Re: [cryptography] trustwave admits issuing corporate mitm certs
On 2012-02-28 11:34 PM, The Fungi wrote:
> Your login was successful, but due to recent security concerns we also require a one-time verification of your personal information. Please now enter the following...
>
>  * Checking Account Number
>  * Bank Routing Number
>  * ATM Card Number
>  * Card Expiration Date
>  * CCV Number
>  * Full Name
>  * Billing Address
>  * Social Security Number
>  * Drivers License Number
>
> Thank you for your cooperation. Please click here to log out and back in again.
> [hyperlink to actual impersonated site]

Again, I point out that World Of Warcraft, and the rest of the gaming sites, are under massive phishing attack, and phishing really does not work very well, probably because people are used to entering their credentials in an environment that is not a standard web page.

By and large, WoW credentials are stolen by installing trojans. We should not be doing authentication in an ordinary web page.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 02/28/2012 10:42 AM, Marsh Ray wrote:
> By forcing the phishing attack to involve the legitimate site, it does one other thing: it puts the site in a position to require strong mutual authentication.

Let me clarify one little detail: web browsers will still send the HTTP request (including form POST data) to a PKI-enabled MitM. The MitM simply doesn't request (or doesn't validate) the client cert in the handshake. The legitimate site only gets to detect the MitM before deciding whether or not to process the request and send a response.

- Marsh
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 2012-02-26 15:45:34 -0600 (-0600), Marsh Ray wrote:
[...]
> So if the online banking site required TLS client authentication with smart cards with on-chip RSA, the situation would be much different. A MitM who succeeded in impersonating the site to the user would be unable to replay or forward the user's credentials. In theory, the user could not be socially engineered out of his credentials (short of physically handing over his smart card).
[...]

    Your login was successful, but due to recent security concerns we also require a one-time verification of your personal information. Please now enter the following...

     * Checking Account Number
     * Bank Routing Number
     * ATM Card Number
     * Card Expiration Date
     * CCV Number
     * Full Name
     * Billing Address
     * Social Security Number
     * Drivers License Number

    Thank you for your cooperation. Please click here to log out and back in again.
    [hyperlink to actual impersonated site]

So sure, maybe not socially engineered out of his online banking credentials, just possibly everything else the attacker might want in lieu of access to the banking portal itself. Mutual authentication could thwart this if implemented well in a way which was very visible to the user, but also might not if implemented poorly (and it's not like banks are leading the way in well-thought-out authentication technologies, after all).

Also working against this is that it's more expensive for banks to step up authentication past the level which government regulators consider to no longer be grossly negligent. Beyond there it's likely cheaper in the long run for banks to refund disputed transactions and replace compromised accounts (or wait for victims to get frustrated and give up/leave in disgust).

--
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829); WHOIS(STANL3-ARIN); SMTP(fu...@yuggoth.org); FINGER(fu...@yuggoth.org); MUD(kin...@katarsis.mudpy.org:6669); IRC(fu...@irc.yuggoth.org#ccl); }
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 02/28/2012 07:34 AM, The Fungi wrote:
> Your login was successful, but due to recent security concerns we also require a one-time verification of your personal information. Please now enter the following...

Yes, but all of this falls in the category of "user authenticates the website".

> So sure, maybe not socially engineered out of his online banking credentials,

Well that counts as progress, right? :-)

Another thing it does is allow the website security architecture to eliminate a Trustwave-style MitM on connections to their actual servers.

Recall that I said 2/26/2012:
> The only point here is that banking and other web sites aren't using every tool in the box of supported and available cryptographic protocols.

It's a pretty weak claim.

On 02/28/2012 07:34 AM, The Fungi wrote:
> just possibly everything else the attacker might want in lieu of access to the banking portal itself. Mutual authentication could thwart this if implemented well in a way which was very visible to the user, but also might not if implemented poorly (and it's not like banks are leading the way in well-thought-out authentication technologies, after all).

Think about an anti-phishing technology like Passmark/Sitekey. Once the user gives their username, the site shows the user's personal image (e.g. a rubber duck, a boat, a car, whatever). The idea is that a simple phishing site won't know the user's personal image and the user is given an opportunity to notice that something is amiss. If the user is alert this will deter simple phishing. (This is a big 'if' of course, and there are some discouraging user studies on it, but let's assume for now it works.)

But the phishing site can relay the username to the actual bank and then show the image to the user. Heck, the phishing site could be mostly just a proxy to the legit site. So, at best, this system in its current form converts an offline attack to an online attack. However, the online phishing attack may be more difficult for other reasons.

The legitimate site now gets to see a source IP and other parameters of the attacker's connection. This metadata can feed logging, alerting, and other fraud detection systems.

By forcing the phishing attack to involve the legitimate site, it does one other thing: it puts the site in a position to require strong mutual authentication. TLS client certs could thus reliably defeat the active variant of phishing a Passmark/Sitekey-like system.

> Also working against this is that it's more expensive for banks to step up authentication past the level which government regulators consider to no longer be grossly negligent. Beyond there it's likely cheaper in the long run for banks to refund disputed transactions and replace compromised accounts (or wait for victims to get frustrated and give up/leave in disgust).

I think that was certainly true just a few years ago. But today I see a sincere and growing interest by financial institutions in improving real security for their online users.

- Marsh
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
> ...
> Still it might be worth pointing out that if Wells Fargo really wanted to forbid a Trustwave network-level MitM, SSL/TLS provides the capability to enforce that policy at the protocol level. They could configure their web app to require a client cert (either installed in the browser or from a smart card).

many years ago at $my_old_telco_employer they supported web based call monitoring. they required a client side cert purchased from verisign specifically for the purpose. we had pages of documentation detailing how to generate the request, and add the cert into your browser.

this was the first and only time i had ever used client certificates from a CA vendor in such a manner.

mutual authentication... what a concept. is it really that rare?
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Mon, Feb 27, 2012 at 6:08 PM, coderman coder...@gmail.com wrote:
> On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
>> ...
>> Still it might be worth pointing out that if Wells Fargo really wanted to forbid a Trustwave network-level MitM, SSL/TLS provides the capability to enforce that policy at the protocol level. They could configure their web app to require a client cert (either installed in the browser or from a smart card).
>
> many years ago at $my_old_telco_employer they supported web based call monitoring. they required a client side cert purchased from verisign specifically for the purpose. we had pages of documentation detailing how to generate the request, and add the cert into your browser.
>
> this was the first and only time i had ever used client certificates from a CA vendor in such a manner.
>
> mutual authentication... what a concept. is it really that rare?

Very rare for residential consumers; not quite as rare for B2B transactions. For instance, we regularly use it for B2B web services and require it when ILECs or CLECs are retrieving CPNI data. YMMV depending on your telco.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
> Still it might be worth pointing out that if Wells Fargo really wanted to forbid a Trustwave network-level MitM, SSL/TLS provides the capability to enforce that policy at the protocol level. They could configure their web app to require a client cert (either installed in the browser or from a smart card).

Maybe though you meant this specific type of non-malicious MiTM and the problem is we don't have a name for that right now. If you meant all MiTM though, your solution only stops attackers who want to make it look like you're interacting with the real site, not one who merely wishes to steal your data. In that case they don't have to talk to the real wells-fargo website :)

This is exactly why some people are pushing so hard for protocols that get exclusion including things like CA-Pinning in Chrome, CAA, etc...

- Andy
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 02/26/2012 09:34 AM, Andy Steingruebl wrote:
> On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
>> Still it might be worth pointing out that if Wells Fargo really wanted to forbid a Trustwave network-level MitM, SSL/TLS provides the capability to enforce that policy at the protocol level. They could configure their web app to require a client cert (either installed in the browser or from a smart card).
>
> Maybe though you meant this specific type of non-malicious MiTM and the problem is we don't have a name for that right now. If you meant all MiTM though,

I think I meant to say Trustwave-like, but yes I did mean all MitM because I was thinking about the network protocol level at which there's no distinction between malicious and non-malicious impersonation.

> your solution only stops attackers who want to make it look like you're interacting with the real site, not one who merely wishes to steal your data. In that case they don't have to talk to the real wells-fargo website :)

So there are several issues here, and they all have to be right for everybody to obtain that elusive security.

I believe you're referring to a phishing attack, where the bad guy impersonates the site to the user generally in order to trick the user into disclosing their login credentials.

A. The site must authenticate the user.

This nearly always revolves around a password (with sometimes a few other factors thrown in for good measure). The password is something the user is expected to keep totally secret, except when he is required, on demand, to transmit it securely to the legitimate site. Which means in order for this authentication to be secure ...

B. The user must reliably authenticate the site.

This is quite a challenge for anyone, let alone the non-expert user. The identity the user has in mind is something like "The Wells Fargo website where I access my online banking". If the user hovers the mouse in Firefox, what they see in the absence of an attacker is:

    You are connected to
    wellsfargo.com
    which is run by
    (unknown)
    Verified by: VeriSign Trust Network
    [lock icon] Your connection to this website is encrypted to prevent eavesdropping.
    [More information...]

    Website Identity
    Website: www.wellsfargo.com
    Owner: This website does not supply ownership information.
    Verified by VeriSign Trust Network
    [blah blah]
    Technical Details
    Connection Encrypted: High-grade Encryption (RC4, 128 bit keys)
    [blah blah]
    It is therefore very unlikely that anyone read this page as it traveled across the network.

What they see in the presence of an attacker is:

    You are connected to
    wel1sfargo.com
    which is run by
    (unknown)
    Verified by: IntegriTrust Trust Network
    [lock icon] Your connection to this website is encrypted to prevent eavesdropping.
    [More information...]

    Website Identity
    Website: www.wel1sfargo.com
    Owner: This website does not supply ownership information.
    Verified by IntegriTrust Trust Network
    [blah blah]
    Technical Details
    Connection Encrypted: High-grade Encryption (RC4, 128 bit keys)
    [blah blah]
    It is therefore very unlikely that anyone read this page as it traveled across the network.

Obviously this is going to be a challenge. (Hint: look closely at the ells in 'wells'.) At first glance, this issue would appear to be a problem at a higher level than TLS can help with, because TLS just authenticates short strings (like hostnames) against x509 certificates.

Assuming the username/password box on their home page does what it says, Wells Fargo is not authenticating their user to modern cryptographic standards. Instead they are using plaintext passwords, which are forwardable, replayable, low-entropy credentials. In fact, the security of the system the bank deployed relies on the bank customers to perform the cryptographic authentication! How messed up is that?

So this raises another principle:

C. The site-to-user authentication and user-to-site authentications should be cryptographically bound to provide true mutual authentication rather than two independent bidirectional authentications.

With mutual authentication, the legitimate site that issued the client credentials has the ability to prove the absence of a MitM. Bidirectional authentication tends to have failure modes that true mutual authentication does not, and phishing for passwords is probably a good example.

So if the online banking site required TLS client authentication with smart cards with on-chip RSA, the situation would be much different. A MitM who succeeded in impersonating the site to the user would be unable to replay or forward the user's credentials. In theory, the user could not be socially engineered out of his credentials (short of physically handing over his smart card).

Now of course client certs and smart cards don't solve every problem and certainly more than one once-starry-eyed organization ends up wishing they'd never heard of them (*cough* DigiNotar
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sun, 12 Feb 2012, Jeffrey Walton wrote:
> (2) Did the other end of the SSL/TLS tunnel also agree to be monitored?

Ding! Yes, that is the key - and was the key the first time we visited this subject a few months ago.

When all is said and done, and Jane Doe cube peasant signs away her life, and the browsers all look the other way and every CA is doing it ... after all of that, does Wells Fargo actually consent to your bullshit Fortune 30,000 firm monitoring their online banking ? I'll bet not. How about eftps.gov ? How about dmv.ca.gov ?

There are two sides to an SSL transaction ...
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 02/25/2012 05:55 PM, John Case wrote:
> When all is said and done, and Jane Doe cube peasant signs away her life, and the browsers all look the other way and every CA is doing it ... after all of that, does Wells Fargo actually consent to your bullshit Fortune 30,000 firm monitoring their online banking ? I'll bet not. How about eftps.gov ? How about dmv.ca.gov ?
>
> There are two sides to an SSL transaction ...

I agree with that sentiment.

Still it might be worth pointing out that if Wells Fargo really wanted to forbid a Trustwave network-level MitM, SSL/TLS provides the capability to enforce that policy at the protocol level. They could configure their web app to require a client cert (either installed in the browser or from a smart card).

Would it be free? No.
Would it work in every situation on every weird device anyone ever wanted to use? No.
Would it protect from malware on the client system? No.
Would it be less convenient for everyone? Yes.

But there are some pretty large deployments out there, which proves that it is at least possible. B2b and embedded protocols use client certs all the time. If they were more widely used, they would certainly get easier to deploy.

So if there are actually effective ways that a web site could disable Trustwave-style MitM, and the site elects not to deploy them for reasons that are essentially just cost and convenience, someone might make the argument that it represents tacit approval. I don't think I would try to make that argument in the current web environment today. But maybe we'll see it being made by someone at some point in the future?

- Marsh
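The protocol-level enforcement Marsh proposes here, and the detail from his later replies that a relaying MitM never holds the customer's key and so can at best skip the client cert, can be watched end to end in Go. This is an added example, not code from the thread or from any bank: it builds a throwaway PKI in memory (the names bank.example, "Bank Root CA" and "Corporate Interception CA" are constructed), uses Ed25519 in place of the smart card's on-chip RSA, and probes a server configured with RequireAndVerifyClientCert as the genuine customer, as a peer with no client cert, and as a peer whose client cert was minted by the unrelated interception CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // setup failures in this in-memory demo PKI are fatal
	}
}

// issue mints a certificate for cn signed by parent (nil parent: self-signed root CA).
// Ed25519 stands in for the smart card's on-chip key; every name here is constructed.
func issue(cn string, san []string, eku []x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: san,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, ExtKeyUsage: eku,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signKey := tmpl, any(key)
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve starts the "bank" listener. RequireAndVerifyClientCert completes the handshake only
// for a peer proving possession of a key whose certificate chains to ClientCAs; the first
// Write runs that handshake, so a rejected peer receives a TLS alert and never sees "ok".
func serve(cfg *tls.Config) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); fmt.Fprintln(c, "ok") }(c)
		}
	}()
	return ln.Addr().String()
}

// probe connects with cfg and returns nil only if the bank answered "ok". The read matters:
// in TLS 1.3 the client finishes its handshake before the server has checked the client
// certificate, so a rejection surfaces as an alert on the first read, not as a Dial error.
func probe(addr string, cfg *tls.Config) error {
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	var buf [8]byte
	n, err := c.Read(buf[:])
	if err == nil && string(buf[:n]) != "ok\n" {
		err = fmt.Errorf("unexpected reply %q", buf[:n])
	}
	return err
}

// RunScenarios builds a bank PKI plus an unrelated "corporate interception" CA and reports
// how the bank treats the genuine customer, a peer with no client certificate (all a relaying
// MitM can offer, since it never holds the customer's private key), and a peer whose client
// certificate was minted by the other CA, which the bank's ClientCAs does not contain.
func RunScenarios() (honest, noClientCert, otherCAClientCert error) {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	bankCA := issue("Bank Root CA", nil, nil, nil)
	bank := issue("bank.example", []string{"bank.example"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &bankCA)
	customer := issue("customer smart card", nil, clientAuth, &bankCA)
	corpCA := issue("Corporate Interception CA", nil, nil, nil)
	corpCustomer := issue("customer smart card", nil, clientAuth, &corpCA)
	bankPool := x509.NewCertPool()
	bankPool.AddCert(bankCA.Leaf)
	addr := serve(&tls.Config{Certificates: []tls.Certificate{bank},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: bankPool})
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: bankPool, ServerName: "bank.example", Certificates: certs}
	}
	return probe(addr, client(customer)), probe(addr, client()), probe(addr, client(corpCustomer))
}

func main() {
	honest, noCert, otherCA := RunScenarios()
	fmt.Printf("genuine key: %v\nno client cert: %v\nother-CA client cert: %v\n", honest, noCert, otherCA)
}
```

The first probe returns nil while the other two return the error carried by the bank's TLS alert; the interception CA could impersonate the bank to a browser that trusts it, but it cannot impersonate the customer to the bank.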
Re: [cryptography] trustwave admits issuing corporate mitm certs
Mozilla has issued a statement about MITM certs:

https://blog.mozilla.com/security/2012/02/17/message-to-certificate-authorities-about-subordinate-cas/

(Ack: Paul Hoffman posted this link to g+)
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Wed, Feb 15, 2012 at 12:49 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin s...@cs.columbia.edu wrote:
>> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>>> [Jeffrey Walton noloa...@gmail.com (2012-02-12 10:57:02 UTC)]
>>>> (1) How can a company actively attack a secure channel and tamper with communications if there are federal laws prohibiting it?
>>>
>>> IANAL, as they say, but I guess they are acting under the presumption that any communication originating in the company's own is the company's own communication, and so they can do anything they please with it. It could be argued that the notion of tampering with your own communications doesn't make sense, and so there is no breach of federal law.
>>>
>>> I am not defending the above interpretation, nor am I saying for sure that it holds water. But I think it is a reasonable guess, at least that the company's lawyers will use arguments along those lines (albeit argued in more legalese terms) if they had to defend this practice.
>>
>> Although I'm not a lawyer, I've worked with a number of lawyers on the wiretap act, and have been studying it for close to 20 years. I do not see any criminal violation.

Nor do I. If anything, I think this would be a civil matter.

>> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices if "design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications". Is a private key or certificate a device? Not as I read 18 USC 2510(5) (http://www.law.cornell.edu/uscode/text/18/2510). Paragraph (12) of that section would seem to say that intra-company wires aren't covered. But a better explanation of that can be found in Ruel Torres Hernandez, "ECPA and online computer privacy", Federal Communications Law Journal, 41(1):17–41, November 1988. He not only concluded that the ECPA did not bar a company from monitoring his own devices, he quoted a participant in the law's drafting process as saying that that was by intent.
>>
>> California law bars employers from monitoring employee phone calls, but in 1991 a court there explicitly ruled that monitoring email was permissible -- or rather, that it wasn't barred by a statute that only spoke of phone calls.
>
> I looked at the cited cases. As a layman, I'm not contesting the fact that an employer has a right to monitor its employees, and I understand why some of the plaintiff positions were indefensible in civil court. I'm talking about violation of US Code and criminal cases.
>
> Remember, a lot of these corporations wanted harsh regulations for folks breaking into their [insecure] networks. Obviously, they don't want to eat their own dog food. But some of this stuff is sufficiently broad so that their actions are criminal despite their intentions or desires.

I'd agree that their actions are immoral / unethical, but that doesn't make their actions criminal, especially if their users consent to monitoring of all company computer and network usage. And, the AUPs that I've seen at all the companies that I've worked for as both employee and contractor all make you sign those...otherwise, you won't be collecting a pay check. If the company did not inform the employees that they were being monitored, then _perhaps_ a criminal case might be made based on illegal wire tap statutes, but I do not have enough knowledge to judge that. As they say, IANAL.

> Whether they like it or not (or agree or disagree), they were only authorized to transmit traffic.

Perhaps, if you are talking about someone who is merely acting in the role of provider / carrier of services, but I thought this discussion was about employee / employer relationships. Maybe I'm misunderstanding something that you are trying to communicate.

> Here, I speak of the communications between two parties - A and B. When they peeled away SSL/TLS, they exceeded their authorization. Even if party A agreed to be monitored, I doubt party B also agreed 'a priori,' especially if party B did not reside on the same corporate network. Hence a criminal violation of federal code.

In some states, both parties do not need to be informed that they are being monitored...only one of the parties needs to be aware. However, regardless of that, I don't see how this is any different in principle if a company decided to install a keystroke logger on your company PC and take a constant video of your screen? Is that illegal? Probably not if the employees consent to it. How about if I monitor your network traffic by decrypting your SSL connection at your PC's endpoint by some SSL DLL that would leak the SSL master key and record that and the SSL keystream to some central server? Again, I think that would only be illegal if employees did not consent to monitoring.

That said, I do think that companies may be in trial from a civil suit perspective, especially if it had been widely known that
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 2/13/12 3:43 PM, d...@geer.org wrote:
> Two refs, one confirmed, one hearsay
>
> 1. J. Beeson, CISO, GE Capital has a standard stump speech, "I don't buy your shoes, why should I buy your computer?"
>
> 2. Sec. Napolitano is said to have bought the iPad she is regularly seen with using her own money.

The latter is actually a fairly long-standing practice in Congress, going back to the '90s. My member was probably the first carrying around her own (Mac) laptop. Because of various ethics rules, to use the same device for campaign and office and personal, she was required to buy it herself.

Because of the lack of cooperation between providers, it gave folks some headaches -- offices were required to contract out the IT to one of several approved 3rd parties, yet the House administration ran the internal network itself, and campaign was an entirely different entity. Essentially, each office was operated as a separate corporation. (This was before widespread shared WiFi.) Once it became obvious the Republicans in control were intercepting email carried over the administrative network between offices, everything had to run over VPN. But after they worked it out, it became fairly standard, at least on the Democratic side of the aisle.

Cell phones, on the other hand, never quite managed. She had to carry two all the time, one for campaign and personal and one for official business.
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin s...@cs.columbia.edu wrote:
> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>> [Jeffrey Walton noloa...@gmail.com (2012-02-12 10:57:02 UTC)]
>>> (1) How can a company actively attack a secure channel and tamper with communications if there are federal laws prohibiting it?
>>
>> IANAL, as they say, but I guess they are acting under the presumption that any communication originating in the company's own is the company's own communication, and so they can do anything they please with it. It could be argued that the notion of tampering with your own communications doesn't make sense, and so there is no breach of federal law.
>>
>> I am not defending the above interpretation, nor am I saying for sure that it holds water. But I think it is a reasonable guess, at least that the company's lawyers will use arguments along those lines (albeit argued in more legalese terms) if they had to defend this practice.
>
> Although I'm not a lawyer, I've worked with a number of lawyers on the wiretap act, and have been studying it for close to 20 years. I do not see any criminal violation.
>
> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices if "design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications". Is a private key or certificate a device? Not as I read 18 USC 2510(5) (http://www.law.cornell.edu/uscode/text/18/2510). Paragraph (12) of that section would seem to say that intra-company wires aren't covered. But a better explanation of that can be found in Ruel Torres Hernandez, "ECPA and online computer privacy", Federal Communications Law Journal, 41(1):17–41, November 1988. He not only concluded that the ECPA did not bar a company from monitoring his own devices, he quoted a participant in the law's drafting process as saying that that was by intent.
>
> California law bars employers from monitoring employee phone calls, but in 1991 a court there explicitly ruled that monitoring email was permissible -- or rather, that it wasn't barred by a statute that only spoke of phone calls.

I looked at the cited cases. As a layman, I'm not contesting the fact that an employer has a right to monitor its employees, and I understand why some of the plaintiff positions were indefensible in civil court. I'm talking about violation of US Code and criminal cases.

Remember, a lot of these corporations wanted harsh regulations for folks breaking into their [insecure] networks. Obviously, they don't want to eat their own dog food. But some of this stuff is sufficiently broad so that their actions are criminal despite their intentions or desires. Whether they like it or not (or agree or disagree), they were only authorized to transmit traffic.

Here, I speak of the communications between two parties - A and B. When they peeled away SSL/TLS, they exceeded their authorization. Even if party A agreed to be monitored, I doubt party B also agreed 'a priori,' especially if party B did not reside on the same corporate network. Hence a criminal violation of federal code.

Anyway, that's how I learned to interpret these things when studying for my LSATs (the LSATs were an annoying logic game of contrived scenarios). And I know LSAT study guides and practice tests are a far cry from the real world, where an afternoon of golf can fix a lot of problems.

Jeff
Re: [cryptography] trustwave admits issuing corporate mitm certs
While I'm not a lawyer and my opinion is in no way authoritative, I do not believe there is any violation. They may be an accessory to a potential crime but they themselves did not do the tapping.

Now on the other hand those companies that did the tapping should be OK for as long as they are clear with the employees that they cannot expect privacy, which usually is the case. Usually this is in the paperwork you sign when you start working there in the section privacy policy.

KTT

On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back a...@cypherspace.org wrote:
>> So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>
>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>
>> mozilla is threatening to remove the CA from their browser. Trustwave says they have/will revoke all these sub-CAs and will not issue any more. They also claim in their defense that other CAs are doing this.
>
> Evading computer security systems and tampering with communications is a violation of federal law in the US. So says the US Attorney General in New Jersey when he charged Wiseguys Tickets with gaming the TicketMaster systems [1,2]. If the Attorney General is to be believed, Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>
> Jeff
>
> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
> [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov mailli...@krassi.biz wrote:
> While I'm not a lawyer and my opinion is in no way authoritative, I do not believe there is any violation. They may be an accessory to a potential crime but they themselves did not do the tapping.
>
> Now on the other hand those companies that did the tapping should be OK for as long as they are clear with the employees that they cannot expect privacy, which usually is the case. Usually this is in the paperwork you sign when you start working there in the section privacy policy.

Two questions:

(1) How can a company actively attack a secure channel and tamper with communications if there are federal laws prohibiting it? It seems to me they can only take the role of passive adversaries and still comply with US law.

(2) Did the other end of the SSL/TLS tunnel also agree to be monitored?

Jeff

> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back a...@cypherspace.org wrote:
>>> So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>>
>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>>
>>> mozilla is threatening to remove the CA from their browser. Trustwave says they have/will revoke all these sub-CAs and will not issue any more. They also claim in their defense that other CAs are doing this.
>>
>> Evading computer security systems and tampering with communications is a violation of federal law in the US. So says the US Attorney General in New Jersey when he charged Wiseguys Tickets with gaming the TicketMaster systems [1,2]. If the Attorney General is to be believed, Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>>
>> Jeff
>>
>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>> [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov mailli...@krassi.biz wrote:
> While I'm not a lawyer and my opinion is in no way authoritative, I do not believe there is any violation. They may be an accessory to a potential crime, but they themselves did not do the tapping.

I think it's a bit broader than an accessory since they knew what the company wanted to do. Trustwave was onsite and set the system up - they were clearly a co-conspirator. They even bragged about how ethical it was because they used an HSM.

Jeff

> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
> > On Sun, Feb 12, 2012 at 4:04 AM, Adam Back a...@cypherspace.org wrote:
> > > So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
> > >
> > > http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
> > >
> > > Mozilla is threatening to remove the CA from their browser. Trustwave says they have/will revoke all these sub-CAs and will not issue any more. They also claim in their defense that other CAs are doing this.
> >
> > Evading computer security systems and tampering with communications is a violation of federal law in the US. So says the US Attorney General in New Jersey when he charged Wiseguys Tickets with gaming the TicketMaster systems [1,2]. If the Attorney General is to be believed, Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
> >
> > Jeff
> >
> > [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
> > [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
Re: [cryptography] trustwave admits issuing corporate mitm certs
Again, I'm not a lawyer, but if somebody legally purchases a gun from you for a legitimate purpose and then abuses it, you are not liable (US context here). The same way, if somebody purchases this cert to monitor their employees for data exfiltration (a perfectly good reason, if specified in the privacy policy), then they are being totally legal. You have no way of knowing if they abuse the certificate to tap their neighbors, for example.

No on the USC items that were mentioned. They are about exceeding access, etc. They would not be exceeding access if it is in the privacy policy that they can monitor you for X activity.

Best,
Krassimir

On Sun, Feb 12, 2012 at 3:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov mailli...@krassi.biz wrote:
> > While I'm not a lawyer and my opinion is in no way authoritative, I do not believe there is any violation. They may be an accessory to a potential crime, but they themselves did not do the tapping.
>
> I think it's a bit broader than an accessory since they knew what the company wanted to do. Trustwave was onsite and set the system up - they were clearly a co-conspirator. They even bragged about how ethical it was because they used an HSM.
>
> Jeff
>
> > On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
> > > On Sun, Feb 12, 2012 at 4:04 AM, Adam Back a...@cypherspace.org wrote:
> > > > So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
> > > >
> > > > http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
> > > >
> > > > Mozilla is threatening to remove the CA from their browser. Trustwave says they have/will revoke all these sub-CAs and will not issue any more. They also claim in their defense that other CAs are doing this.
> > >
> > > Evading computer security systems and tampering with communications is a violation of federal law in the US. So says the US Attorney General in New Jersey when he charged Wiseguys Tickets with gaming the TicketMaster systems [1,2]. If the Attorney General is to be believed, Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
> > >
> > > Jeff
> > >
> > > [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
> > > [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sun, 12 Feb 2012 05:57:02 -0500 Jeffrey Walton noloa...@gmail.com wrote:
> On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov mailli...@krassi.biz wrote:
> > While I'm not a lawyer and my opinion is in no way authoritative, I do not believe there is any violation. They may be an accessory to a potential crime, but they themselves did not do the tapping.
> >
> > Now on the other hand, those companies that did the tapping should be OK for as long as they are clear with the employees that they cannot expect privacy, which usually is the case. Usually this is in the paperwork you sign when you start working there, in the privacy policy section.
>
> Two questions:
>
> (1) How can a company actively attack a secure channel and tamper with communications if there are federal laws prohibiting it? It seems to me they can only take the role of passive adversaries and still comply with US law.

Plenty of companies install monitoring software on their employees' workstations and listen to employee phone calls, which is generally legal:

https://www.privacyrights.org/fs/fs7-work.htm

> (2) Did the other end of the SSL/TLS tunnel also agree to be monitored?

Does that matter?

-- Ben

--
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell
Re: [cryptography] trustwave admits issuing corporate mitm certs
> > They also claim in their defense that other CAs are doing this.
>
> Evading computer security systems and tampering with communications is a violation of federal law in the US.

As the article made quite clear, this particular cert was used to monitor traffic on the customer's own network, which is 100% legal absent some contractual agreement with the customers not to do that. (In which case it would still be a tort, not a crime.)

It's not like the Ticketmaster case, where the guy was outside Ticketmaster's network, effectively breaking in to trick them into selling him tickets that they didn't want to sell him.

I'm not arguing that MITM certificates are a good idea, but they're not illegal until someone uses them to do something illegal, and I don't see that here.

R's,
John
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 02/12/2012 10:24 AM, John Levine wrote:
> > > They also claim in their defense that other CAs are doing this.
> >
> > Evading computer security systems and tampering with communications is a violation of federal law in the US.
>
> As the article made quite clear, this particular cert was used to monitor traffic on the customer's own network, which is 100% legal absent some contractual agreement with the customers not to do that.

IANAL by any stretch, but it seems to me that to say something is 100% legal is usually a bit of an overstatement.

For example, I knew someone who audited network monitoring equipment for a retail chain that (as many do) issued credit cards. They were able to monitor all kinds of traffic in and out of their network, *except* when an employee went to check the balance on their own cards. One could imagine all kinds of other protected communication that might happen in an employment scenario.

What happens if the interception device gets hacked? Even if the keys remain in some HSM, the attacker could compromise any machine on the inside and route traffic through it. By observing the log messages (as Telecomix did on Syria's BlueCoats) he may successfully decrypt some or all of the traffic. So even if we assume they are intended to be used for good, the existence of these MitM certs diminishes the effective security of SSL/TLS for everyone.

As I see it, this could turn into an epic legal meltdown if, say, the widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit against the companies making interception equipment (or even browser vendors like Mozilla). These vendors CAs could be in a bad spot if they made public statements that turned out to be contradictory to their actual practice.

- Marsh
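Marsh's point that a root-issued sub-CA weakens TLS for everyone, not just for the network it was bought for, can be shown directly: a leaf minted by such a sub-CA for any hostname passes ordinary chain validation exactly like the genuine one, and only a client that pins the site's public key can tell them apart. The Go program below is an added illustration, not code from this thread or from any of the parties named in it; the four certificates, the hostname bank.example and the CA names are constructed for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// tmpl is a minimal template; DNSNames is what a browser matches the URL's host against.
func tmpl(serial int64, cn string, ca bool, dns ...string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
	}
}

// sign issues t for subject's key under parent (nil means self-signed), signed with issuer's key.
func sign(t, parent *x509.Certificate, subject, issuer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &subject.PublicKey, issuer))
	return must(x509.ParseCertificate(der))
}

// Constructed scenario: one trusted root, the bank's genuine leaf, a corporate MitM
// sub-CA issued by that same root, and the bank.example leaf the sub-CA forges.
var (
	rootKey, bankKey, mitmKey, fakeKey = genKey(), genKey(), genKey(), genKey()
	root                               = sign(tmpl(1, "Trusted Root CA", true), nil, rootKey, rootKey)
	bank                               = sign(tmpl(2, "bank.example", false, "bank.example"), root, bankKey, rootKey)
	mitm                               = sign(tmpl(3, "Corporate MitM sub-CA", true), root, mitmKey, rootKey)
	fake                               = sign(tmpl(4, "bank.example", false, "bank.example"), mitm, fakeKey, mitmKey)
)

// chainAccepted is the browser's check: a path from leaf to the trusted root that is valid for
// host. The sub-CA sits in the intermediate pool because the interception box sends it in the handshake.
func chainAccepted(leaf *x509.Certificate, host string) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(mitm)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo (an HPKP-style pin): the sub-CA can forge
// the name but not the bank's key, so a client that pins the key still rejects the forged leaf.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
```

In a real deployment the pin would be stored hex- or base64-encoded in the client's configuration and compared against every leaf it sees; the point here is only that chain validation alone cannot distinguish the two.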
Re: [cryptography] trustwave admits issuing corporate mitm certs
On 13/02/12 10:53 AM, Marsh Ray wrote:
> On 02/12/2012 10:24 AM, John Levine wrote:
> > > > They also claim in their defense that other CAs are doing this.
> > >
> > > Evading computer security systems and tampering with communications is a violation of federal law in the US.
> >
> > As the article made quite clear, this particular cert was used to monitor traffic on the customer's own network, which is 100% legal absent some contractual agreement with the customers not to do that.
>
> IANAL by any stretch, but it seems to me that to say something is 100% legal is usually a bit of an overstatement.
>
> For example, I knew someone who audited network monitoring equipment for a retail chain that (as many do) issued credit cards. They were able to monitor all kinds of traffic in and out of their network, *except* when an employee went to check the balance on their own cards. One could imagine all kinds of other protected communication that might happen in an employment scenario.

From a tactical legal point of view, I've come around to Marsh's original claim that there is enough wiggle room in the policy such that they can sneak through. The policies typically require ownership or control to be established. Control can be established over another person's domain simply by fiat - in my house, all your domains are under my control.

One might be somewhat jaundiced about claiming the All Your Base defence, but I reckon a good fight could be made in court over it. Which tactically is enough, as this will be settled.

> What happens if the interception device gets hacked? Even if the keys remain in some HSM, the attacker could compromise any machine on the inside and route traffic through it. By observing the log messages (as Telecomix did on Syria's BlueCoats) he may successfully decrypt some or all of the traffic. So even if we assume they are intended to be used for good, the existence of these MitM certs diminishes the effective security of SSL/TLS for everyone.

That all above is what CAs are about. And the standard answer to that is audit. Which they did. (I'm not saying the answer is satisfactory, but the context and response remains the same as far as I can see.)

> As I see it, this could turn into an epic legal meltdown if, say, the widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit against the companies making interception equipment (or even browser vendors like Mozilla). These vendors CAs could be in a bad spot if they made public statements that turned out to be contradictory to their actual practice.

Yeah, this is where statements start turning out to be false or at least untenable in company with trust. Or as I put it, the jaws of trust just snapped shut:

http://financialcryptography.com/mt/archives/001359.html

iang
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov mailli...@krassi.biz wrote:
> I agree, I'm just reflecting on the reality... :(

Reality is actually as I described, at least for some shops that I'm familiar with.
Re: [cryptography] trustwave admits issuing corporate mitm certs
On Feb 12, 2012, at 10:26:46 PM, Nico Williams wrote:
> On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov mailli...@krassi.biz wrote:
> > I agree, I'm just reflecting on the reality... :(
>
> Reality is actually as I described, at least for some shops that I'm familiar with.

The trend is the other way, towards allowing (and even encouraging) employee-owned devices. If nothing else, it saves the company money. It also lets you get more work out of employees if they can deal with management requests from their personal iToys or Andtoys. The trick is to manage this behavior; banning it tends to be futile.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: [cryptography] trustwave admits issuing corporate mitm certs
I'm sure the trend is currently the other way, yes, but with low-cost high-bandwidth wireless becoming more common it doesn't really matter, does it? And it all depends on the organization and its risk-taking profile.

But to bring this back on topic: I'd rather see draconian corporate network access rules than MITMing CAs.

Nico