visit a bank website, I can figure out how much I
> distrust them all by
> > myself. All I want to know is "am I visiting the same
> site again"... and a "self
> > signed" cert is all I need, "ssh style". And yes, I
> love the monkeysphere
> > approach which would add meaningful levels of trust to
> that choice. And no -
> > there is no difference in my trust level if the cert
> says "self signed" or
> > "fairysign super duper" perhaps the former is better!
> - at least fairysign
> > cannot go off and bless the MITM - especially of any
> sites I run!
> 
> Its a nice theory, but doesn't cover first-visit scenarios,
> nor the
> yearly rekey grind of giving CAs (large amounts of) money
> for the
> results of a fairly easy math problem.


The first visit scenario is definitely an issue. that brings it to the other question - why cannot CA's issue certificates to sites say like 10 years or 20 years and get the corresponding money for that. Most certificates issued by CA's usually have 2-3 years validity. Incase of a significant mathematical breakthrough the CA should provide an alternate secure certifying mechanism if the breakthrough occurred within the service period (10/20 years). The question is why do popular https sites not go for certificates that expire in 10/20 years if it helps security?



Another question, this one is specific to gmail - which the entire session is on https.

when i click a pdf in my gmail to be opened with google docs, the certificate is signed by google(used a third part browser plugin to check this). that is fine, however my browser never alerts me as a potential untrusted certificate and if want to add it as an exception. does that mean google is an intermediate CA or what does that mean?


Thank you,
Sarad AV



> 
> What I would prefer is some parallel system where person
> 'x', who I
> trust, may or may not have visited site 'y', and may or may
> not have
> signed the then certificate, the signature for which (with
> its date of
> providence) is then stored *on the site* for me to access
> though a
> well-known url. That way, I can look with suspicion at
> sites which do
> not have such a certificate, investigate myself if they are
> serving the
> certificate I am expecting to see (and how do I do that? I
> have tried in
> the past phoning companies to obtain their website public
> key for
> independent verification; most don't know what one is, a
> few have even
> said they can't disclose that as it is *priviledged
> information*....)
> 
> But, who do I trust for that, who do *you* trust for that,
> and will
> those people be wiling to give up a significant slice of
> time every year
> revisiting websites after their certificates are renewed,
> and facing the
> same hurdles I did (the complete ignorance of most
> companies as to how
> their websites' certificate works and unwillingness to
> supply an
> accurate fingerprint over the phone).

Rayservers wrote:

It is an issue similar to the issue of trust when you walk into a bazaar - a free market with *many* of two kinds of people: *buyers* and *sellers*.

Indeed, and many get scammed, then find the peddler they bought their "bargain" from isn't there the next day when they return.

By requiring everyone to have an "identity" card from the Queen of England** herself, it just makes the Queen more equal than anyone else. Soon, you cannot do business selling tomatoes grown in your backyard without a special license from the Queen - to ensure that you only used "approved" seeds... and on it goes.

Its certainly getting that way now. My local butchers are unable to make their own sausages - because the requirements for documenting and providing the ingredients for each "product" apply to that, and it is not economically viable to go though that process when they can instead buy a standard "mix" from a supplier, add a specified weight of specified meats, and then use the supplier's pre-certified documentation and ingredients list. Does that protect us against rogue food providers? possibly. Does it stop my (formerly award winning) butcher from selling me a superior product instead of the standardized one? yes, it does.

Grow up people - you have to do the work of learning to trust - all by yourself.

On the internet, nobody knows you are a dog. On your website, nobody can tell if you are or aren't really BigBank, BigBoxShifter, or BigManufacturer; there is therefore a market for certifying this, and the current climate (where you get to choose in a competitive market which lizard you select, but must select a lizard) is a viable approach; however, its plainly biassed in favour of the current incumbents, who have a vested interest in keeping prices high and consolidating against outsiders. A distributed model would be good, but even leaving aside key distribution issues for your trusted recommenders, it means that you are basing your own trust decision on two things - one, that the person certifying the site is himself trustworthy, and two, that the process was not compromised (if I wished to establish a scam site, and a distributed model was in place, the first few transactions would be *amazingly* honest and I would take pains to get those first few certifications well established... then fight tooth and nail to hang on to them and prevent any revocation being posted, no matter how many other people I scammed based on the mistaken trust assertion made by the early visitors.)

