Encryption

Anonymous Source Claims Feds Demand Private SSL Keys From Web Services 276

Lauren Weinstein writes "With further confirmation of the longstanding rumor that the U.S. government (and, we can safely assume, other governments around the world) have been pressuring major Internet firms to provide their 'master' SSL keys for government surveillance purposes, we are rapidly approaching a critical technological crossroad. It is now abundantly clear — as many of us have suspected all along — that governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications." If this is true it means that SSL/TLS to any Internet service could be useless — the authorities could simply man-in-the-middle anyone. Without knowing who has given keys over, or if anyone has given keys over... The NSA does claim encryption poses a problem for them, but honesty isn't their best attribute. The source claims that major providers at least have resisted (assuming it is happening), but that smaller companies may have folded to the pressure.

  • Self signed? (Score:5, Interesting)

    by Ubi_NL ( 313657 ) <(moc.liamg) (ta) (pohcsneb.siroj)> on Wednesday July 24, 2013 @02:45PM (#44372683) Journal

    Does this mean a self-signed certificate is more secure than a commercial one?

  • Re:Self signed? (Score:5, Interesting)

    by MightyMartian ( 840721 ) on Wednesday July 24, 2013 @02:54PM (#44372763) Journal

    Yes, providing you can guarantee the security of the private keys, if you're concerned about government(s) spying on your communications, that is definitely the way to go.

    For our organization, due to the highly confidential nature of some of our data and communications, I am about to build a machine that will have no network connection whatsoever that will hold the CA and private keys, and will use it to produce public keys for our VPN, mail server, web services and the like. The server will be behind lock and key and locked down with LUKS, and the keys for that will be held in a separate location. Obviously nothing is 100%, but it's going to take physical access to the server and to the private keys to compromise the system.

  • by Midnight_Falcon ( 2432802 ) on Wednesday July 24, 2013 @02:59PM (#44372837)
    Many have assumed for a long time that root SSL certificates have been provided by American CAs (GoDaddy, VeriSign, Network Solutions etc), but what about foreign ones? StartSSL is Israel-based, so it can be assumed the Israeli government has the root key. What about SwissSign, based in Switzerland and run by the Swiss Post? :)
  • by lgw ( 121541 ) on Wednesday July 24, 2013 @03:01PM (#44372859) Journal

    The larger issue IMO is

    governments and surveillance agencies of all stripes — Western, Eastern, democratic, and authoritarian, will pour essentially unlimited funds into efforts to monitor Internet communications.

    We haven't had a constitutional amendment in the US for some time now. We need one here. Forget specific technologies and the bizarre precedents that have twisted the 4th to allow this - we need a major reset.

    Something like "The government shall not collect or store any information, even publicly available information, about the activities of a citizen except upon issuance of a warrant; said warrant shall only issue upon evidence that a specific individual has committed a specific crime."

    I can accept a lower bar for "collecting and storing information" than for "searching" but there must be some bar to clear.

  • by ron_ivi ( 607351 ) <<moc.secivedxelpmocpaehc> <ta> <ontods>> on Wednesday July 24, 2013 @03:05PM (#44372903)
    The US DoD shares your opinion. https://www.my.af.mil/afp/netstorage/login_page_files/afportal_faqs.html [af.mil] Looks like a self-signed cert not issued by any commercial vendor in the default browser lists.
  • by DickBreath ( 207180 ) on Wednesday July 24, 2013 @03:06PM (#44372913) Homepage
    In some cold war police states half the population was employed to spy on the other half. No wonder their economies sucked.
  • Will this do it? (Score:5, Interesting)

    by Taantric ( 2587965 ) on Wednesday July 24, 2013 @03:15PM (#44372987)

    If this does not kill off the cloud or at least seriously damage the business model, I think it would be safe to say human apathy has reached critical mass and we deserve everything that is coming in the next 20-30 years.

  • Re:Self signed? (Score:4, Interesting)

    by Znork ( 31774 ) on Wednesday July 24, 2013 @03:26PM (#44373115)

    There's always the Convergence project (based on the previous Perspectives CMU work).

    Basically, instead of CAs you have notary servers that track changes to certificates and that you (your browser) contacts to verify that they and you are seeing the same certificates.

    That way, if a MITM attack is ongoing it will, if targeting you specifically, probably show a discrepancy between the certificate presented to you and the one presented to them. If targeting the specific website and MITM'ing all connections to it the only demonstration of a problem might be that the site suddenly appears to have a new certificate, but that would still most likely alert site operators who may be surprised to note a change they didn't do.
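
The two cases in the comment above (a mismatch seen only by one client, versus a certificate that is new for everyone) can be told apart with a small comparison routine. This is an added example, not part of the original comment and not Convergence's or Perspectives' own code or protocol; the function names, notary host names, quorum policy and sample byte strings are all assumptions made for illustration.

```python
import hashlib
from collections import Counter

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

def notary_verdict(local_fp, notary_fps, history, quorum=0.75):
    """Classify the certificate this client was shown.

    local_fp   -- fingerprint seen on this client's own connection
    notary_fps -- {notary: fingerprint it sees, or None if unreachable}
    history    -- fingerprints previously recorded for this site
    quorum     -- fraction of responding notaries that must agree
                  (assumed policy, not taken from any real notary client)
    """
    seen = [fp for fp in notary_fps.values() if fp is not None]
    if not seen:
        return "no-notary-data"
    top_fp, votes = Counter(seen).most_common(1)[0]
    if votes / len(seen) < quorum:
        return "notaries-disagree"
    if local_fp != top_fp:
        # Notaries on other network paths see a different certificate:
        # consistent with interception close to this client.
        return "local-mismatch"
    if history and local_fp not in history:
        # Everyone sees the same certificate, but it is new for this site:
        # a legitimate rotation, or interception close to the server.
        return "changed-everywhere"
    return "consistent"

# Constructed sample data: stand-in byte strings, not real certificates.
SITE_CERT = b"constructed-der-bytes-site-cert"
OTHER_CERT = b"constructed-der-bytes-unexpected-cert"
NEW_CERT = b"constructed-der-bytes-site-cert-rotated"
NOTARIES = ("notary-a.example", "notary-b.example", "notary-c.example")

def demo():
    good, other, new = map(fingerprint, (SITE_CERT, OTHER_CERT, NEW_CERT))
    all_good = dict.fromkeys(NOTARIES, good)
    split = {NOTARIES[0]: good, NOTARIES[1]: other, NOTARIES[2]: None}
    return {
        "normal": notary_verdict(good, all_good, {good}),
        "targeted client": notary_verdict(other, all_good, {good}),
        "whole site": notary_verdict(new, dict.fromkeys(NOTARIES, new), {good}),
        "split view": notary_verdict(good, split, {good}),
    }
```

The "changed-everywhere" result cannot by itself distinguish a routine key rotation from site-wide interception, which is why the comment relies on the site operator noticing a change they did not make.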

  • by pixelpusher220 ( 529617 ) on Wednesday July 24, 2013 @05:13PM (#44374343)
    Couldn't somebody like the EFF or ACLU create a certificate that people could trust? Yes it's a manual thing, but given that the automatic system (was likely previously) and is now utterly untrustworthy, it seems that manual type of update might become necessary until we can get Firefox and other open source OS/apps to add it in automatically?
