Wednesday, March 24, 2010
My latest paper, co-authored with Sid Stamm, is now online:
Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL (this link downloads the PDF)
This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.
The first paragraph describing the threat:
A pro-democracy dissident in China connects to a secure web forum hosted on servers outside the country. Relying on the training she received from foreign human rights groups, she makes certain to look for the SSL encryption lock icon in her web browser, and only after determining that the connection is secure does she enter her login credentials and then begin to upload materials to be shared with her colleagues. However, unknown to the activist, the Chinese government is able to covertly intercept SSL encrypted connections. Agents from the state security apparatus soon arrive at her residence, leading to her arrest, detention and violent interrogation. While this scenario is fictitious, the vulnerability is not.
We are hoping to release the CertLock browser add-on described in the paper in the next few weeks. In the mean time, we welcome any feedback on our paper.
In general, the SSL/Certificate Authority system is horribly broken, and it needs to be fixed. However, broken SSL is still better than no SSL -- which is why the big name email providers, social networks and any other site that handles sensitive data needs to step up and protect their users.