Anonymous Source Claims Feds Demand Private SSL Keys From Web Services 276
Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications."
If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.
A "problem," you say? (Score:3, Insightful)
Of course encryption is a problem for them. It's the same problem Allied intelligence had acting on information that could only be attained because Enigma was broken. [wikipedia.org]
Re:Self signed? (Score:2, Insightful)
In some situations yes, but in those same situations I don't think this news really changes anything (where you set up the cert yourself on one of your own servers for use by yourself, for instance). Otherwise this just means that these certs are slightly less secure because governments have a copy. If you're connecting to a strange server, it may be better to have a signed cert because they're still not quite as easy to come by as a self-signed one.
In any case this doesn't change the old fact that a self-signed cert is at least as good as an unsecured connection and browsers should stop throwing a shit-fit when they run into one.
Re:"Main-in-the-middle"? (Score:5, Insightful)
It's not a "man in the middle" attack. It's the "government on top" attack.
Oh the land of the free ... (Score:2, Insightful)
So the next time the US wants to chastise another country for spying on their citizens, the response is going to be "go away you hypocritical assholes".
America has lost her moral compass, and is quickly turning into a police state.
Papers please comrade.
How is this "confirmation"? (Score:3, Insightful)
>> "The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.
So...some guy said "yes, they're collecting keys." No written evidence, no names. We demand "citation" from people posting backstories of cartoon characters on Wikipedia, so how exactly is this "confirmation" of anything?
Re:Self signed? (Score:5, Insightful)
No. When a CA signs a certificate, they don't get the private key used for decryption. They just assert that a particular public key really does belong to who it says.
If the NSA has Verisign's key, for example, they'd be able to do two things:
The latter is where the man-in-the-middle attack comes in. The NSA can claim to be whoever you're trying to reach, and the certificate will look valid and be trusted by default on any system that trusts Verisign. On the other hand, a self-signed certificate isn't signed by anybody else. The NSA doesn't need anyone else's private keys to make their own and claim to be anyone. The client will see the certificate, ask you if you trust it, and unless you're in the habit of memorizing certificate fingerprints, you won't notice a difference. Once any certificate is trusted (either by default or by your acceptance), your traffic will be sent to (and decrypted by) the certificate holder.
This is actually already a problem. CAs have been compromised, and their stolen credentials have been used to sign certificates claiming to be governments, Microsoft, and other generally-trusted sites. The apparently-trusted certificates are then used to make scams look more legitimate.
Re:Oh the land of the free ... (Score:2, Insightful)
america has been a police state ruled by fear for some time now, your among the most oppressed people in the world but its balanced by ignorance, its taken you guys this long to notice.
Re:How is this "confirmation"? (Score:5, Insightful)
Do you really expect people to say this publicly, when the most likely consequence is imprisonment and a media circus that paints them as evil villains?
Re:Self signed? (Score:4, Insightful)
Re:"Main-in-the-middle"? (Score:5, Insightful)
I chose "the activities of a citizen" as a way to say "what we do, not who we are". Keeping "who we are" records: birth certificates, permits licensing of various kinds, etc, is different in kind from monitoring daily activities. But I'm no lawyer and don't know how to say this better.
Also, why does the government need "census data" beyond a simple headcount? Heck, I'd like to move to an income tax system that's purely a payroll tax (so the government doesn't learn how much any given individual makes, but can still tax our income).
The government collects every bit of information it possibly can, but it's time to start saying "NO! Find a way to do that without spying on us!" It's time for the pendulum to swing the other way.