Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-14 Thread Jeffrey Walton
On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin  wrote:
>
> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>
>> [Jeffrey Walton  (2012-02-12 10:57:02 UTC)]
>>
>>> (1) How can a company actively attack a secure channel and tamper with
>>> communications if there are federal laws prohibiting it?
>>
>> IANAL, as they say, but I guess they are acting under the presumption
>> that any communication originating in the company's own is the
>> company's own communication, and so they can do anything they please
>> with it. It could be argued that the notion of "tampering" with your
>> own communications doesn't make sense, and so there is no breach of
>> federal law.
>>
>> I am not defending the above interpretation, nor am I saying for sure
>> that it holds water. But I think it is a reasonable guess, at least
>> that the company's lawyers will use arguments along those lines
>> (albeit argued in more legalese terms) if they had to defend this
>> practice.
>
>
> Although I'm not a lawyer, I've worked with a number of lawyers on the
> wiretap act, and have been studying it for close to 20 years.  I do not
> see any criminal violation.
>
> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
> if "design of such device renders it primarily useful for the purpose of
> the surreptitious interception of wire, oral, or electronic communications".
> Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
> (http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
> section would seem to say that intra-company wires aren't covered.  But
> a better explanation of that can be found in Ruel Torres Hernandez, "ECPA
> and online computer privacy", Federal Communications Law Journal, 41(1):17–41,
> November 1988.  He not only concluded that the ECPA did not bar a company
> from monitoring his own devices, he quoted a participant in the law's
> drafting process as saying that that was by intent.  California law bars
> employers from monitoring employee phone calls, but in 1991 a court there
> explicitly ruled that monitoring email was permissible -- or rather, that
> it wasn't barred by a statute that only spoke of phone calls.
I looked at the cited cases. As a layman, I'm not contesting the fact
that an employer has a right to monitor its employees, and I
understand why some of the plaintiff positions were indefensible in
civil court.

I'm talking about violation of US Code and criminal cases. Remember, a
lot of these corporations wanted harsh regulations for folks breaking
into their [insecure] networks. Obviously, they don't want to eat
their own dog food. But some of this stuff is sufficiently broad so
that their actions are criminal despite their intentions or desires.

Whether they like it or not (or agree or disagree), they were only
authorized to transmit traffic. Here, I speak of the communications
between two parties - A and B. When they peeled away SSL/TLS, they
exceeded their authorization. Even if party A agreed to be monitored,
I doubt party B also agreed 'a priori,' especially if party B did not
reside on the same corporate network. Hence a criminal violation of
federal code.

Anyway, that's how I learned to interpret these things when studying
for my LSATs (the LSATs were an annoying logic game of contrived
scenarios). And I know LSAT study guides and practice tests are a far
cry from the real world, where an afternoon of golf can fix a lot of
problems.

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-14 Thread Marsh Ray

On 02/14/2012 09:02 PM, Jon Callas wrote:

> If you implement something like the
> Certificate Transparency, you have an authenticated database of
> authoritative data to replicate the oracle with.

How important is it that the data be authenticated/authoritative in this
case?

> Waving my hand and making software magically appear, I'd combine
> Certificate Transparency and such an oracle, and compute
> the status of the key as part of the certificate logs and proofs.

CAs are sort of taking a beating in the public view these days. Such a
service could be the kind of thing they either use as a QoS
differentiator, or something they collaborate on as an industry to help
build some public trust.

I bet there are some graduate students looking for nice, limited-scope
summer internship projects...but it may be bigger scope than that.


- Marsh


Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-14 Thread Jon Callas

On 14 Feb, 2012, at 5:58 PM, Steven Bellovin wrote:

> The practical import is unclear, since there's (as far as is known) no
> way to predict or control who has a bad key.
> 
> To me, the interesting question is how to distribute the results.  That
> is, how can you safely tell people "you have a bad key", without letting
> bad guys probe your oracle.  I suspect that the right way to do it is to
> require someone to sign a hash of a random challenge, thereby proving
> ownership of the private key, before you'll tell them if the
> corresponding public key is in your database.

Yeah, but if you're a bad guy, you can download the EFF's SSL Observatory and 
just construct your own oracle. It's a lot like rainbow tables in that once you 
learn the utility of the trick, you just replicate the results. If you 
implement something like the Certificate Transparency, you have an 
authenticated database of authoritative data to replicate the oracle with.

Waving my hand and making software magically appear, I'd combine Certificate 
Transparency and such an oracle, and compute the status of the key 
as part of the certificate logs and proofs.

Jon



Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-14 Thread Steven Bellovin

On Feb 14, 2012, at 7:50 14PM, Michael Nelson wrote:

> Paper by Lenstra, Hughes, Augier, Bos, Kleinjung, and Wachter finds that two 
> out of every one thousand RSA moduli that they collected from the web offer 
> no security.  An astonishing number of generated pairs of primes have a prime 
> in common.  Once again, it shows the importance of proper randomness (my 
> remark).
> 
> http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=1&hp
> 
> 
> The paper:
> 
> http://eprint.iacr.org/2012/064.pdf


The practical import is unclear, since there's (as far as is known) no
way to predict or control who has a bad key.

To me, the interesting question is how to distribute the results.  That
is, how can you safely tell people "you have a bad key", without letting
bad guys probe your oracle.  I suspect that the right way to do it is to
require someone to sign a hash of a random challenge, thereby proving
ownership of the private key, before you'll tell them if the
corresponding public key is in your database.


--Steve Bellovin, https://www.cs.columbia.edu/~smb
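
The proof-of-ownership gate proposed in the message above, sketched as an added example that is not part of the original thread. The class and function names, the Mersenne-prime toy keys and the unpadded textbook RSA signature are all assumptions made so that it runs offline; a real service would verify a standard padded signature scheme.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the constructed toy keys


def make_toy_key(p_exp, q_exp):
    """Build a toy RSA key (n, d) from two Mersenne primes 2**k - 1.

    Constructed sample keys only: these primes are public knowledge, so the
    moduli are trivially factorable and must never be used for real traffic.
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


def fingerprint(n):
    """SHA-256 over the big-endian modulus, used as the database key."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def challenge_digest(challenge):
    """Hash of the random challenge, as the integer that gets signed."""
    digest = hashlib.sha256(b"bad-key-oracle|" + challenge).digest()
    return int.from_bytes(digest, "big")


def sign_challenge(challenge, n, d):
    """Key owner's side: textbook RSA signature over the challenge hash."""
    return pow(challenge_digest(challenge), d, n)


class BadKeyOracle:
    """Answers "is this modulus listed?" only to someone holding the private key."""

    def __init__(self, bad_moduli):
        self._bad = {fingerprint(n) for n in bad_moduli}
        self._pending = {}  # challenge bytes -> modulus it was issued for

    def issue_challenge(self, n):
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = n
        return challenge

    def query(self, n, challenge, signature):
        # A challenge is single use and bound to the modulus it was issued
        # for, so a captured response cannot be replayed for a second answer.
        issued_for = self._pending.pop(challenge, None)
        if issued_for is None or issued_for != n:
            return "refused"
        # The digest must be smaller than the modulus for the check to be sound.
        if n.bit_length() <= 256 or not 0 < signature < n:
            return "refused"
        if pow(signature, E, n) != challenge_digest(challenge):
            return "refused"  # no proof of ownership, so no status is revealed
        return "listed" if fingerprint(n) in self._bad else "not-listed"


if __name__ == "__main__":
    weak_n, weak_d = make_toy_key(521, 607)      # constructed "bad" key
    clean_n, clean_d = make_toy_key(1279, 2203)  # constructed unlisted key
    oracle = BadKeyOracle([weak_n])

    c = oracle.issue_challenge(weak_n)
    print("owner:", oracle.query(weak_n, c, sign_challenge(c, weak_n, weak_d)))

    c = oracle.issue_challenge(weak_n)
    print("prober:", oracle.query(weak_n, c, sign_challenge(c, clean_n, clean_d)))
```

Every refusal returns the same answer, so a caller who cannot sign learns nothing about whether the modulus is in the database.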







Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread dan

If this conversation on the death penalty gets taken offline,
take me along for the ride but it just doesn't seem germane
to crypto so I'm holding my tongue.

--dan



Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread James A. Donald

On 2012-02-15 7:57 AM, Ralph Holz wrote:

>>> You know, I can't help but think of the resemblance to the real world
>>> death penalty for humans - AFAICT it does not seem to deter criminals.

James A. Donald:

>> Singapore has approximately  one hundredth to one thousandth the crime
>> rate of western democracies - near zero rapes, and dramatically fewer
>> murders. Not only is their lower class law abiding, their bankers and
>> bureaucrats, unlike ours are also law abiding.
>>
>> From which it is evident that the death penalty *does* deter, both for
>> institutions and individuals.

Ralph Holz:

> May I, just for reasons of comparison, have the same numbers for the US,
> especially the states with a death penalty, and the UK and/or DE?

Although several US states theoretically have the death penalty pro
forma, no US states have the death penalty in actual practice, nor have
they had the death penalty to any extent likely to deter anyone
throughout most of the twentieth century.  Even prisoners that get sick
of jail and demand execution are apt to be old men before they get it.

For a valid comparison, need to compare the US today with the US in
1910, or the US today with Singapore today, or Saudi Arabia today, or
China today.




[cryptography] Duplicate primes in lots of RSA moduli

2012-02-14 Thread Michael Nelson
Paper by Lenstra, Hughes, Augier, Bos, Kleinjung, and Wachter finds that two 
out of every one thousand RSA moduli that they collected from the web offer no 
security.  An astonishing number of generated pairs of primes have a prime in 
common.  Once again, it shows the importance of proper randomness (my remark).

http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=1&hp


The paper:

http://eprint.iacr.org/2012/064.pdf


Mike


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Harald Hanche-Olsen
[Ralph Holz  (2012-02-14 21:57:17 UTC)]

> > From which it is evident that the death penalty *does* deter, both for
> > institutions and individuals.
> 
> May I, just for reasons of comparison, have the same numbers for the US,
> especially the states with a death penalty, and the UK and/or DE?

Gentlemen,

While I admit I agree with one of you *much* more than with the other,
I am not going to disclose which in this forum. May I suggest you take
this discussion elsewhere, before it gets out of hand?

- Harald


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

>> You know, I can't help but think of the resemblance to the real world
>> death penalty for humans - AFAICT it does not seem to deter criminals.
> 
> Singapore has approximately  one hundredth to one thousandth the crime
> rate of western democracies - near zero rapes, and dramatically fewer
> murders. Not only is their lower class law abiding, their bankers and
> bureaucrats, unlike ours are also law abiding.
> 
> From which it is evident that the death penalty *does* deter, both for
> institutions and individuals.

May I, just for reasons of comparison, have the same numbers for the US,
especially the states with a death penalty, and the UK and/or DE?

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread James A. Donald

On 2012-02-14 8:40 PM, Ralph Holz wrote:

> issuing a death sentence to a CA who has
> disclosed is counter-productive. It will drive the others deeper into
> hiding.
>
> You know, I can't help but think of the resemblance to the real world
> death penalty for humans - AFAICT it does not seem to deter criminals.


Singapore has approximately  one hundredth to one thousandth the crime 
rate of western democracies - near zero rapes, and dramatically fewer 
murders. Not only is their lower class law abiding, their bankers and 
bureaucrats, unlike ours are also law abiding.


From which it is evident that the death penalty *does* deter, both for 
institutions and individuals.


In the lead up to the great financial crisis, the Singaporean government 
told financial institutions that they should refrain from excessive 
maturity transformation, that institutions that were broke would not be 
bailed out, (the death penalty for institutions) and that people who 
misrepresented their institution's exposure would be punished. 
(Imprisonment and possibly flogging for people mismanaging financial 
institutions, or corruptly regulating them)


Guess how Singapore did when the crisis broke.



Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

>> BTW, what we do not address is an attacker sending us many forged chains
>> and/or traces. We don't want clients to have to register with our server
>> and obtain an identity. That's a sore point.
> 
> Aren't the certs of interest those that chain to a well-known root?
> So they could be validated, and those that don't could be efficiently
> discarded. At that point, the attacker is reduced to effectively doing
> an SSL DoS on you which is likely to grow old quickly.

Yes, the certs are the lesser problem. The problem is that hunting tasks
can be pulled by anyone from the server and results sent back. This is
still not too bad DoS-wise, but it allows forged traceroute results to be sent.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Marsh Ray

On 02/14/2012 02:56 PM, Ralph Holz wrote:

> BTW, what we do not address is an attacker sending us many forged chains
> and/or traces. We don't want clients to have to register with our server
> and obtain an identity. That's a sore point.

Aren't the certs of interest those that chain to a well-known root?

So they could be validated, and those that don't could be efficiently
discarded. At that point, the attacker is reduced to effectively doing
an SSL DoS on you which is likely to grow old quickly.


- Marsh


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

>> As Crossbear's assessment is not something everyday users will
>> understand, we ourselves view Crossbear as the tool that, e.g., a
>> travelling security aficionado/hacker/interested person might want to
>> use, but not your average guy. Our goal is to find out how many Mitm
>> actually happen, and how, and where. That's why Crossbear has this
>> second component, the hunting tasks.
> 
> Interesting -- will this work, in the case of authorized MITM of the
> network the client's on?  The second SSL connection will always fail,
> since the MITM device will MITM it.  Perhaps there should be an option
> to retrieve results separately and later?

Yes, things start to become difficult when the middle-box goes and
actively meddles with the messages the client sends to the server. That
sure is a dedicated attacker now that is also built to defeat Crossbear.
We have the CB server's cert hard-coded in the client, so we can encrypt
to the server and check its signatures, too, and be sure who's talking
to the client. If the attacker starts to drop CB server messages, our
first reaction is to warn the user that there might be foul play and
that he's now unprotected. Unfortunately, there's no way to distinguish
deleted messages from network outage or similar faults.

So, yes, we have thought about extending Crossbear to a) store the
results and try to send them later (should work for mobile devices) or
b) try and switch to other channels. We're not quite sure about the
latter as the question is really how much power your attacker has. Use
the user's mail client and create a mail, anonymous FTP, WebDAV - OK.
Maybe a Tor hidden service for the extreme cases? None of these is
built-in so far.

BTW, what we do not address is an attacker sending us many forged chains
and/or traces. We don't want clients to have to register with our server
and obtain an identity. That's a sore point.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Thor Lancelot Simon
On Tue, Feb 14, 2012 at 09:35:45PM +0100, Ralph Holz wrote:
> 
> As Crossbear's assessment is not something everyday users will
> understand, we ourselves view Crossbear as the tool that, e.g., a
> travelling security aficionado/hacker/interested person might want to
> use, but not your average guy. Our goal is to find out how many Mitm
> actually happen, and how, and where. That's why Crossbear has this
> second component, the hunting tasks.

Interesting -- will this work, in the case of authorized MITM of the
network the client's on?  The second SSL connection will always fail,
since the MITM device will MITM it.  Perhaps there should be an option
to retrieve results separately and later?

Thor


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

>> Following your argument, in fact, we should have a large DB with Mitm
>> certs and incidents already. We don't - but not because CAs would not
>> have issued Mitm certs for Sub-CAs, surely?
>>
>> No, CAs would try to hide the fact that they have issued certs that are
>> good for Mitm a corporate network. Some big CAs -- too big to fail even,
>> maybe, and what about them? -- have not yet publicly stated that they
>> have never issued such certs. I think giving them a chance at amnesty is
>> a better strategy.
> That penalizes CAs who choose to operate ethically and within the
> bounds of contractual agreements. Just sayin

Well, it's a point one can make.

The question is whether pulling someone's root would help the ethical
guys so much more, however, or whether having operated un-ethically has
given the others so much of an advantage. On the whole, the net gain in
security seems better with Marsh's proposal.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

> In both cases, Crossbear will detect a MITM device, yes?  But in one
> case, the device is authorized to sign for the entities it's signing
> certificates for, and in the other, it's not.
> 
> This does not in any way diminish the usefulness of Crossbear as a tool
> for detecting MITM devices.  But what's interesting about what happens
> in these two cases is that it's _whether the user is being deceived_
> that differs.  Crossbear can't know that -- the user has to supply the
> knowledge of whether there is, in fact, an authorized MITM in place.

Ah, I see where you're going with this.

Crossbear signals its findings to the client browser, via a separate SSL
connection (the CB server cert is hard-coded into the Crossbear client).
The assessment comes complete with a view of what others are seeing,
including a view we obtain by asking Convergence. The suspicious chain
is sent to our database for human analysis.

As Crossbear's assessment is not something everyday users will
understand, we ourselves view Crossbear as the tool that, e.g., a
travelling security aficionado/hacker/interested person might want to
use, but not your average guy. Our goal is to find out how many Mitm
actually happen, and how, and where. That's why Crossbear has this
second component, the hunting tasks.

BTW: Crossbear's assessment still leaves some potential for false
positives: there are plenty of server farms out there that use more than
one (valid) chain. If a new but valid one pops up, no system can know it
at first. That's where all these notary-based systems get in trouble
when they cache (and they have to, at least on the global scale, like
Convergence).

> And that is precisely what is wrong with what Trustwave did: they tried
> to make it look like there was no MITM in place instead of an unauthorized
> one, where in this case "authorized" means "the administrator of the client
> node positively agreed to have that node's traffic MITMed".

Yes, fully agreed. But I still think pulling their root would have given
the wrong incentive to CAs.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Jeffrey Walton
On Tue, Feb 14, 2012 at 9:51 AM, Ralph Holz  wrote:
> Hi,
>
>> Well I am not sure how they can hope to go very far underground.  Any and
>> all users on their internal network could easily detect and anonymously
>> report the mitm cert for some public web site with out any significant risk
>> of it being tracked back to them.  Game over.  So removal of one CA from a
>> major browser like mozilla would pretty much end this practice if it is
>> true
>> that any CAs other than trustwave actually did this...
>
> If all users used a tool like Crossbear that does automatic reporting,
> yes. But tools like that are a recent development (and so is
> Convergence, even though it was predated by Perspectives).
>
> More importantly, however, how capable do you judge users to be? How
> wide-spread do you expect such tools to become? Most users wouldn't know
> what to look for in the beginning, and they would much less care.
>
> Following your argument, in fact, we should have a large DB with Mitm
> certs and incidents already. We don't - but not because CAs would not
> have issued Mitm certs for Sub-CAs, surely?
>
> No, CAs would try to hide the fact that they have issued certs that are
> good for Mitm a corporate network. Some big CAs -- too big to fail even,
> maybe, and what about them? -- have not yet publicly stated that they
> have never issued such certs. I think giving them a chance at amnesty is
> a better strategy.
That penalizes CAs who choose to operate ethically and within the
bounds of contractual agreements. Just sayin

Jeff


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Thor Lancelot Simon
On Tue, Feb 14, 2012 at 09:13:11PM +0100, Ralph Holz wrote:
> 
> > It is not so hard really to see the conceptual difference between the two
> > cases.  But to tools like Crossbear, they basically look the same.
> 
> Why? Crossbear sends the full certificate chain it sees to the CB
> server, where it is compared with the full chain that the CB server sees
> (plus a few more servers, too, actually, that it can ask). Convergence,
> AFAICT, does the same. If you're inside the corporate network, the
> certificate chain in the SSL handshake cannot be the same, and both
> systems will detect them.

In both cases, Crossbear will detect a MITM device, yes?  But in one
case, the device is authorized to sign for the entities it's signing
certificates for, and in the other, it's not.

This does not in any way diminish the usefulness of Crossbear as a tool
for detecting MITM devices.  But what's interesting about what happens
in these two cases is that it's _whether the user is being deceived_
that differs.  Crossbear can't know that -- the user has to supply the
knowledge of whether there is, in fact, an authorized MITM in place.

And that is precisely what is wrong with what Trustwave did: they tried
to make it look like there was no MITM in place instead of an unauthorized
one, where in this case "authorized" means "the administrator of the client
node positively agreed to have that node's traffic MITMed".

Thor


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

> Pardon my ignorance.  Just tried to Google these, and cannot find them.
> Could you give links?

Crossbear (disclaimer - it's our own):
https://pki.net.in.tum.de/taxonomy/term/3
Slides: https://pki.net.in.tum.de/node/4
Github: https://github.com/crossbear/Crossbear

We will submit the XPI to the Mozilla Add-On Store soon (code is fixed
according to their feedback; now we need to get the new server up, and
install the CA-signed cert Mozilla requires us to have).

Moxie's Convergence:
http://convergence.io/

Best regards,
Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

>> If all users used a tool like Crossbear that does automatic reporting,
>> yes.
> 
> Not really -- and this I think goes to the root of why what was done here
> is so evil.

[... many correct things omitted, sorry ...]

> It is not so hard really to see the conceptual difference between the two
> cases.  But to tools like Crossbear, they basically look the same.

Why? Crossbear sends the full certificate chain it sees to the CB
server, where it is compared with the full chain that the CB server sees
(plus a few more servers, too, actually, that it can ask). Convergence,
AFAICT, does the same. If you're inside the corporate network, the
certificate chain in the SSL handshake cannot be the same, and both
systems will detect them.

Where Crossbear goes further is that it will now start requesting
traceroutes from participating systems to find out where in the network
the Mitm is.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF







Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Thor Lancelot Simon
On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
> Hi,
> 
> > Well I am not sure how they can hope to go very far underground.  Any and
> > all users on their internal network could easily detect and anonymously
> > report the mitm cert for some public web site with out any significant risk
> > of it being tracked back to them.  Game over.  So removal of one CA from a
> > major browser like mozilla would pretty much end this practice if it is
> > true
> > that any CAs other than trustwave actually did this...
> 
> If all users used a tool like Crossbear that does automatic reporting,
> yes.

Not really -- and this I think goes to the root of why what was done here
is so evil.

It is common practice on many networks in certain industries to deploy
SSL MITM devices which terminate, decrypt, examine, and reencrypt all
traffic.  However, the usual way to do this is to generate a new CA
certificate for the MITM device and load it into all the systems expected
to be connected to the network in question as a trusted root.

In this case, the owner of the network has chosen, by policy, to not
allow devices to perform SSL unless they trust the network's own CA,
and that CA has an effective policy which expressly allows it to
facilitate MITM of SSL traffic.  I do not find this unreasonable for
certain environments, and if users choose to bring their private devices
onto those networks, they have to take a positive step to facilitate
this examination of their traffic -- they have to install the MITM CA's
certificate as a trusted root.

But what Trustwave did is very, very different.  They sold a sub-root
that seems almost tailor-made to deceive users into thinking that MITM
was *not* taking place.  After all, if the intent were not to deceive
the network's users, the usual solution (where the client node's
administrator must accept the MITM device's CA) would have sufficed.

If the intent was not (primarily) to deceive but rather to allow MITM
device deployment with less administrative hassle, I can say only
these things:

A) It might be easier for me to get petty cash for my legitimate
   business purposes by mugging people in the street than by
   filling out corporate paperwork but that does not make it OK
   to mug people in the street.

B) If we are to believe Trustwave's claims about how they
   secured and audited the device on which this CA's keys were
   stored, is it really plausible that this was done for ease
   of administration, compared to the "standard" solution?

It is not so hard really to see the conceptual difference between the two
cases.  But to tools like Crossbear, they basically look the same.

Bad, bad, bad.

Thor

P.S. If one really wanted to know what CAs were in the business of selling
 these, one might try using any leverage one had handy to press the
 manufacturers of the MITM devices, who very likely know because their
 support or engineering personnel will have seen it in the field.  I
 can think of some pretty simple ways Mozilla could seek to obtain
 this information from the device manufacturers, if Mozilla wanted to
 play hardball.


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Steven Bellovin

On Feb 14, 2012, at 1:16 23PM, Jon Callas wrote:

> 
> On Feb 14, 2012, at 7:42 AM, ianG wrote:
> 
>> On 14/02/12 21:40 PM, Ralph Holz wrote:
>>> Ian,
>>> 
>>> Actually, we thought about asking Mozilla directly and in public: how
>>> many such CAs are known to them?
>> 
>> It appears their thoughts were "none."
>> 
>> Of course there have been many claims in the past.   But the Mozilla CA desk 
>> is frequently surrounded by buzzing small black helicopters so it all 
>> becomes noise.
> 
> I've asked about this, too, and the *documented* evidence of this happening 
> is exactly that -- zero.
> 
> I believe it happens. People I trust have told me, whispered in my ear, and 
> assured me that someone they know has told them about it, but there's 
> documented evidence of it zero times.
> 
> I'd accept a screen shot of a cert display or other things as evidence, 
> myself, despite those being quite forgeable, at this point.
> 
> Their thoughts of it being none are reasonably agnostic on it.
> 
> Those who have evidence need to start sharing.
> 

A related question...

Sub-CAs for a single company are obviously not a problem.  Thus, if a major CA 
were to issue WhizzBangWidgets a CA cert capable of issuing certificates for 
anything in *.WhizzBangWidgets.com, it would be seen as entirely proper.  The 
issue is whether or not that sub-CA can issue certificates for, say, 
google.com.  The restriction is enforced by the Name Constraints field in the 
CA's cert.  However, this is seldom-enough seen that I have no idea if it's 
actually usable.  So -- do major cert-accepting programs examine and honor this 
field, and do it correctly?  I know that OpenSSL has some code to support it; 
does it work?  What about Firefox's?  The certificate-handling code in various 
versions of Windows?  Of MacOS?


--Steve Bellovin, https://www.cs.columbia.edu/~smb
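
The check asked about in the message above, as an added example that is not part of the original thread: the dNSName Name Constraints rules of RFC 5280 section 4.2.1.10, applied to a sub-CA limited to WhizzBangWidgets.com. The function names, the wildcard-overlap rule for excluded subtrees and the sample names are assumptions of this example; it takes already-parsed names rather than DER certificates.

```python
# Added illustration: dNSName name-constraint matching (RFC 5280, 4.2.1.10).
# All names and constraint sets used with it are constructed sample data.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def within_subtree(name, subtree):
    """True if name equals subtree or adds whole labels to its left."""
    n, s = _labels(name), _labels(subtree)
    return n[-len(s):] == s

def may_overlap(name, subtree):
    """Exclusion test: also catches a wildcard SAN that could expand
    into the excluded subtree (assumption: '*' covers exactly one label)."""
    n, s = _labels(name), _labels(subtree)
    if within_subtree(name, subtree):
        return True
    return n[0] == "*" and len(n) == len(s) and n[1:] == s[1:]

def names_allowed(dns_names, permitted=None, excluded=()):
    """Return (ok, reason) for a leaf's dNSName SANs under the issuing
    sub-CA's constraints. permitted=None models an absent
    permittedSubtrees for dNSName, i.e. no allow-list at all."""
    for name in dns_names:
        for sub in excluded:
            if may_overlap(name, sub):
                return False, f"{name} falls in excluded subtree {sub}"
        if permitted is not None and not any(
                within_subtree(name, p) for p in permitted):
            return False, f"{name} is outside every permitted subtree"
    return True, "all names within constraints"

def validate(dns_names, permitted, excluded, critical, client_supports_nc):
    """Model the relying party, including one that lacks support for
    the extension (the 'do clients honor this field' question)."""
    if not client_supports_nc:
        if critical:
            # RFC 5280: an unrecognised critical extension means reject.
            return False, "unrecognised critical extension: chain rejected"
        return True, "extension ignored: sub-CA is effectively unconstrained"
    return names_allowed(dns_names, permitted, excluded)

if __name__ == "__main__":
    allow = ["whizzbangwidgets.com"]
    for san in ["www.WhizzBangWidgets.com", "google.com",
                "evilwhizzbangwidgets.com", "*.com"]:
        print(san, validate([san], allow, [], True, True))
```

The last branch of `validate` is the case to test real clients for: a constraint that is marked non-critical, or a verifier that skips the extension, leaves the sub-CA able to issue for any name.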







Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread William Allen Simpson

On 2/14/12 9:51 AM, Ralph Holz wrote:

> If all users used a tool like Crossbear that does automatic reporting,
> yes. But tools like that are a recent development (and so is
> Convergence, even though it was predated by Perspectives).


Pardon my ignorance.  Just tried to Google these, and cannot find them.
Could you give links?


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Jon Callas

On Feb 14, 2012, at 7:42 AM, ianG wrote:

> On 14/02/12 21:40 PM, Ralph Holz wrote:
>> Ian,
>> 
>> Actually, we thought about asking Mozilla directly and in public: how
>> many such CAs are known to them?
> 
> It appears their thoughts were "none."
> 
> Of course there have been many claims in the past.   But the Mozilla CA desk 
> is frequently surrounded by buzzing small black helicopters so it all becomes 
> noise.

I've asked about this, too, and the *documented* evidence of this happening is 
exactly that -- zero.

I believe it happens. People I trust have told me, whispered in my ear, and 
assured me that someone they know has told them about it, but there's 
documented evidence of it zero times.

I'd accept a screen shot of a cert display or other things as evidence, myself, 
despite those being quite forgeable, at this point.

Their thoughts of it being none are reasonably agnostic on it.

Those who have evidence need to start sharing.

Jon




Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread ianG

On 14/02/12 21:40 PM, Ralph Holz wrote:

> Ian,
>
> Actually, we thought about asking Mozilla directly and in public: how
> many such CAs are known to them?

It appears their thoughts were "none."

Of course there have been many claims in the past.   But the Mozilla CA
desk is frequently surrounded by buzzing small black helicopters so it
all becomes noise.

> I'd have thought that some would have
> disclosed themselves to Mozilla after the communication of the past few
> weeks. Your mail makes it seem as if that was not the case, or not to a
> satisfying degree.

Sigh.  One of the things that went very wrong with Mozilla is that the
CAs started private non-disclosable discussions.  Of course, this led to
a lot of manipulation, and basically we have no idea what things have
happened behind the covers.  It's now the case that the open forum has
very little influence and CAs in private & confidential conversations
have most or practically all of the influence.

So even if they have disclosed it in the last few weeks, we are likely
never to know.  Which means that Mozilla's decision will be announced in
a vacuum.  Nobody will be happy.

> Which makes me support Marsh Ray's one-strike
> proposal even more strongly: issuing a death sentence to a CA who has
> disclosed is counter-productive. It will drive the others deeper into
> hiding.
>
> You know, I can't help but think of the resemblance to the real world
> death penalty for humans - AFAICT it does not seem to deter criminals.

The only real power Mozilla has is to strike them off the root list.
It's only been done when the decision was easy for other reasons.

I agree that this is the most interesting and challenging thing to hit
Mozilla in a while.  Coz of the whole trust and reliance thing; users
put a lot of their trust in Mozilla.

iang

> Ralph
>
> On 02/14/2012 03:31 AM, ianG wrote:
>
>> Hi all,
>>
>> Kathleen at Mozilla has reported that she is having trouble dealing with
>> Trustwave question because she doesn't know how many other CAs have
>> issued sub-roots that do MITMs.
>>
>> Zero, one, a few or many?
>>
>> I've sent a private email out to those who might have had some direct
>> exposure.  If there are any others that might have some info, feel free
>> to provide evidence to kwil...@mozilla.com or to me if you want it
>> suitably anonymised.
>>
>> If possible, the name of the CA, and the approximate circumstance.  Also
>> how convinced you are that it was a cert issued without the knowledge of
>> the owner.  Or any information really...
>>
>> Obviously we all want to know who and how many ... but right now is not
>> the time to repeat demands for full disclosure.  Right now, vendors need
>> to decide whether they are dropping CAs or not.
>>
>> iang


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

On 02/14/2012 04:20 PM, Adam Back wrote:
> My point is this - say you are the CEO of a CA.  Do you want to bet
> your entire company on no one ever detecting nor reporting the MITM
> sub-CA that you issued?  I wouldn't do it.  All it takes is one savvy
> or curious guy in a 10,000 person company.
> 
> Consequently if there are any other CAs that have done this, they now
> know mozilla and presumably other browsers are on to them and they
> need to revoke any mitm sub-CA certs and stop doing it or they risk
> their CA going bankrupt like with diginotar.

Yes, I got that. I just think it's not how a normal CEO would react if
TrustWave had been kicked out *after* confessing what they'd done. If
that confession had been met with punishment, CAs would have had only an
incentive to hide, but not to make further confessions. That's why I
said I like Marsh's proposal: incentives are now to make up for past
mistakes, *and* take precautions they are not repeated. That's a net
gain in security for everyone, and that's why I was against kicking out
TrustWave.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Adam Back

My point is this - say you are the CEO of a CA.  Do you want to bet your
entire company on no one ever detecting nor reporting the MITM sub-CA that
you issued?  I wouldn't do it.  All it takes is one savvy or curious guy in a
10,000 person company.

Consequently if there are any other CAs that have done this, they now know
mozilla and presumably other browsers are on to them and they need to revoke
any mitm sub-CA certs and stop doing it or they risk their CA going
bankrupt like with diginotar.

Adam

On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:

> If all users used a tool like Crossbear that does automatic reporting,
> yes. But tools like that are a recent development (and so is
> Convergence, even though it was predated by Perspectives).
>
> More importantly, however, how capable do you judge users to be? How
> wide-spread do you expect such tools to become? Most users wouldn't know
> what to look for in the beginning, and they would much less care.
>
> Following your argument, in fact, we should have a large DB with Mitm
> certs and incidents already. We don't - but not because CAs would not
> have issued Mitm certs for Sub-CAs, surely?
>
> No, CAs would try to hide the fact that they have issued certs that are
> good for Mitm a corporate network. Some big CAs -- too big to fail even,
> maybe, and what about them? -- have not yet publicly stated that they
> have never issued such certs. I think giving them a chance at amnesty is
> a better strategy.
>
> Ralph
>
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF






Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Hi,

> Well I am not sure how they can hope to go very far underground.  Any and
> all users on their internal network could easily detect and anonymously
> report the mitm cert for some public web site without any significant risk
> of it being tracked back to them.  Game over.  So removal of one CA from a
> major browser like mozilla would pretty much end this practice if it is
> true
> that any CAs other than trustwave actually did this...

If all users used a tool like Crossbear that does automatic reporting,
yes. But tools like that are a recent development (and so is
Convergence, even though it was predated by Perspectives).

More importantly, however, how capable do you judge users to be? How
wide-spread do you expect such tools to become? Most users wouldn't know
what to look for in the beginning, and they would much less care.

Following your argument, in fact, we should have a large DB with Mitm
certs and incidents already. We don't - but not because CAs would not
have issued Mitm certs for Sub-CAs, surely?

No, CAs would try to hide the fact that they have issued certs that are
good for Mitm a corporate network. Some big CAs -- too big to fail even,
maybe, and what about them? -- have not yet publicly stated that they
have never issued such certs. I think giving them a chance at amnesty is
a better strategy.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF





Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Adam Back

Well I am not sure how they can hope to go very far underground.  Any and
all users on their internal network could easily detect and anonymously
report the mitm cert for some public web site without any significant risk
of it being tracked back to them.  Game over.  So removal of one CA from a
major browser like mozilla would pretty much end this practice if it is true
that any CAs other than trustwave actually did this...

Adam

On Tue, Feb 14, 2012 at 11:40:06AM +0100, Ralph Holz wrote:

> Ian,
>
> Actually, we thought about asking Mozilla directly and in public: how
> many such CAs are known to them? I'd have thought that some would have
> disclosed themselves to Mozilla after the communication of the past few
> weeks. Your mail makes it seem as if that was not the case, or not to a
> satisfying degree. Which makes me support Marsh Ray's one-strike
> proposal even more strongly: issuing a death sentence to a CA who has
> disclosed is counter-productive. It will drive the others deeper into
> hiding.
>
> You know, I can't help but think of the resemblance to the real world
> death penalty for humans - AFAICT it does not seem to deter criminals.
>
> Ralph
>
> On 02/14/2012 03:31 AM, ianG wrote:
>
>> Hi all,
>>
>> Kathleen at Mozilla has reported that she is having trouble dealing with
>> Trustwave question because she doesn't know how many other CAs have
>> issued sub-roots that do MITMs.
>>
>> Zero, one, a few or many?
>>
>> I've sent a private email out to those who might have had some direct
>> exposure.  If there are any others that might have some info, feel free
>> to provide evidence to kwil...@mozilla.com or to me if you want it
>> suitably anonymised.
>>
>> If possible, the name of the CA, and the approximate circumstance.  Also
>> how convinced you are that it was a cert issued without the knowledge of
>> the owner.  Or any information really...
>>
>> Obviously we all want to know who and how many ... but right now is not
>> the time to repeat demands for full disclosure.  Right now, vendors need
>> to decide whether they are dropping CAs or not.
>>
>> iang
>
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF








Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-14 Thread William Allen Simpson

On 2/13/12 3:43 PM, d...@geer.org wrote:

> Two refs, one confirmed, one hearsay
>
> 1. J. Beeson, CISO, GE Capital has a standard stump speech,
> "I don't buy your shoes, why should I buy your computer?"
>
> 2. Sec. Napolitano is said to have bought the iPad she is
> regularly seen with using her own money.


The latter is actually a fairly long-standing practice in Congress,
going back to the '90s.  My member was probably the first carrying
around her own (Mac) laptop.  Because of various ethics rules, to
use the same device for campaign and office and personal, she was
required to buy it herself.

Because of the lack of cooperation between providers, it gave folks
some headaches -- offices were required to contract out the IT to
one of several approved 3rd parties, yet the House administration
ran the internal network itself, and campaign was an entirely
different entity.  Essentially, each office was operated as a
separate corporation.

(This was before widespread shared WiFi.)  Once it became obvious
the Republicans in control were intercepting email carried over
the administrative network between offices, everything had to
run over VPN.

But after they worked it out, it became fairly standard, at least on
the Democratic side of the aisle.

Cell phones, on the other hand, never quite managed.  She had to
carry two all the time, one for campaign and personal and one for
official business.


Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Ralph Holz
Ian,

Actually, we thought about asking Mozilla directly and in public: how
many such CAs are known to them? I'd have thought that some would have
disclosed themselves to Mozilla after the communication of the past few
weeks. Your mail makes it seem as if that was not the case, or not to a
satisfying degree. Which makes me support Marsh Ray's one-strike
proposal even more strongly: issuing a death sentence to a CA who has
disclosed is counter-productive. It will drive the others deeper into
hiding.

You know, I can't help but think of the resemblance to the real world
death penalty for humans - AFAICT it does not seem to deter criminals.

Ralph

On 02/14/2012 03:31 AM, ianG wrote:
> Hi all,
> 
> Kathleen at Mozilla has reported that she is having trouble dealing with
> Trustwave question because she doesn't know how many other CAs have
> issued sub-roots that do MITMs.
> 
> Zero, one, a few or many?
> 
> I've sent a private email out to those who might have had some direct
> exposure.  If there are any others that might have some info, feel free
> to provide evidence to kwil...@mozilla.com or to me if you want it
> suitably anonymised.
> 
> If possible, the name of the CA, and the approximate circumstance.  Also
> how convinced you are that it was a cert issued without the knowledge of
> the owner.  Or any information really...
> 
> Obviously we all want to know who and how many ... but right now is not
> the time to repeat demands for full disclosure.  Right now, vendors need
> to decide whether they are dropping CAs or not.
> 
> iang


-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF


