EFF casts doubt on security of SSL against eavesdropping
The Electronic Frontier Foundation (EFF) is warning that state agencies are probably able to routinely eavesdrop on SSL-encrypted internet connections. They refer to a draft research paper in which researchers Christopher Soghoian and Sid Stamm summarise the evidence for this supposition and describe a possible defensive strategy.
The two researchers are not able to provide any hard facts. They start by stating that many governments routinely compel companies to cooperate with surveillance measures. In the USA, the statute which allows companies to be compelled to assist with such measures is "remarkably broad". According to the researchers, these statutes have been used to, for example, compel a SatNav manufacturer to activate the built-in microphone in one of its devices in order to record conversations in a vehicle. VeriSign, the largest provider of SSL certificates, is, according to the paper, also involved in outsourcing telecommunications surveillance.
They conclude that government agencies must therefore also be able to compel certification service providers such as VeriSign to issue arbitrary SSL certificates. In many countries, there are government certification authorities (CAs) whose certificates are stored as trusted roots in all of the common browsers. Internet Explorer, Firefox, Safari and Chrome blindly trust more than 100 root certificates, including certificates from VeriSign, Deutsche Telekom and the network administration agency CNNIC, which is controlled by the Chinese government.
If a web server presents a certificate signed by one of these bodies, the user is informed that the connection is trusted by means of a padlock symbol or a green address bar. But the SSL concept is based on the trustworthiness of CAs. Anyone with a copy of the secret key for a root certificate or a major CA's intermediate certificate can spoof SSL on the fly and eavesdrop on encrypted connections.
Soghoian and Stamm also found a commercial hardware appliance which was able to silently eavesdrop on SSL connections directed through it. In its advertising, the vendor, Packet Forensics, states that the device merely requires a copy of a legitimate certificate key. The company specifically points out that a copy of a key can be obtained via a court order.
The paper quotes Packet Forensics CEO Victor Oppelman as stating that the appliance is already being used by customers in the USA and elsewhere. The product advertising makes the target group for the device absolutely clear: "Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption."
As a possible means of protecting against such attacks, Soghoian and Stamm describe a Firefox add-on which stores certificate information for all SSL websites visited. Each time a site is visited, the add-on compares the current details with the stored details and warns when the country of origin of one of the CAs in the certificate path has changed. Changes such as a newly issued certificate due to the expiry of the old certificate do not trigger a warning. The researchers assume a little common sense from users: "Thus, for example, users in China told that their encrypted session to Google Mail is suddenly using a certificate provided by a Chinese CA are quite likely to realise that something is wrong."
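The comparison described above, as an added example that is not Certlock's own code. It assumes certificates are already parsed into simple records, treats "changed" as a CA country appearing that was not stored for that host, and uses hypothetical names (`Cert`, `CaCountryStore`, `mail.example.test`) and constructed sample chains.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Already-parsed certificate fields (constructed model, no real X.509 parsing)."""
    common_name: str
    country: str       # C= attribute of the certificate subject
    is_ca: bool        # True for intermediate and root CA certificates
    fingerprint: str   # changes whenever the certificate is reissued


class CaCountryStore:
    """Remembers, per host, which countries the CAs in its certificate path came from."""

    def __init__(self):
        self._baseline = {}  # host -> frozenset of CA country codes

    def check(self, host, chain):
        """Return CA countries not seen before for this host (empty list = no warning)."""
        countries = frozenset(c.country for c in chain if c.is_ca)
        baseline = self._baseline.get(host)
        if baseline is None:
            # First visit: nothing to compare against, so record and trust.
            self._baseline[host] = countries
            return []
        # Leaf fingerprints and expiry dates are deliberately ignored, so a routine
        # reissue by the same CAs stays silent. The baseline is kept on a mismatch.
        return sorted(countries - baseline)


def chain(leaf_fp, ca_country):
    """Build a constructed three-certificate path for the hypothetical host."""
    return [
        Cert("mail.example.test", "US", False, leaf_fp),
        Cert("Example Issuing CA", ca_country, True, "ca-" + ca_country),
        Cert("Example Root CA", ca_country, True, "root-" + ca_country),
    ]


def demo():
    store = CaCountryStore()
    host = "mail.example.test"
    first = store.check(host, chain("leaf-2009", "US"))    # first visit
    renewed = store.check(host, chain("leaf-2010", "US"))  # reissued leaf, same CAs
    swapped = store.check(host, chain("leaf-other", "CN")) # CA path from another country
    return first, renewed, swapped


if __name__ == "__main__":
    print(demo())
```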
Studies have, however, shown that most users simply click past security warnings. Furthermore, as the researchers themselves admit, their proposal would not prevent US citizens from being spied on by US agencies, as US companies dominate the certification market, with many German websites, for example, using VeriSign certificates. Their Firefox add-on, Certlock, which they plan to release shortly, would also offer no protection for other applications such as e-mail or VoIP. (ck)