Unauthorized SSL certificates put everyone at risk

HTTPS Questionmark screenshot Google warns of unauthorized TLS certificates trusted by almost all OSes Ars Technica

“In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well."

The existing SSL certificate authority structure is fatally flawed. Its integrity relies on a huge number of primary and secondary certificate authorities to follow the rules and only issue certificates to the valid owners of websites. Of course many of these certificate authorities are in places where they can be pressured or forced to issue certificates to other entities for other purposes, like surveillance.

In February we saw SuperFish installing it’s own certificate on every computer where it was installed.

In January we saw Gogo Inflight simply self signing certificates, generating errors which were widely ignored.

In July 2014 an Indian certificate authority was caught creating fake certificates for Google services.

In April 2013 Firefox black listed a certificate authority for this kind of thing.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Protect your security from ISPs stripping email encryption

Cricket Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.

It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection.

The ISP can easily modify the data stream to remove the request, causing your computer to connect without any encryption. According to the standard, the user is supposed to get a warning about this, but in practice almost all software just fails silently.

The best way to protect yourself against this attack is to encrypt your email end to end. You can use SMIME, which is built into most email clients, or GPG. GPG can be stronger, but it is harder to use, and easy to misuse. Either will significantly improve your security.

The next step is to use a VPN like Anonymizer.com to protect you against your ISP. It will also protect you against anyone else in the path between your computer and your VPN service. Unfortunately between them and the destination server, you are still vulnerable to any hostile ISPs.



Some other articles on this attack: Arstechnica, & The Washington Post

Also read:

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on FacebookTwitter, and Google+.

Holder is wrong - backdoors and security can not coexist.

Eric Holder In the article below Attorney General Eric Holder said "“It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy”

This is simply not true, and harkens back to the discredited arguments made by the FBI in the 1990’s about the Clipper Chip. It is hard enough to make secure computing systems, and we are not very good at it as all the breaches demonstrate. Intentionally introducing a vulnerability, which is the essential nature of back door or law enforcement access, is madness. If there is a back door, then keys exist, and can be compromised or reverse engineered. It is an added complexity to the system, which is almost certain to introduce other vulnerabilities. Its use would not be restricted to the US. Once it exists every government will demand access.

Social media and the cloud have tilted the balance of power absurdly towards law enforcement. This argument that they must retain access to encrypted cell phones is fatuous.

Holder urges tech companies to leave device backdoors open for police - The Washington Post

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Apple can't decrypt your phone

IPhone lock screen iOS8 Since it was introduced, Apple has had the ability to decrypt the contents if iPhones and other iOS devices when asked to do so (with a warrant).

Apple recently announced that with iOS 8 Apple will no longer be able to do so. Predictably, there has been a roar of outrage from many in law enforcement. [[Insert my usual rant about how recent trends in technology have been massively in favor of law enforcement here]].

This is really about much more than keeping out law enforcement, and I applaud Apple for (finally) taking this step. They have realized what was for Anonymizer a foundational truth. If data is stored and available, it will get out. If Apple has the ability to decrypt phones, then the keys are available within Apple. They could be taken, compromised, compelled, or simply brute forced by opponents unknown. This is why Anonymizer has never kept data on user activity.

Only by ensuring that they can not do so can Apple provide actual security to it customers against the full range of threats, potentially least of which is US law enforcement.


Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebookTwitter, and Google+.

If you don't admit you won't decrypt

Broken Disk The Massachusetts High Court recently ruled that a suspect can be compelled to decrypt disks, files, and devices which have been seized by law enforcement. The crux of the question before the court was whether compelling the password for decryption is forbidden by the Fifth Amendment protection against self incrimination.

The analogy one most often sees is to being compelled to provide the combination to a safe, the contents of which are subject to a search warrant. That is well settled law, you can be compelled to do so.

The court said:

We now conclude that the answer to the reported question is, "Yes, where the defendant's compelled decryption would not communicate facts of a testimonial nature to the Commonwealth beyond what the defendant already had admitted to investigators." Accordingly, we reverse the judge's denial of the Commonwealth's motion to compel decryption.

In this case, there was nothing testimonial about decrypting the files because the defendant has already admitted to owning the computers and devices, and to being able to decrypt them.

The much more interesting situation will come in a case where the defendants say they never had, or have forgotten, the password. One can not be compelled to do something impossible, but generally the proof of the impossibility falls on the defendant. In this case one would have to prove a negative. How could you prove that you don’t have the password? The only thing that can be proved is that you do, and that only by doing so.

This ruling is only binding in the sate of Massachusetts, but is likely to be influential in cases in other areas.

Massachusetts High Court Permits Compelled Decryption of Seized Digital Evidence | The National Law Review

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Update: It looks like I am wrong about providing the combination to a safe being settled law. Thanks Joey Ortega for setting me straight.

More thoughts on TrueCrypt, with archives, from GRC

Truecrypt flurry icon by flakshack d4jjwdo

GRC's | TrueCrypt, the final release, archive

Steve Gibson shares recent messages exchanges with some of the developers of TrueCrypt. These further suggest a boring explanation of the shutdown, as opposed to more nefarious explanations.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Do you need to replace TrueCrypt immediately?

Truecrypt flurry icon by flakshack d4jjwdo

For years, TrueCrypt has been the gold standard open source whole disk encryption solution. Now there is a disturbing announcement on the TrueCrypt website. Right at the top it says "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”.

The rest of the page has been changed to a notice that development on TrueCrypt stopped this May, and directions for migrating from TrueCrypt to BitLocker, the disk encryption tool built in to Windows. Of course, this is of little help to anyone using TrueCrypt on Mac or Linux. It is still possible to download TrueCrypt from the site, but the code now will not create new vaults, and warns users to migrate to a new platform.

There are certainly alternatives, but this is a real shock. On Mac, one could always use the built in FileVault tool. Linux users may have a harder time finding a good replacement. 

The big question is, what the heck is actually going on here. This is all far too cryptic, with no where near enough actual information to draw intelligent conclusions.

A recent independent audit of TrueCrypt discovered “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”

There are a number of theories about what is going on ranging from credulous to paranoid.

  • Like Lavabit, they received a National Security Letter requiring compromise of the code. This is their way of resisting without violating the gag order.
  • They have been taken over by the government, and they are trying to force everyone to move to a less secure / more compromised solution.
  • There really is a gigantic hole in the code. Releasing a fix would tell attackers the exact nature of the vulnerability, which most people would take a very long time to address. Having everyone migrate is the safest solution.
  • Some personal conflict within the TrueCrypt developers is leading to a “take my ball and go home” action.
  • The developers only cared about protecting windows users with XP or earlier, which did not have the built in disk encryption. Now that XP support has ended, they don’t feel it is valuable any more. This is suggested by the full wording of the announcement.
  • The website or one of the developer’s computers was compromised, and this is a hack / hoax.

The whole thing is really odd, and it is not yet obvious what the best course of action might be.

The safest option appears to be to remove TrueCrypt, and replace it with some other solution, either one that is built in to the OS, or from a third party.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Australians, you need to start taking ownership of your own encryption

Australia computer mouseAttorney General's new war on encrypted web services - Security - Technology - News - iTnews.com.au Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any services where the provider has the keys will obviously be able to do this.

Australians may want to start to start taking steps to protect themselves now.

End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.

Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.

Finally, let your voice be heard on this issue by reaching out to your members of parliament.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Can you be forced to decrypt your files?

Declan McCullagh at CNET writes about the most recent skirmish over whether a person can be forced to decrypt their encrypted files.

In this case, Jeffery Feldman is suspected of having almost 20 terabytes of encrypted child pornography. Evidence of use of eMule, a peer to peer file sharing tool, showed filenames suggestive of such content. Child porn makes for some of the worst case law because it is such an emotionally charged issue.

A judge had ordered Mr. Feldman to decrypt the hard drive, or furnish the pass phrase, by today. After an emergency motion, he has been given more time while the challenge to the order is processed.

The challenge is over whether being compelled to decrypt data is equivalent to forced testimony against one's self, which is forbidden by the Fifth Amendment. The prosecution position is that an encryption key is similar to a key to a safe, which may be compelled. Some prior cases have come down on the side of forcing the decryption, but not all.

If it was plausible that the suspect might not know how to decrypt the file, that would make things even more interesting. For now, the moral of the story is that you can't rely on the Fifth Amendment to protect you from contempt of court charges in the United States if you try to protect your encrypted data. Outside the US, your mileage may vary.

Google upgrades SSL Certs to 2048 bit

Yesterday Google announced that it was updating its certificates to use 2048 bit public key encryption, replacing the previous 1024 bit RSA keys.

I have always found the short keys used by websites somewhat shocking. I recall back in the early 1990's discussion about whether 1024 bits was good enough for PGP keys. Personally, I liked to go to 4096 bits although it was not really officially supported.

The fact that, 20 years later, only a fraction of websites have moved up to 2048 bits is incredible to me.

Just as a note, you often see key strengths described in bit length with RSA being 1024 or 2048 bits, and AES being 128 or 256 bits.

This might lead one to assume that RSA is much stronger that AES, but the opposite is true (at these key lengths). The problem is that the two systems are attacked in very different ways. AES is attacked by a brute force search through all possible keys until the right one is found. If the key is 256 bits long, then you need to try, on average, half of the 2^256 keys. That is about 10^77 keys (a whole lot). This attack is basically impossible for any computer that we can imagine being built, in any amount of time relevant to the human species (let alone any individual human).

By comparison, RSA is broken by factoring a 1024 or 2048 bit number in the key into its two prime factors. While very hard, it is not like brute force. It is generally thought that 1024 bit RSA is about as hard to crack as 80 bit symmetric encryption. Not all that hard. 

Blacklisting SSL Certificate Authorities

The Register has an article on Firefox black listing an SSL Certificate authority.

Certificates and certificate authorities are the underpinnings of our secure web infrastructure.

When you see the lock on your browser, it means that the session is encrypted and the site has presented a valid site certificate (so it is who it claims to be).

That site certificate is signed by one of many certificate authorities.

I see 86 certificate issuing authorities in my Firefox now.

Many of those certificate authorities have multiple signing certificates.

Additionally the certificate authorities can delegate to subordinate certificate authorities to sign site certificates.

Any certificate signed by any of these authorities or subordinate authorities is recognized as valid.

These entities are located all over the world, many under the control of oppressive governments (however you define that).

Certificate authorities can create certificates to enable man in the middle attacks, by signing keys purporting to be for a given website, but actually created and held by some other entity.

There are plugins like certificate patrol for Firefox that will tell you when a site you have visited before changes certificates or certificate authorities. Unfortunately this happens fairly frequently for legitimate reasons, such as when renewing certificates every year or few years.

Some certificate authorities are known or suspected to be working with various law enforcement entities to create false certificate for surveillance.

Here is how it works:

The government has certificate authority create a new certificate for a website.

The government then intercepts all sessions to that site with a server (at national level routers for example).

The server uses real site certificate to communicate with the real website securely.

The server uses the new fake certificate to communicate with user securely.

The server then has access to everything in the clear as it shuttles data between the two secure connections..

It can read and/or modify anything in the data stream.


Firefox is removing TeliaSonera’s certificate authority from the list in Firefox for this reason. Going forward no certificate issued by them will be recognized as valid. This will impact a large number of legitimate websites that have contracted with TeliaSonera, as well as preventing the fake certificates.

There is a lot of controversy about this. What is appropriate cooperation with law enforcement vs. supporting and enabling dictators.

In any case, this is a failure of the protocol. If the browser shows a certificate as valid when it has not come from the real website, then there has been a security failure.

The SSL key infrastructure is showing its age. It was “good enough” when there were only one or two certificate authorities and the certificates were not actually protecting anything of great importance. Now everyone relies heavily on the security of the web. Unfortunately, while it is broken, it is very hard to replace.

In the short term, installing a certificate checker like certificate patrol is probably a good idea, despite the number of false positives you will see.

In the longer term, there is a really hard problem to solve.

Nokia does a man in the middle attack on your secure mobile browsing

Gigaom reports on a major security issue at Nokia, first announced in the "Treasure Hunt" blog.

Their Asha and Lumia phones come with something they call the "Xpress Browser". To improve the browser experience, the web traffic is proxies and cached. That is a fairly common and accepted practice.

Where Nokia has stepped into questionable territory is when it does this for secure web traffic (URLs starting with HTTPS://). Ordinarily it is impossible to cache secure web pages because the encryption key is unique and used only for a single session, and is negotiated directly between the browser and the target website. If it was cached no one would be able to read the cached data.

Nokia is doing a "man in the middle attack" on the user's secure browser traffic. Nokia does this by having all web traffic sent to their proxy servers. The proxy then impersonate the intended website to the phone, and set up a new secure connection between the proxy and the real website.

Ordinarily this would generate security alerts because the proxy would not have the real website's cryptographic Certificate. Nokia gets around this by creating new certificates which are signed by a certificate authority they control and which is pre-installed and automatically trusted by the phone.

So, you try to go to Gmail. The proxy intercepts that connection, and gives you a fake Gmail certificate signed by the Nokia certificate authority. Your phone trusts that so everything goes smoothly. The proxy then securely connects to Gmail using the real certificate. Nokia can cache the data, and the user gets a faster experience.

All good right?

The fly in the ointment is that Nokia now has access to all of your secure browser traffic in the clear, including email, banking, etc.

They claim that they don't look at this information, and I think that is probably true. The problem is that you can't really rely on that. What if Nokia gets a subpoena? What about hackers? What about accidental storage or logging?

This is a significant breaking of the HTTPS security model without any warning to end users.

FBI: Anonymity implies terrorist

The FBI in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center have produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.

A big red flag for me were the fliers for cyber cafes and electronics stores. These suggest that the use of privacy protecting services, like Anonymizer, should be deemed suspicious. They also call out Encryption, VoIP, and communicating through video games.

In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.

Thanks to Public Intelligence for pulling together PDFs of the documents.

Internet Cafe flier.

Electronics Store flier.

Matt Blaze: Wiretapping and Cryptography Today

Matt Blaze analyzes why the widespread use of cryptography has had almsost no impact on our practical ability to do wiretaps and gather information under legitimate court orders. Not too technical and absolutely worth a read.

Matt Blaze: Wiretapping and Cryptography Today:

Excellent EFF post on failures of Cryptography regulation

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea. The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance  and constitutional issues).

Breach in the trust of the global public key infrastructure

In a recent post on Privacy Digest, and an article in the NYTimes, there is a discussion of some major and well known vulnerabilities in the global public key infrastructure (PKI) and some examples of exploitations of that vulnerability.

The issue is with the proliferation of certificate authorities on the Internet, and the low level of oversight on their policies.

Using the web as an example, here is how it works. Embedded in every browser is a list of "certificate authorities". These are companies that are deemed trustworthy to issue and sign website certificates. Website certificates are what allows websites to be authenticated by your browser and enables SSL based secure connections (e.g. to your bank).

These certificate authorities may also be able to delegate their certificate signing authorities to other secondary certificate authority organizations. The list of primary certificate authorities in your browser is long (I count 43 in my copy of Firefox), and who knows how many secondary certificate authorities may be out there. These certificate authorities exist all over the world, and any of them can issue a certificate that your browser will accept as valid.

A malevolent certificate authority could issue certificates to allow them to impersonate any secure website.

The articles talk specifically about a secondary certificate authority called Etisalat, located in the UAE. They created a certificate which allowed them to sign code which would be accepted as valid and authorized by BlackBerry cell phones. They then created and distributed software to about 100,000 users which enabled government surveillance of the devices. RIM, the maker of BlackBerry, was able to detect and patch this introduced back door.

Etisalat could create certificates to allow the UAE to intercept and read all secure web traffic traveling over networks within that country.

It is likely that there are many other certificate authorities that are similarly willing to compromise the security of the PKI for various ends. To date, no action has been taken against Etisalat. The EFF is calling for Verizon to revoke Etisalat's ability to issue certificates (Verizon is the primary authority that delegated to Etisalat as the secondary).

Security of BlackBerry in question

There has been a lot of media coverage of the threats of Saudi Arabia and the UAE to shut down BlackBerry connectivity in their countries unless RIM (the maker of BlackBerry) introduces a back door so they can monitor communications. I have been following this story closely, but wanted to wait until I had all the facts before blogging about it. At this point I don't think I am going to get the whole story. The statements I am seeing are absolutely contradictory and the whole thing is getting really fishy.

UAE/SA say that they need to be able to access BlackBerry communications, but they can't.

RIM says that their technology makes interception impossible because the communications are encrypted end to end between the BES server (located at the users place of business) and the handset. RIM claims not to have access to the decryption keys.

Third parties claim that RIM has arrangements with other countries (including the US and Russia) which allows such access.

RIM responds that this is false and that they don't have this ability.

It looks like RIM and UAE/SA will come to an agreement while both continue to claim that they have not compromised their positions.

The moral of this story is that you should not trust security you can not fully analyze yourself. Anonymizer Universal uses strongly encrypted L2TP VPN technology to secure your information so even if your telecommunications provider is cooperating with surveillance they still can't read the contents of your messages.

Unfortunately Anonymizer Universal does not support BlackBerry yet, but iPhone, Windows, and Mac users are protected.

Cypherpunk retrospective at 20th anniversary CFP conference

This year the "Computers Freedom and Privacy" (CFP) conference is taking place in San Jose from June 15-18. This year is the 20th anniversary of the conference which helped shape my thinking about Internet Privacy and introduced me to many of the key players in this space.

Around the same time in 1992 an email mailing list started called "Cypherpunks". Members were devoted discussions of Internet freedom and to creating and distributing privacy and security tools. Best known of these are the various flavors of Anonymous Remailers following the original anon.penen.fi.

This seems like a good time to stop and take stock of what has been achieved, lost, and abandoned in the evolution of privacy and anonymity on the Internet. I have organized a panel at CFP of some of the key Cypherpunks from the early days to talk about those early days, and share their vision and insight about where we are and where we should / are likely to end up.

I hope I will see many of you there.