scary certificate for www.update.microsoft.com

Peter Fairbrother zenadsl6186 at zen.co.uk
Mon Jun 18 23:27:38 BST 2012


Ian Batten wrote:
> On 18 Jun 2012, at 20:16, Peter Fairbrother wrote:
> 
>> Ben Liddicott wrote:
>>> RSA is not in suite B either.
>> 
>> A big trail of big suppositions follows. There may be nothing in
>> it.
>> 
>> 
>> 
>> Suppose GCHQ have made a small theoretical improvement in factoring
>> or breaking RSA, and NSA has built the hardware to do it - maybe
>> enough for 200 1kbit keys per year.
>> 
>> As many sites update their keys twice a year, suppose that NSA has
>> the private keys to 1000 certificates at any time. Say 50 of these
>> are used for spy stuff, and 500 are the keys used to unlock
>> the 50 biggest https sites.
> 
> Presumably that's 100, 50, 50 not 1000, 50, 500.

Da. I couldn't decide which set to use, it's all just guesswork. E.g. 1000 
gives you (them) some VPNs, and 100 probably doesn't.
> 
>> Now NSA can collect internet traffic because the President lets
>> them, and GCHQ want access to raw internet traffic - after all,
>> it's no good having the keys if you can't access the traffic, it's
>> not usually sent by broadcast radio any more.
> 
> But how would this work in practice?  Google roll their certificate
> over.  

OK I'm dumb, but I don't know what that means.

-- peter F




> Unless you can MITM the key immediately (ie, break RSA on
> demand) then you have to somehow make sure that traffic you collect
> is readable using a later factorisation.  You need to hope that the
> website whose certificate you intend to factor doesn't support PFS.
> Oh dear: http://www.imperialviolet.org/2011/11/22/forwardsecret.html
>> What better way to collect traffic than a comms bill like the
>> proposed one?
> 
> But the moment there is the slightest suggestion that your hypothesis
> is true, PFS is there to thwart it.  Spending £1.8bn on something to
> which there's a trivial counter-measure might rebound on the people
> asking for the budget.
> 
> ian
> 
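Ian's point is that with forward-secret key exchange a later factorisation of the certificate's RSA key does not unlock recorded sessions, because the session key was never encrypted to that key. As an added example (not from the thread, and not anyone's project code), here is a stdlib-only Python check that classifies OpenSSL cipher-suite names by that property and builds a context restricted to forward-secret suites; the token rules and the cipher string are my own assumptions about OpenSSL naming.

```python
"""Classify TLS cipher suites by whether they give forward secrecy."""
import ssl
from dataclasses import dataclass

# OpenSSL key-exchange tokens that derive the session key from an
# ephemeral (EC)DH exchange rather than encrypting it to the cert key.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "EECDH", "AECDH", "ADH"}
ANON_KX = {"AECDH", "ADH"}   # ephemeral, but no certificate at all


@dataclass(frozen=True)
class Verdict:
    suite: str
    forward_secret: bool
    reason: str


def classify(suite: str) -> Verdict:
    """Decide from an OpenSSL suite name whether a later compromise of the
    server's long-term private key would expose a recorded session."""
    # TLS 1.3 suites name only the AEAD; key exchange is always ephemeral.
    if suite.startswith("TLS_"):
        return Verdict(suite, True, "TLS 1.3: (EC)DHE only")
    kx = suite.split("-", 1)[0]
    if kx in ANON_KX:
        return Verdict(suite, True, "ephemeral but unauthenticated (MITM-able)")
    if kx in EPHEMERAL_KX:
        return Verdict(suite, True, f"{kx}: session key never encrypted to cert key")
    # Static RSA, static DH, plain PSK, RSA-PSK: the recorded handshake
    # plus the long-term key (or PSK) yields the session key later.
    return Verdict(suite, False, "static key exchange: falls with the private key")


def non_forward_secret(ctx: ssl.SSLContext) -> list:
    """Names of suites this context would offer that lack forward secrecy."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if not classify(c["name"]).forward_secret)


def forward_secret_only() -> ssl.SSLContext:
    """Client context that refuses any suite without ephemeral key exchange.
    The cipher string is an assumption (OpenSSL cipher-list syntax)."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL")
    return ctx


if __name__ == "__main__":
    print("default context still offers:", non_forward_secret(ssl.create_default_context()))
    print("hardened context offers:", non_forward_secret(forward_secret_only()))
```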