You better learn quick that trusting your friends is better than trusting the Queen of England herself - for neither you nor I know the Queen, and it seems she is a prisoner of certain people.

Or could be badly advised as to the trustworthyness of some of her couriers - because she herself doesn't know if a particular supplicant is honest and trustworthy, so must rely on others to assert that to her. But in essence, even if you have a lot of trustworthy friends, whose online community of interest is similar to yours, you are going to have to be first visitor to at least some of the sites - and the trust decision is then going to have to be made by you based on something other than the distributed network.

If, on the first visit, you are using a poisoned DNS system, or on a compromised operating system, then foo on you. The future will have neither, except at the option of the losers who wish to be losers.

The future will *always* have lusers. It's in the nature of the system - spam and phishing scams would not exist if there wasn't a profitable minority who believe that yes, there *is* a Nigerian out there who wishes to give them 6 million dollars, and all he needs is their bank details... that 90%+ of all email is now of this type just shows there is a profit to be made from the gullible being gullible. All attempts to "do something" about this will not make the gullible any safer, but will restrict what *you* can do without the permission of the state. Laws are, for the most part, to force the law abiding to not do things the scofflaws will ignore anyhow, even if the law abiding previously had a legitimate reason to do so.

that's the link if anyone doesnt prefer to follow the shortened url. http://www.theregister.co.uk/2010/04/06/mysterious_mozilla_apple_certificate... like Mr. Brennen says, this is very bad. i also wonder what the browser policy for major browsers are when a root CA company is acquired by another company. Is trust automatically transfered to the new company? Will the browser keep or revoke these certificates? Sarad. --- On Wed, 4/7/10, V. Alex Brennen wrote:

From: V. Alex Brennen Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates To: cypherpunks@al-qaeda.net Date: Wednesday, April 7, 2010, 7:37 AM Aside from a man in the middle attack, it's highly possible that browser developers are not doing a very good job of managing and auditing the root ca certificates that they ship included with the browser releases. Further, it's possible that CA's aren't doing a good job of keeping track of what certificates they submit to browser developers.

Take a look at this discussion:

http://bit.ly/a7b04A

After reading that discussion, I'd be much less surprised to hear that a bogus root ca certificate, even one that fraudulently identified its source as a major trusted ca, was included in a series of browser releases from at least one of the major developers.

- VAB

my bad.i meant disable/remove the certificate from the browser and not 'revoke' as such. Also curious, what is the browser's audit mechanism of the CA? what safeguards do the audit provide end users like us from malicious CA's and how is the audit carried out? Is a non disclosure agreement signed between the browser and the CA? Doesn't the following attack model also work. Say we have rouge intermediate CA X(trusted by the bowser) itself issuing a certificate to BankofA.com. Note: BankofA.com never requested this certificate from CA X. BankofA has its legitimate certificate issued by (say for example Verisign). Now, say that is possible to carry out a MITM attack at the end user (bank's client) ISP. When the end user opens BankofA.com on the browser, with the MITM in place - the fake certificate issued by CA X will be presented to the end user. The end user's browser trusts CA X and no red flags are raised. If any monetary transactions are carried out, all the money can be funneled out. Thank you, Sarad AV

From: Peter Gutmann Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates To: alexbrennen@gmail.com, jtrjtrjtr2001@yahoo.com Cc: cypherpunks@al-qaeda.net Date: Saturday, April 10, 2010, 5:14 AM Sarad AV writes:

...

i also wonder what the browser policy for major browsers are when a root CA company is acquired by another company. Is trust automatically transfered to the new company?

