A long, long time ago, on a not so distant blog, I questioned the manner in which we make trust decisions regarding HTTPS enabled web sites.
Yesterday, Sid Stamm and Christopher Soghoian published a very interesting paper that further explores problems with SSL PKI and the trusted CA model. Most recent SSL research has focused on exploiting technical, implementation specific flaws in various pieces of SSL PKI. Stamm and Soghoian instead discuss a much more esoteric threat: various government agencies strong arming trusted Certification Authorities into issuing valid certificates for nefarious purposes.
The authors describe a fictitious attack on Chinese dissidents where the Chinese government coerces a Chinese CA to issue a certificate for US based Google. By detecting a change in the country of origin for the signing CA of the Google certificate, the authors say that an otherwise perfect SSL MITM attack can be detected.
But with all this talk of the Google hack, APT, and various government and defense agencies being successfully attacked themselves, who is to say that the Certification Authorities are immune? Why strong arm a CA, when you can silently issue your own certificate?
Both comments and trackbacks are currently closed.