[Wikimedia-l] prism and certificate authorities, snooping https

rupert THURNER rupert.thurner at gmail.com
Sat Jun 15 21:48:44 UTC 2013


i saw on the wmf statement on meta that https everywhere should calm
people. thats a good start already. 3 years ago the EFF (electronic
frontier foundation) warned about https. Soghoian and Stamm write
about especially about certificate authorities (CA):

       [...] Microsoft’s Root Certificate Program includes he
governments of Austria, Brazil, [...], the United States and Uruguay.
[...] each of these states has the power to facilitate attacks on
encryption anywhere in the world — not just in its territory or
Internet domain.
     “Packet Forensics’ devices are designed to be inserted-into and
removed-from busy networks without causing any noticeable interruption
[. . . ] This allows you to conditionally intercept web, e-mail, VoIP
and other traffic at-will, even while it remains protected inside an
encrypted tunnel on the wire. Using ‘man-in-the-middle’ to intercept
TLS or SSL is essentially an at-tack against the underlying
Diffie-Hellman cryptographic key agreement protocol [. . . ] To use
our product in this scenario, [government] users have the ability to
import a copy of any legitimate key they obtain (potentially by court
order) or they can generate ‘look-alike’ keys designed to give the
subject a false sense of confidence in its authenticity.”
     Individuals living in countries with laws that protect their
privacy from unreasonable invasion have good reason to avoid trusting
foreign governments (or foreign companies) to protect their private
data. This is because individuals often receive the greatest legal
protection from their own governments, and little to none from other
countries. For example, US law strictly regulates the ability of the
US government to collect information on US persons. However, the
government can freely spy on foreigners around the world, as long as
the surveillance is performed outside the US.

the conclusion is also interesting:
   when a company that uses a certificate authority located in a
country different than the one in which it holds user data, it
needlessly exposes users’ data to the compelled disclosure by an
additional government.

so, by getting the certificates from digicert, the traffic can easier
be snooped by the u.s. government. and only u.s. citizens are
protected by u.s. law. this gives a lot of trust :)

* https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
* http://files.cloudprivacy.net/ssl-mitm.pdf


More information about the Wikimedia-l mailing list