Yes. When your CA goes bankrupt its only significant asset is often the root CA cert(s) it owns, which get onsold to the highest bidder by the receivers. This has occurred numerous times in the past, and some roots have been onsold multiple times, since it's both a means of monetising the CA's remaining assets and (usually) the cheapest way for a new CA to get their own cert.

...

Will the browser keep or revoke these certificates?

Keep.

(I'm not sure whether the browser vendor will even know if it's been on-sold, or how the vendor is supposed to know unless the new owner volunteers the information. Also you can't really "revoke" a root, and the browser vendors certainly can't do it, the best they can do is disable/remove it in the next release).

Peter.

Sarad AV wrote:

The first visit scenario is definitely an issue. that brings it to the other question - why cannot CA's issue certificates to sites say like 10 years or 20 years and get the corresponding money for that.

They can. There is the revocation issue (once a certificate passes its validity date, they no longer need to store a revocation for it if it was revoked; for one and two year certificates that is only one or two years, but if it were longer than that the CRL would be correspondingly larger. certificates can *specify* where the CRL is, giving a mechanism to assign a different URL to each year's offerings, but surprisingly, many of the older CAs don't use it and rely on the browser having hard-coded data for the CRL. I think it is more that most sites don't want to pay that sort of cash up front for their cert - with the current crop of EV certificates exceeding #400/year, a 10 year cert would be in excess of #4K, and a 20 year 9K or more. even with a discount, that's a *lot* of upfront cost for a business. Another factor is that prices for normal certificates have been steadily declining, year on year, for some time now - even given that money *now* is worth more than money this time next year, if the cert is going to be cheaper next year in absolute terms, you would be ill advised to to buy too many years up front at the higher price. EV is another good example of a factor; it didn't exist a few years ago, now it is a "must have" for big name sites. What will the next big thing be five years from now, and would it mean discarding your expensive 10 year certificate for the new and more secure "we really really check you are who you claim to be, this time, honest" Super EV that is then considered a requirement? Finally, will you still be called the same thing ten years from now? companies change, their branding (and corporate image) changes, they merge and split; you may not wish to have five more years as www.superwidget.com if you no longer make widgets, and your company name has changed to megagadget...

Most certificates issued by CA's usually have 2-3 years validity.

still a lot of one year certs out there - bigger sites may find the trouble of renewal on what is only a small difference in price an issue, and thus go with a longer certificate, but the default for most purchases is the One year cert. But regardless - the whole pricing structure of the CA market is commercial - certificates exist *only* to make money for commercial CAs; any actual security benefit is a side effect.

Incase of a significant mathematical breakthrough the CA should provide an alternate secure certifying mechanism if the breakthrough occurred within the service period (10/20 years). The question is why do popular https sites not go for certificates that expire in 10/20 years if it helps security?

Because it doesn't. the vast majority of browsers don't report a certificate that has changed since your last visit - because they don't keep a copy of the certificate to verify against. Those that do have been specifically modified for that purpose by their users - as is detailed in this thread, pretty much - and suffer from the first visit problem because there is no mechanism to say "if it is a cert I don't have, verify it against the CA, tell me which CA it is (and if that seems a sane choice) and then store a copy so next time I have my own standard to refer to". There is also no mechanism to chain from a trusted certificate that is due to expire (or already has) to a new, not yet verified one. But then, there is no commercial incentive for either of these features, as browsers are happy to support the commercial CA model, and certainly the commercial CAs don't want anyone to leave the hierarchical "CA as god" model.

Another question, this one is specific to gmail - which the entire session is on https.

when i click a pdf in my gmail to be opened with google docs, the certificate is signed by google(used a third part browser plugin to check this). that is fine, however my browser never alerts me as a potential untrusted certificate and if want to add it as an exception. does that mean google is an intermediate CA or what does that mean?

You should be able to check the certificate chain on the object and see. I haven't tried this (and given its 1am I am not going to now, but I may do so when I get time :)