Re: The state-level attack on the SSL CA security model

2011-03-29 Thread Crist Clark
>>> On 3/29/2011 at 12:30 AM, Florian Weimer  wrote:
> * Crist Clark:
> 
>> Any large, well funded national-level intelligence agency
>> almost certainly has keys to a valid CA distributed with
>> any browser or SSL package. It would be trivial for the US
>> Gov't (and by extension, the whole AUSCANNZUKUS intelligence
>> community) to simply form a shell company CA that could get
>> a trusted cert in the distros or enlist a "legit" CA to do
>> their patriotic duty (along with some $$$) and give up a key.
> 
> I think this is far too complicated.  You just add your state PKI to
> the browsers, and the CPS does not require any checks on the Common
> Name, to verify it's actually somehow controlled by the certificate
> holder.  Curiously, such CAs can pass Webtrust audits.
> 
> Now I'm a realist and assume that the bureaucrats involved are just
> too incompetent to write a proper CPS (and the auditors too lazy to
> notice).  Authoring policies and paying attention to detail, should be
> second nature to them, but somehow I doubt that the FPKI (say) issues
> certificates for non-federal entities to help with ongoing FBI
> investigations.  (Same for the German government agencies who actually
> managed to get Mozilla approval for their non-CN-checking CAs.)

I would expect intelligence agencies to not use CA certificates
that are publicly associated with a gov't owned or operated CA.
It makes it too easy for the target to figure out they are being
spied on and by whom. To a lesser extent, the same goes for law
enforcement. They could not care less about being discovered after
the fact, but may not want the surveillance target to know they are
being watched.

Here's a Wired Threat Level blog entry, from just about
a year ago, about these commercially available tools for
law enforcement,

  http://www.wired.com/threatlevel/2010/03/packet-forensics/
-- 

Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387





Re: The state-level attack on the SSL CA security model

2011-03-29 Thread Florian Weimer
* Crist Clark:

> Any large, well funded national-level intelligence agency
> almost certainly has keys to a valid CA distributed with
> any browser or SSL package. It would be trivial for the US
> Gov't (and by extension, the whole AUSCANNZUKUS intelligence
> community) to simply form a shell company CA that could get
> a trusted cert in the distros or enlist a "legit" CA to do
> their patriotic duty (along with some $$$) and give up a key.

I think this is far too complicated.  You just add your state PKI to
the browsers, and the CPS does not require any checks on the Common
Name, to verify it's actually somehow controlled by the certificate
holder.  Curiously, such CAs can pass Webtrust audits.

Now I'm a realist and assume that the bureaucrats involved are just
too incompetent to write a proper CPS (and the auditors too lazy to
notice).  Authoring policies and paying attention to detail, should be
second nature to them, but somehow I doubt that the FPKI (say) issues
certificates for non-federal entities to help with ongoing FBI
investigations.  (Same for the German government agencies who actually
managed to get Mozilla approval for their non-CN-checking CAs.)

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: The state-level attack on the SSL CA security model

2011-03-28 Thread Crist Clark
>>> On 3/25/2011 at  2:21 AM, Florian Weimer  wrote:
> * Roland Dobbins:
> 
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>
>>>  Disclosure devalues information.
> 
>> I think this case is different, given the perception of the cert as
>> a 'thing' to be bartered.
> 
> Private keys have been traded openly for years.  For instance, when
> your browser tells you that a web site has been verified by "Equifax"
> (exact phrasing in the UI may vary), it's just not true.  Equifax has
> sold its private key to someone else long ago, and chances are that
> the key material has changed hands a couple of times since.
> 
> I can't see how a practice that is completely acceptable at the root
> certificate level is a danger so significant that state-secret-like
> treatment is called for once end-user certificates are involved.

Any large, well funded national-level intelligence agency
almost certainly has keys to a valid CA distributed with
any browser or SSL package. It would be trivial for the US
Gov't (and by extension, the whole AUSCANNZUKUS intelligence
community) to simply form a shell company CA that could get
a trusted cert in the distros or enlist a "legit" CA to do
their patriotic duty (along with some $$$) and give up a key.

Heck, it's so easy, private industry sells this as a product
for the law enforcement community. It's an easy recipe,

  1) Go start your own CA (or buying an existing one may be
     easier, as Florian points out).
  2) Get your key put in Windows, Firefox, Opera, etc.
  3) Build an appliance that uses your key to do MIM attacks
     on the fly.
  4) Sell appliance to law enforcement (or anyone else with the
     money, maybe a smaller nation's intelligence apparatus?).
  5) Profit!

Just Google around for commercial products aimed at LI that
have this capability.

Commercial SSL/TLS, i.e. using built-in CAs, offers no
protection against nation-states at the intelligence or law
enforcement level.
-- 

Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387





Re: The state-level attack on the SSL CA security model

2011-03-26 Thread Ariel Biener

On 25/03/2011 6:45 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 25 Mar 2011 09:19:52 PDT, "Akyol, Bora A" said:
>> One could argue that you could try something like the facebook model (or
>> facebook itself). I can see it coming.
>> Facebook web of trust app ;-)
>
> Gee thanks.  I'm going to have nightmares for *weeks* now... :)

Based on the Facebook model:

1. Friends - people among whom are some I most probably never knew
   before, or some I would not even say hello to.
2. Trusted friends - people I actually say hello to

I think you'll need "Highly trusted friends" as a 3rd level :)

And that will hold for about 1 month, until people will start banging on
your "inner circle" virtual door, and soon enough your list of trusted
and highly trusted friends will start filling up.

What does "trusted" mean in this particular case?  There is no one list
of criteria for being "trustworthy", and some people are more trusting
than others. How would trustworthiness be measured anyhow?  How many
people signed your thing, who are also trustworthy themselves (which
means that their SIG was also signed by trustworthy people, see the
vicious circle). And would people from a certain part of the globe or
certain countries be more trustworthy based on their country
trustworthiness, or maybe on their culture being more open and trusting?

If this is to become some kind of global meaningful thing, it needs to
be standardized, so it will have the same meaning regardless of where
this is applied, and it will have straightforward means of "measuring"
trust. Is there such a standard in place?

Just for an example, we have in Israel a CA that is recognized by the
government - they are allowed to issue certificates used for signing
documents - and signing with certs issued by this CA is admissible in
court under the electronic signatures law. The government has put up a
certain standard for what a CA needs to do in order to be recognized as
trustworthy. Only one CA in Israel attained this status. Does that mean
they are trustworthy to you?  I don't think so. So it can't be a local
thing, it needs to be a global thing, and the standard needs to be
global and accepted as well.


--Ariel



Re: The state-level attack on the SSL CA security model

2011-03-26 Thread Steven Bellovin

On Mar 26, 2011, at 12:21 12AM, Franck Martin wrote:

> 
> 
> On 3/26/11 15:36 , "Joe Sniderman"  wrote:
> 
>> On 03/25/2011 11:12 PM, Steven Bellovin wrote:
>>> 
>>> On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
>>> 
>>>> One could argue that you could try something like the facebook
>>>> model (or facebook itself). I can see it coming. Facebook web of
>>>> trust app ;-)
>>>>
>>> Except, of course, for the fact that people tend to have hundreds of
>>> "friends", many of whom they don't know at all, and who achieved that
>>> status simply by asking.  You need a much stronger notion of
>>> interaction, to say nothing of what the malware in your "friends'"
>>> computers are doing to simulate such interaction.
>> 
>> Then again there are all the "friend us for a chance to win $prize"
>> gimmicks... not a far jump to "friend us, _with trust bits enabled_ for
>> a chance to win $prize"
>> 
>> Yeah sounds like a wonderful idea. :P
> 
> Wasn't PGP based on a web of trust too?
> 
Yes -- see Valdis' posting on that: 
http://mailman.nanog.org/pipermail/nanog/2011-March/034651.html


--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Franck Martin


On 3/26/11 15:36 , "Joe Sniderman"  wrote:

>On 03/25/2011 11:12 PM, Steven Bellovin wrote:
>> 
>> On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
>> 
>>> One could argue that you could try something like the facebook
>>> model (or facebook itself). I can see it coming. Facebook web of
>>> trust app ;-)
>>> 
>> Except, of course, for the fact that people tend to have hundreds of
>> "friends", many of whom they don't know at all, and who achieved that
>> status simply by asking.  You need a much stronger notion of
>> interaction, to say nothing of what the malware in your "friends'"
>> computers are doing to simulate such interaction.
>
>Then again there are all the "friend us for a chance to win $prize"
>gimmicks... not a far jump to "friend us, _with trust bits enabled_ for
>a chance to win $prize"
>
>Yeah sounds like a wonderful idea. :P

Wasn't PGP based on a web of trust too?




Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Joe Sniderman
On 03/25/2011 11:12 PM, Steven Bellovin wrote:
> 
> On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
> 
>> One could argue that you could try something like the facebook
>> model (or facebook itself). I can see it coming. Facebook web of
>> trust app ;-)
>> 
> Except, of course, for the fact that people tend to have hundreds of
> "friends", many of whom they don't know at all, and who achieved that
> status simply by asking.  You need a much stronger notion of
> interaction, to say nothing of what the malware in your "friends'"
> computers are doing to simulate such interaction.

Then again there are all the "friend us for a chance to win $prize"
gimmicks... not a far jump to "friend us, _with trust bits enabled_ for
a chance to win $prize"

Yeah sounds like a wonderful idea. :P

-- 
Joe Sniderman 



Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Steven Bellovin

On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:

> One could argue that you could try something like the facebook model (or 
> facebook itself). I can see it coming.
> Facebook web of trust app ;-)
> 
Except, of course, for the fact that people tend to have hundreds of "friends", 
many of whom they don't know at all, and who achieved that status simply by 
asking.  You need a much stronger notion of interaction, to say nothing of what 
the malware in your "friends'" computers are doing to simulate such interaction.

--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Owen DeLong

On Mar 24, 2011, at 2:44 PM, George Herbert wrote:

> On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin  wrote:
>> 
>> 
>> - Original Message -
>>> From: "Roland Dobbins" 
>>> To: "nanog group" 
>>> Sent: Friday, 25 March, 2011 9:33:27 AM
>>> Subject: Re: The state-level attack on the SSL CA security model
>>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>> 
>>>>  Disclosure devalues information.
>>> 
>>> 
>>> I think this case is different, given the perception of the cert as a
>>> 'thing' to be bartered.
>>> 
>> 
>> Isn't there any law that obliges companies to disclose security breaches that
>> involve consumer data?
> 
> I don't think SSL certs are consumer data, per se.
> 
No, but, a weak SSL cert in use by your company could disclose
consumer data due to its weakness.


Owen




Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Martin Millnert
On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A  wrote:
> One could argue that you could try something like the facebook model (or 
> facebook itself). I can see it coming.
> Facebook web of trust app ;-)

Indeed not very unreasonable at all, except a) it would be kind of
unfortunate if Facebook would not make the data available under
adequate conditions, b) Facebook can already infer level of
relationships between people based on a whole lot of their other data
(it's kind of what makes them spin).  I agree in seeing it coming
though: "Web-of-trust 2.0".

soBGP takes on a similar approach to securing BGP.  Not a bad idea at
all at first sight, IMHO.
Anyone knows why it died out and why other (perhaps poorer) ideas are
floating around now?

http://tools.ietf.org/html/draft-white-sobgp-architecture-02

Regards,
Martin

> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Friday, March 25, 2011 9:05 AM
> To: Akyol, Bora A
> Cc: Dobbins, Roland; nanog group
> Subject: Re: The state-level attack on the SSL CA security model
>
> On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
>> Is it far fetched to supplement the existing system with a reputation
>> based  model such as PGP? I apologize if this was discussed before.
>
> That would be great, if you could ensure the following:
>
> 1) That Joe Sixpack actually knows enough somebodies who are trustable to 
> sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's 
> just the same old CA).
>
> 2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on 
> occasion scrape unknown signatures off my PGP key on the keyservers, when 
> people I've never heard of before have signed my key "just because somebody 
> they recognized signed it").
>
> The PGP model doesn't work for users who are used to clicking everything they 
> see, whether or not they really should...
>
>
>



Re: The state-level attack on the SSL CA security model

2011-03-25 Thread =JeffH

Mozilla has now posted a more detailed accounting here..

Comodo Certificate Issue – Follow Up
03.25.11 - 08:39am
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/


=JeffH




Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Valdis . Kletnieks
On Fri, 25 Mar 2011 09:19:52 PDT, "Akyol, Bora A" said:
> One could argue that you could try something like the facebook model (or
> facebook itself). I can see it coming.
> Facebook web of trust app ;-)

Gee thanks.  I'm going to have nightmares for *weeks* now... :)




RE: The state-level attack on the SSL CA security model

2011-03-25 Thread Akyol, Bora A
Thanks

The other point I wanted to make is that not every solution is going to work for
every person. If we can improve the current state of things and make life better
for say another 50% of users, that's better than what we have now.
For example in Firefox 4, I could write an extension (if possible) that
intercepts the certificate acceptance dialog and instead does a web query to
see how many of my friends and also their friends accepted the same cert and
at least allow me to decide with more information than I am presented now.
And you could argue that this should also apply to certs signed by CAs that
are in the trust store of the web browser too.

Just thinking out loud here.


---
From: Dorn Hetzel [mailto:d...@hetzel.org] 
Sent: Friday, March 25, 2011 9:24 AM
To: Akyol, Bora A
Cc: valdis.kletni...@vt.edu; nanog group
Subject: Re: The state-level attack on the SSL CA security model

Not entirely unreasonable.  A button for "friend" and then one for "trusted 
friend" :)
On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A  wrote:
One could argue that you could try something like the facebook model (or 
facebook itself). I can see it coming.
Facebook web of trust app ;-)



-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
Sent: Friday, March 25, 2011 9:05 AM
To: Akyol, Bora A
Cc: Dobbins, Roland; nanog group
Subject: Re: The state-level attack on the SSL CA security model
On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
> Is it far fetched to supplement the existing system with a reputation
> based  model such as PGP? I apologize if this was discussed before.

That would be great, if you could ensure the following:

1) That Joe Sixpack actually knows enough somebodies who are trustable to sign 
stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the 
same old CA).

2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion 
scrape unknown signatures off my PGP key on the keyservers, when people I've 
never heard of before have signed my key "just because somebody they recognized 
signed it").

The PGP model doesn't work for users who are used to clicking everything they 
see, whether or not they really should...
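
Added example (not part of the thread, and not code from any browser or extension): a sketch of the check proposed in the message above, counting how many friends and friends-of-friends accepted the same certificate for a host. The friend graph, observation records, threshold and certificate bytes are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    observer: str   # person who accepted a certificate
    host: str       # site they were connecting to
    cert_fp: str    # SHA-256 fingerprint of the certificate they accepted


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the encoded certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def circles(me, friends):
    """Return (direct friends, friends-of-friends) for `me`.

    `friends` maps a person to the set of people they marked as friends.
    """
    direct = set(friends.get(me, ())) - {me}
    second = set()
    for f in direct:
        second |= set(friends.get(f, ()))
    return direct, second - direct - {me}


def consensus(me, host, cert_der, friends, observations, min_direct=2):
    """Compare the presented certificate with what my circles accepted."""
    fp = fingerprint(cert_der)
    direct, second = circles(me, friends)

    # One vote per observer: the list is assumed oldest-first, so a newer
    # observation for the same host replaces an older one.
    latest = {}
    for ob in observations:
        if ob.host == host:
            latest[ob.observer] = ob.cert_fp

    counts = {"direct_same": 0, "direct_other": 0, "fof_same": 0, "fof_other": 0}
    for who, seen in latest.items():
        if who in direct:
            tier = "direct"
        elif who in second:
            tier = "fof"
        else:
            continue  # people outside both circles carry no weight
        counts[tier + ("_same" if seen == fp else "_other")] += 1

    same = counts["direct_same"] + counts["fof_same"]
    other = counts["direct_other"] + counts["fof_other"]
    if same + other == 0:
        verdict = "no-data"        # nobody I know has visited this host
    elif same == 0:
        verdict = "mismatch"       # everyone I know saw a different cert
    elif other == 0 and counts["direct_same"] >= min_direct:
        verdict = "corroborated"   # enough direct friends saw this cert
    else:
        verdict = "inconclusive"   # split views, or only indirect support
    return {"fingerprint": fp, "verdict": verdict, **counts}


# --- constructed sample data (placeholder bytes, not real certificates) ---
CERT_A = b"constructed certificate bytes A"
CERT_B = b"constructed certificate bytes B"
CERT_OLD = b"constructed certificate bytes, earlier certificate"

FRIENDS = {
    "me": {"alice", "bob"},
    "alice": {"me", "carol"},
    "bob": {"me", "alice"},
    "dave": {"alice"},
}

OBSERVATIONS = [
    Observation("bob", "mail.example", fingerprint(CERT_OLD)),   # superseded
    Observation("alice", "mail.example", fingerprint(CERT_A)),
    Observation("bob", "mail.example", fingerprint(CERT_A)),
    Observation("carol", "mail.example", fingerprint(CERT_A)),
    Observation("mallory", "mail.example", fingerprint(CERT_B)),  # stranger
]

if __name__ == "__main__":
    for cert in (CERT_A, CERT_B):
        print(consensus("me", "mail.example", cert, FRIENDS, OBSERVATIONS))
```

The verdict is only an input to the user's decision; it counts people the user marked directly and treats friend-of-friend agreement as supporting evidence, never as sufficient on its own.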





Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Dorn Hetzel
Not entirely unreasonable.  A button for "friend" and then one for "trusted
friend" :)

On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A  wrote:

> One could argue that you could try something like the facebook model (or
> facebook itself). I can see it coming.
> Facebook web of trust app ;-)
>
>
>
> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Friday, March 25, 2011 9:05 AM
> To: Akyol, Bora A
> Cc: Dobbins, Roland; nanog group
> Subject: Re: The state-level attack on the SSL CA security model
>
> On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
> > Is it far fetched to supplement the existing system with a reputation
> > based  model such as PGP? I apologize if this was discussed before.
>
> That would be great, if you could ensure the following:
>
> 1) That Joe Sixpack actually knows enough somebodies who are trustable to
> sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's
> just the same old CA).
>
> 2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on
> occasion scrape unknown signatures off my PGP key on the keyservers, when
> people I've never heard of before have signed my key "just because somebody
> they recognized signed it").
>
> The PGP model doesn't work for users who are used to clicking everything
> they see, whether or not they really should...
>
>
>


RE: The state-level attack on the SSL CA security model

2011-03-25 Thread Akyol, Bora A
One could argue that you could try something like the facebook model (or 
facebook itself). I can see it coming.
Facebook web of trust app ;-)

 

-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] 
Sent: Friday, March 25, 2011 9:05 AM
To: Akyol, Bora A
Cc: Dobbins, Roland; nanog group
Subject: Re: The state-level attack on the SSL CA security model

On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
> Is it far fetched to supplement the existing system with a reputation 
> based  model such as PGP? I apologize if this was discussed before.

That would be great, if you could ensure the following:

1) That Joe Sixpack actually knows enough somebodies who are trustable to sign 
stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the 
same old CA).

2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion 
scrape unknown signatures off my PGP key on the keyservers, when people I've 
never heard of before have signed my key "just because somebody they recognized 
signed it").

The PGP model doesn't work for users who are used to clicking everything they 
see, whether or not they really should...




Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Valdis . Kletnieks
On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
> Is it far fetched to supplement the existing system with a reputation based
>  model such as PGP? I apologize if this was discussed before.

That would be great, if you could ensure the following:

1) That Joe Sixpack actually knows enough somebodies who are trustable to sign
stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the
same old CA).

2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion
scrape unknown signatures off my PGP key on the keyservers, when people I've
never heard of before have signed my key "just because somebody they recognized
signed it").

The PGP model doesn't work for users who are used to clicking everything they
see, whether or not they really should...





RE: The state-level attack on the SSL CA security model

2011-03-25 Thread Akyol, Bora A
What other choice does the public have? By locking them into the current trust 
model (for good or bad), the community has created this mess.

Is it far fetched to supplement the existing system with a reputation based 
model such as PGP? I apologize if this was discussed before.


-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net] 
Sent: Thursday, March 24, 2011 3:28 AM
To: nanog group
Subject: Re: The state-level attack on the SSL CA security model

...
Unfortunately, the general public neither know, understand, or care about such 
things.  They happily click 'I Understand the Risks' or whatever the button 
says in their browsers of choice to accept self-signed certificates all the 
time.

...



Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Dobbins, Roland

On Mar 25, 2011, at 5:21 PM, Florian Weimer wrote:

> I can't see how a practice that is completely acceptable at the root 
> certificate level is a danger so significant that state-secret-like
> treatment is called for once end-user certificates are involved.

Again, I don't know enough about what happened to form an opinion one way or 
another.  I'm just setting forth some reasons which spring to mind for not 
announcing this immediately, that's all.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Joakim Aronius
* George Herbert (george.herb...@gmail.com) wrote:
> Back on original point - if the *actual effective* model of browser
> security is browsers with an internal revoked cert list - then there's
> a case to be made that a pre-announcement in private to the browser
> vendors, enough time for them to spin patches, and then widespread
> public discussion is the most responsible model approach.  The public
> knowing before their browser knows how to handle the bad cert isn't
> helpful, unless you can effectively tell people how to get their
> browser to actually go verify every cert.
>

No. In the case of a remote exploitable hole in the client OS I agree, then the 
user can do nothing and will benefit if there is a patch before the knowledge 
of the problem is spread. But in this case it is a security hole in the server 
side. IF users are informed they can avoid using the service and thus avoid the 
risk. (And if the risk is to be on the wrong end of a stick, at least I would 
appreciate a warning.)

So what about a general warning that secure communication with site X, Y and Z 
could be compromised? Maybe even a big warning on the sites themselves to give a 
warning before you login? (It could be removed by a 'man in the middle', but it 
would spread the word.)

I wonder why that didn't happen..

/J



Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Florian Weimer
* Roland Dobbins:

> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>
>>  Disclosure devalues information.

> I think this case is different, given the perception of the cert as
> a 'thing' to be bartered.

Private keys have been traded openly for years.  For instance, when
your browser tells you that a web site has been verified by "Equifax"
(exact phrasing in the UI may vary), it's just not true.  Equifax has
sold its private key to someone else long ago, and chances are that
the key material has changed hands a couple of times since.

I can't see how a practice that is completely acceptable at the root
certificate level is a danger so significant that state-secret-like
treatment is called for once end-user certificates are involved.

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Danny O'Brien
On Thu, Mar 24, 2011 at 7:09 AM, Harald Koch  wrote:
> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>>
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
>
> This story strikes me as a success - the certs were revoked immediately, and
> it took a surprisingly short amount of time for security fixes to appear all
> over the place.
>
>>  In some places, failure of internet security means people die
>
> Those people know that using highly visible services like gmail and skype is
> asking to be exposed...

This is definitively not true. There is no evidence of the active use
of these services (or circumvention systems to reach them) being used
as evidence or an indication that a particular target should be
detained, threatened or punished, in Iran in particular and actually
globally. I say this, because such evidence would actually reinforce
some security recommendations that I and other human rights groups
have made, so I'm always on the look out for it.

On the other hand, both gmail and Skype are used by many individuals
on the assumption that they are more secure than the alternatives
(non-SSL protected webmail or those with servers in local
jurisdictions; unencrypted instant messaging clients). You can argue
about whether these tools *are* more protective, but you certainly
can't say that these high-risk groups use them on the understanding
they can expect the same level of knowledge or retribution by their
adversaries than if these systems were openly surveillable.

A security breach like this makes the details of specific
communications readable, which also places people who do *not* use
these tools at far more risk also.

I'm personally not yet convinced that the attackers in this case were
the Iranian state; that's something that is incredibly hard to
ascertain, and I'm surprised Comodo were so quick to draw this
conclusion. Even if these attacks came from Iran, that could be for
false flag reasons, plus as others have pointed out, criminals have as
much interest in obtaining these certificates as the Iranian state --
although factions within the Iranian government could certainly be
potential clients. Other states might have an interest too. Just
because you have an organisation with CA authority within the reach of
a government doesn't mean you'd want to use those signing powers when
dealing with dissidents.

The arguments on NANOG about why non-disclosure in this case might
have been a good idea I think contribute to the debate.

Nonetheless, I'd strongly urge anyone not to assume that activists and
journalists at physical risk in states like Iran assume that risk by
using specific tools, or that major (if temporary) failures in the PKI
structure don't put them and their colleagues at far greater risk.

Best,

d.

Danny O'Brien,
Committee to Protect Journalists
https://cpj.org/internet

>
> --
> Harald
>
>
>
>



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread George Herbert
On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin  wrote:
>
>
> - Original Message -
>> From: "Roland Dobbins" 
>> To: "nanog group" 
>> Sent: Friday, 25 March, 2011 9:33:27 AM
>> Subject: Re: The state-level attack on the SSL CA security model
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>
>> >  Disclosure devalues information.
>>
>>
>> I think this case is different, given the perception of the cert as a
>> 'thing' to be bartered.
>>
>
> Isn't there any law that obliges companies to disclose security breaches that
> involve consumer data?

I don't think SSL certs are consumer data, per se.

Back on original point - if the *actual effective* model of browser
security is browsers with an internal revoked cert list - then there's
a case to be made that a pre-announcement in private to the browser
vendors, enough time for them to spin patches, and then widespread
public discussion is the most responsible model approach.  The public
knowing before their browser knows how to handle the bad cert isn't
helpful, unless you can effectively tell people how to get their
browser to actually go verify every cert.



-- 
-george william herbert
george.herb...@gmail.com



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Franck Martin


- Original Message -
> From: "Roland Dobbins" 
> To: "nanog group" 
> Sent: Friday, 25 March, 2011 9:33:27 AM
> Subject: Re: The state-level attack on the SSL CA security model
> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
> 
> >  Disclosure devalues information.
> 
> 
> I think this case is different, given the perception of the cert as a
> 'thing' to be bartered.
> 

Isn't there any law that obliges companies to disclose security breaches that
involve consumer data?



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dobbins, Roland

On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:

>  Disclosure devalues information.


I think this case is different, given the perception of the cert as a 'thing' 
to be bartered.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Brian Keefer

On Mar 24, 2011, at 7:09 AM, Harald Koch wrote:

> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
> 
> This story strikes me as a success - the certs were revoked immediately, and 
> it took a surprisingly short amount of time for security fixes to appear all 
> over the place.
> 
> 
> -- 
> Harald

I'd hardly call the fact that it required manual blacklist patches to every 
browser a "success".  SSL is a failure if real revocation requires creating a 
patch for browsers and relying on users to install it.

--
bk



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Richard Barnes
Which is especially funny since Comodo is citing the fact that they've
had no OCSP requests for the bad certs as evidence that they haven't
been used.

--Richard



On Thu, Mar 24, 2011 at 10:53 AM, Tony Finch  wrote:
> Harald Koch  wrote:
>>
>> This story strikes me as a success - the certs were revoked immediately, and
>> it took a surprisingly short amount of time for security fixes to appear all
>> over the place.
>
> It would have been much easier if certificate revocation actually worked
> properly.
>
> http://www.imperialviolet.org/2011/03/18/revocation.html
>
> Tony.
> --
> f.anthony.n.finch    http://dotat.at/
> Viking, North Utsire, South Utsire: Westerly veering northerly, 4 or 5,
> occasionally 6 at first. Moderate or rough. Occasional rain. Moderate or good,
> occasionally poor at first.
>
>



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Christopher Morrow
On Thu, Mar 24, 2011 at 6:19 AM, Joakim Aronius  wrote:
> IF the speculations about a specific nation are true then there is a risk that 
> people there run real (like physical) risks by using e.g. yahoo the last few 
> days. They would have appreciated being informed.

if speculation is true, then all bets are off, and telling anyone
isn't necessarily going to help those under the thumb of the
speculated attacker

just sayin!

(also, vote now, vote often for dane-wg to get its work done...
dns-sec secured key fingerprints for ssl certs)



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dan White

On 24/03/11 10:09 -0400, Harald Koch wrote:
> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
>
> This story strikes me as a success - the certs were revoked 
> immediately, and it took a surprisingly short amount of time for 
> security fixes to appear all over the place.


The point is that the 'short amount of time' should have been zero (from
the time of the update of the CRL) which would have allowed an immediate
announcement of the revocation to the public, with sufficient details for
the public to make educated decisions about their internet usage.

But because the CRL publication did not facilitate that, due to whatever
deficiency there existed in the protocol or in browser implementations,
announcement had to be delayed, providing a small group of attackers a
larger window than necessary to compromise information.

--
Dan White



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Tony Finch
Harald Koch  wrote:
>
> This story strikes me as a success - the certs were revoked immediately, and
> it took a surprisingly short amount of time for security fixes to appear all
> over the place.

It would have been much easier if certificate revocation actually worked
properly.

http://www.imperialviolet.org/2011/03/18/revocation.html

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Viking, North Utsire, South Utsire: Westerly veering northerly, 4 or 5,
occasionally 6 at first. Moderate or rough. Occasional rain. Moderate or good,
occasionally poor at first.



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Leif Nixon
Harald Koch  writes:

> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
>
> This story strikes me as a success - the certs were revoked
> immediately, and it took a surprisingly short amount of time for
> security fixes to appear all over the place.

But revocation doesn't work, and people don't install updates, so this
is only a *theoretical* success.

-- 
Leif Nixon - Security officer
National Supercomputer Centre - Swedish National Infrastructure for Computing
Nordic Data Grid Facility - European Grid Infrastructure



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Harald Koch

On 3/23/2011 11:05 PM, Martin Millnert wrote:
> To my surprise, I did not see a mention in this community of the
> latest proof of the complete failure of the SSL CA model to actually
> do what it is supposed to: provide security, rather than a false sense
> of security.


This story strikes me as a success - the certs were revoked immediately, 
and it took a surprisingly short amount of time for security fixes to 
appear all over the place.


>  In some places, failure of internet security means people die

Those people know that using highly visible services like gmail and 
skype is asking to be exposed...


--
Harald




Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Florian Weimer
* Roland Dobbins:

> A wider swathe of interested parties would know of their existence,
> and their existence would be officially confirmed, which would make
> them more valuable.

This is at odds with what happens in other contexts.  Disclosure
devalues information.

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dobbins, Roland

On Mar 24, 2011, at 6:19 PM, Joakim Aronius wrote:

> Surely the value of stolen certs is higher if the public do not know that 
> they exist.


A wider swathe of interested parties would know of their existence, and their 
existence would be officially confirmed, which would make them more valuable.

Unfortunately, the general public neither know, understand, or care about such 
things.  They happily click 'I Understand the Risks' or whatever the button 
says in their browsers of choice to accept self-signed certificates all the 
time.

I don't know enough details of what actually transpired to have an actual 
opinion on the Comodo situation one way or another; but I can see both sides of 
the argument.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Joakim Aronius
* Dobbins, Roland (rdobb...@arbor.net) wrote:
> 
> On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
> 
> > Announcing this high and loud even before fixes were available would not 
> > have exposed more users to threats, but less.
> 
> 
> An argument against doing this prior to fixes being available is that 
> miscreants who didn't know about this previously would be alerted to the 
> possibility of using one of these certs (assuming they could get their hands 
> on one) in conjunction with name resolution manipulation.

The fix here is to delete the compromised UID and revoke the certs, that's done 
immediately, then inform the public, no reason to wait after that. IF the 
speculations about a specific nation are true then there is a risk that people 
there run real (like physical) risks by using e.g. yahoo the last few days. 
They would have appreciated being informed.
> 
> Note that announcing this prior to fixes would've dramatically increased the 
> resale value of these certificates in the underground economy, making them 
> much more attractive/lucrative.
Why? Surely the value of stolen certs is higher if the public do not know that 
they exist.

/Joakim




Re: The state-level attack on the SSL CA security model

2011-03-23 Thread Dobbins, Roland

On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:

> Announcing this high and loud even before fixes were available would not have 
> exposed more users to threats, but less.


An argument against doing this prior to fixes being available is that 
miscreants who didn't know about this previously would be alerted to the 
possibility of using one of these certs (assuming they could get their hands on 
one) in conjunction with name resolution manipulation.

Note that announcing this prior to fixes would've dramatically increased the 
resale value of these certificates in the underground economy, making them much 
more attractive/lucrative.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde