Secure website?… maybe not


Richard Moore

Bcc: contributors

Law Enforcement Appliance Subverts SSL


That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

The company in question is known as Packet Forensics, which advertised its new man-in-the-middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington, D.C., wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will.” And, “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

Packet Forensics doesn’t advertise the product on its website, and when contacted by, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.

“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”

Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company’s server can eavesdrop on the data. Normal HTTP traffic can be read by anyone in between — your ISP, a wiretap at your ISP, or in the case of an unencrypted Wi-Fi connection, by anyone using a simple packet-sniffing tool.

In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities — companies that promise to check a website operator’s credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website’s server, guaranteeing that the website is actually owned by Bank of America. Browser makers have accredited more than 100 Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid.

To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by using a special character in a domain name.

“It is not hard to do these attacks,” said Seth Schoen, an EFF staff technologist. “There is software that is being published for free among security enthusiasts and underground that automate this.”

China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China’s firewall censorship. All they’d need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance.

In all, Mozilla’s Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more — all of which are equally trusted by the browser.

The list of trusted root authorities includes the United Arab Emirates-based Etilisat, a company that was caught last summer secretly uploading spyware onto 100,000 customers’ BlackBerries.

Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper on the risks (.pdf) Wednesday, and promises he will soon release a Firefox add-on to notify users when a site’s certificate is issued from an authority in a different country than the last certificate the user’s browser accepted from the site.

EFF’s Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate. Currently, browsers warn users when they encounter a certificate that doesn’t belong to a site, but many people simply click through the multiple warnings.

“The basic point is that in the status quo there is no double check and no accountability,” Schoen said. “So if Certificate Authorities are doing things that they shouldn’t, no one would know, no one would observe it. We think at the very least there needs to be a double check.”

EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet — in case a user’s local ISP has been compromised, either by a criminal or a government agency using something like Packet Forensics’ appliance.

One of the most interesting questions raised by Packet Forensics’ product is how often do governments use such technology and do Certificate Authorities comply? Christine Jones, the general counsel for Go Daddy — one of the net’s largest issuers of SSL certificates — says her company has never gotten such a request from a government in her eight years at the company. 

“I’ve read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake’ SSL certificate,” Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. “Theoretically it would work, but the thing is we get requests from law enforcement every day, and in entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate.”

VeriSign, the net’s largest Certiicate Authority, echoes GoDaddy.

“Verisign has never issued a fake SSL certificate, and to do so would be against our policies,” said vice president Tim Callan.

Matt Blaze notes that domestic law enforcement can get many records, such as a person’s Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data.

Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail — which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) — they could install one of Packet Forensics’ boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customer’s Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they’d been found out.

Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL.

“I still lock my doors even though I know how to pick the lock,” Blaze said.

Update 15:55 Pacific: The story was updated with comment from Verisign.

Image: Detail from Packet Forensics brochure.

See Also: