https - hopefully not too stupid a question

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Jun 17 14:57:42 BST 2012


Francis Davey wrote:
> This is the first question I have initiated on this group, so I hope
> it does not seem to be too foolish a query.
> 
> Reading:
> 
> http://fsfe.org/news/2012/news-20120616-01.html
> 
> I wondered to what extent the government could put a framework in
> place to avoid some of these, in particular the use of https. Could
> the government set things up within the UK so that certificates were
> forged so that they were able to intercept https in transit?

Yes, but they would get caught if they did it surreptitiously and often.

Either by certificate comparisons performed by the occasional nerd or 
security company, or by the black boxes at the ISPs - a black box which 
simply acts as a tap on the line would have different traffic 
characteristics, which the ISP would notice, as they measure traffic for 
peering and payment purposes.

There are a couple of other ways they might get caught too.

> Assume that the Bill gives them the legal power to require anyone in
> the UK to do anything in order to facilitate obtaining comms data
> could they use that power to require someone/anyone to issue
> certificates purporting to be for sites (like facebook)? I am not sure
> how easy it is for a state actor to do this in a way that will affect
> ordinary people.

Once caught, the offending certificate could be traced to the issuing 
CA, who would then risk getting excluded from the major browsers' 
"trusted CA" lists - death for a CA.

Something perhaps much more interesting, in the Chinese proverbial sense 
of the word, would be for the gubbmint to obtain the private keys for 
the websites visited. Once they have those they can easily work out the 
session keys used just from looking at traffic, without modifying it 
(unless a DHE SSL/TLS suite [1] is used).

They could demand the keys from the websites, if they have a UK 
presence, under RIPA part 3 (if the keys are dual-purpose, ie used to 
establish the session key as well as for authentication, which they very 
often are) - or perhaps under this new Act under some more general power.

[1] a DHE suite uses Diffie-Hellman to establish an Ephemeral session 
key which cannot be worked out from looking at traffic, or through 
subsequent demands for keys.

Each party creates an ephemeral secret (they generate a random number 
and keep it secret), and the shared secret session key is worked out 
from them using some clever mathematrickery without exposing those 
secrets in transmission. The secrets are then discarded, and the session 
is (should be) discarded after the session.

There are DH suites which are not ephemeral (the server reuses the same 
secret for all sessions, and does not delete it) - in those cases the 
session keys can be worked out if the secret is made known, by demand or 
otherwise.

> 
> I'm not interested in whether the technically savvy are able to avoid
> such action - let us stipulate for the sake of argument that they are.

For nerds, they might be able to discourage the use of DHE suites (by 
replacing a small bit of traffic saying "I don't do that DHE suite, try 
this non-DHE one instead" when establishing which suite to use at the 
beginning of a session).

That also would be found out, but it would take longer and there 
wouldn't be such a big "smoking gun" as in a forged certificate MITM attack.


-- Peter Fairbrother

> 
> Thanks.
> 

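An added illustration of the points above about server private keys, DHE and stripping DHE from the suite offer; this is example code, not from the post or from the ukcrypto list. It models a stripped-down TLS 1.2-style exchange in pure Python (standard library only) with toy-sized textbook RSA and a toy DH group (p = 2^255 - 19, which is prime, and g = 2, chosen for illustration only). The suite names, the `Server` class and the `tap` record are inventions of the example. A passive tap records each handshake; afterwards the attacker is handed the server's long-term keys (the "demand" scenario) and tries to recompute the session key from the recording alone.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; toy-grade primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=256):
    """Textbook RSA at toy size (illustration only); returns ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

DH_P, DH_G = 2**255 - 19, 2   # 2**255 - 19 is prime; g = 2 is a toy choice, not a real group

def dh_secret():
    return secrets.randbelow(DH_P - 2) + 1

def kdf(premaster, client_rand, server_rand):
    """Stand-in for the TLS PRF: session key from the premaster plus both nonces."""
    return hashlib.sha256(premaster.to_bytes(64, "big") + client_rand + server_rand).hexdigest()

class Server:
    """Long-term material a website holds and could be compelled to hand over."""
    def __init__(self):
        self.rsa_pub, self.rsa_priv = rsa_keygen()
        self.dh_static = dh_secret()   # non-ephemeral DH: reused every session, never deleted
        self.supported = ["DHE", "DH_STATIC", "RSA"]

    def long_term_keys(self):
        return {"rsa_priv": self.rsa_priv, "dh_static": self.dh_static}

def run_handshake(server, client_offer, tamper=None):
    """Toy handshake -> (suite, session_key, tap). `tap` is what a passive wire
    tap records; `tamper`, if given, rewrites the client's offer in transit."""
    offer = tamper(client_offer) if tamper else list(client_offer)
    suite = next(s for s in offer if s in server.supported)
    client_rand, server_rand = secrets.token_bytes(32), secrets.token_bytes(32)
    tap = {"suite": suite, "client_rand": client_rand, "server_rand": server_rand}
    if suite == "RSA":
        e, n = server.rsa_pub
        premaster = secrets.randbelow(n - 2) + 2
        tap["encrypted_premaster"] = pow(premaster, e, n)   # ClientKeyExchange
    else:
        x = server.dh_static if suite == "DH_STATIC" else dh_secret()
        y = dh_secret()                                     # client side is always fresh
        tap["server_dh_pub"], tap["client_dh_pub"] = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
        premaster = pow(tap["client_dh_pub"], x, DH_P)
        assert premaster == pow(tap["server_dh_pub"], y, DH_P)
        del x, y   # local copies dropped: for DHE nothing of x survives, for DH_STATIC the server still holds it
    return suite, kdf(premaster, client_rand, server_rand), tap

def recover_session_key(tap, long_term_keys):
    """Passive attacker: recorded `tap`, later obtained the server's long-term keys.
    Returns the session key, or None if transcript + long-term keys do not determine it."""
    if tap["suite"] == "RSA":
        d, n = long_term_keys["rsa_priv"]
        premaster = pow(tap["encrypted_premaster"], d, n)
    elif tap["suite"] == "DH_STATIC":
        premaster = pow(tap["client_dh_pub"], long_term_keys["dh_static"], DH_P)
    else:
        return None   # DHE: only g^x and g^y went over the wire; x and y are gone
    return kdf(premaster, tap["client_rand"], tap["server_rand"])

def strip_dhe(offer):
    """Active tamper on the offer: quietly drop DHE so the server falls back to RSA."""
    return [s for s in offer if s != "DHE"]

def demo(server, client_offer, tamper=None):
    suite, key, tap = run_handshake(server, client_offer, tamper)
    return suite, key, recover_session_key(tap, server.long_term_keys())

if __name__ == "__main__":
    srv = Server()
    for offer, tamper in ((["RSA"], None), (["DH_STATIC"], None),
                          (["DHE", "RSA"], None), (["DHE", "RSA"], strip_dhe)):
        suite, key, got = demo(srv, offer, tamper)
        print(f"{suite:10} recovered from tap + compelled keys: {got == key}")
```

Running it shows the RSA and static-DH sessions recovered from the recording once the server's keys are in hand, the DHE session not recovered, and the DHE offer silently downgraded to RSA by `strip_dhe` with nothing on the wire that looks like a forged certificate. One caveat the toy omits: in real TLS 1.2 the server signs its DHE share with its long-term key, so a compelled key also allows an active impersonation; that is a different, noisier attack from the passive decryption modelled here.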