https - hopefully not too stupid a question

Ben Laurie ben at links.org
Mon Jun 18 05:04:58 BST 2012


On Sun, Jun 17, 2012 at 2:57 PM, Peter Fairbrother
<zenadsl6186 at zen.co.uk> wrote:
> Francis Davey wrote:
>>
>> This is the first question I have initiated on this group, so I hope
>> it does not seem to be too foolish a query.
>>
>> Reading:
>>
>> http://fsfe.org/news/2012/news-20120616-01.html
>>
>> I wondered to what extent the government could put a framework in
>> place to avoid some of these, in particular the use of https. Could
>> the government set things up within the UK so that certificates were
>> forged so that they were able to intercept https in transit?
>
>
> Yes, but they would get caught if they did it surreptitiously and often.
>
> Either by certificate comparisons performed by the occasional nerd or
> security company, or by the black boxes at the ISPs - a black box which
> simply acts as a tap on the line would have different traffic
> characteristics, which the ISP would notice, as they measure traffic for
> peering and payment purposes.
>
> There are a couple of other ways they might get caught too.
>
>
>> Assume that the Bill gives them the legal power to require anyone in
>> the UK to do anything in order to facilitate obtaining comms data
>> could they use that power to require someone/anyone to issue
>> certificates purporting to be for sites (like facebook)? I am not sure
>> how easy it is for a state actor to do this in a way that will affect
>> ordinary people.
>
>
> Once caught, the offending certificate could be traced to the issuing CA,
> who would then risk getting excluded from the major browsers' "trusted CA"
> lists - death for a CA.
>
>
>
>
> Something perhaps much more interesting, in the Chinese proverbial sense of
> the word,  would be for the gubbmint to obtain the private keys for the
> websites visited. Once they have those they can easily work out the session
> keys used just from looking at traffic, without modifying it (unless a DHE
> SSL/TLS suite [1] is used).
>
> They could demand the keys from the websites, if they have a UK presence,
> under RIPA part 3 (if the keys are dual-purpose, ie used to establish the
> session key as well as for authentication, which they very often are) - or
> perhaps under this new Act under some more general power.
>
> [1] a DHE suite uses Diffie-Hellman to establish an Ephemeral session key
> which cannot be worked out from looking at traffic, or through subsequent
> demands for keys.
>
> Each party creates an ephemeral secret (they generate a random number and
> keep it secret), and the shared secret session key is worked out from them
> using some clever mathematrickery without exposing those secrets in
> transmission. The secrets are then discarded, and the session is (should
> be) discarded after the session.
>
> There are DH suites which are not ephemeral (the server reuses the same
> secret for all sessions, and does not delete it) - in those cases the
> session keys can be worked out if the secret is made known, by demand or
> otherwise.
>
>
>>
>> I'm not interested in whether the technically savvy are able to avoid
>> such action - let us stipulate for the sake of argument that they are.
>
>
> For nerds, they might be able to discourage the use of DHE suites (by
> replacing a small bit of traffic saying "I don't do that DHE suite, try this
> non-DHE one instead" when establishing which suite to use at the beginning
> of a session).

If they can do that, then they might as well just mitm the whole
session, which DHE will not defend against.

>
> That also would be found out, but it would take longer and there wouldn't be
> such a big "smoking gun" as in a forged certificate MITM attack.
>
>
> -- Peter Fairbrother
>
>>
>> Thanks.
>>
>
>
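Footnote [1] above contrasts a server that reuses one Diffie-Hellman secret with one that uses a fresh, discarded secret per session. The Python below is an added example, not code from the thread: it models a passive tap on the line plus a later demand for the server's long-term secret, against both kinds of server, and shows that only the static server's past session keys fall out. The 127-bit group, the generator and the Server/run_sessions/recover_from_tap names are constructed for the demonstration and assume nothing about any real site.

```python
import secrets
import hashlib

# Toy DH group, constructed for illustration only (real DHE uses >= 2048-bit primes).
P = 2**127 - 1   # Mersenne prime M127
G = 5

def dh_keypair():
    """Fresh DH secret x and its public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def derive_session_key(my_secret, peer_public):
    """Session key = H(g^xy mod p); both ends compute the same value."""
    shared = pow(peer_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Server:
    """ephemeral=False: static DH, one secret reused in every handshake.
    ephemeral=True: DHE, a fresh secret used once and discarded; the long-term
    key then only authenticates the server (that signature is omitted here)."""
    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.long_term_secret, self.long_term_public = dh_keypair()

    def handshake(self, client_public):
        if self.ephemeral:
            x, gx = dh_keypair()                      # used once, then dropped
        else:
            x, gx = self.long_term_secret, self.long_term_public
        return gx, derive_session_key(x, client_public)   # gx goes on the wire

    def compelled_disclosure(self):
        """All a demand for 'the keys' can obtain once the sessions are over."""
        return self.long_term_secret

def run_sessions(server, n):
    """(transcripts, keys): what a passive tap sees, and the keys actually used."""
    transcripts, keys = [], []
    for _ in range(n):
        y, gy = dh_keypair()                          # client's one-off secret
        gx, key = server.handshake(gy)
        assert derive_session_key(y, gx) == key       # client agrees on the key
        transcripts.append((gy, gx))
        keys.append(key)
    return transcripts, keys

def recover_from_tap(transcripts, disclosed_secret):
    """Observer with the tap and the disclosed long-term secret tries each session."""
    return [derive_session_key(disclosed_secret, gy) for gy, _ in transcripts]
```

Against the static server every recovered key matches the key that was used; against the ephemeral server the same procedure yields keys that match none of the sessions, which is the property the footnote describes.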