On 2013-09-09, at 12:04, "Salz, Rich" <rs...@akamai.com> wrote:

> ➢  then maybe it's not such a "silly accusation" to think that root CAs are 
> routinely distributed to multinational secret
> ➢  services to perform MITM session decryption on any form of communication 
> that derives its security from the CA PKI.
> 
> How would this work, in practice?

Suppose Mallory has access to the private keys of CAs which are in "the" 
browser list or otherwise widely-trusted.

An on-path attack between Alice and Bob would allow Mallory to terminate 
Alice's TLS connection, presenting an opportunistically-generated server-side 
certificate with signatures that allow it to be trusted by Alice without 
pop-ups and warnings. Instantiating a corresponding session with Bob and ALGing 
the plaintext through with interception is then straightforward.

This would be detectable by Bob by the visible client address, but that could 
be obfuscated (Mallory could exit the session through something tor-like, for 
example, to avoid advertising their topological location; this would just make 
it look like Alice is using tor).

In the case where Alice is presenting a certificate specifically trusted by 
Bob, this wouldn't work so well. But my observation is that many TLS-protected 
streams used by consumers don't use client certificate authentication.

As an aside, I see CAs with Chinese organisation names in my browser list. I 
don't know how to distinguish between enterprises and government from this side 
of the Pacific (so, presumably, assume they are all government). I had always 
assumed that this was already happening at the Great Firewall, as a working 
example of government-sponsored TLS interception with no requirement for 
expensive crunching of large integers.


Joe
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Reply via email to