Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-17 Thread Sean Donelan

On Sun, 13 Mar 2022, Carsten Bormann wrote:

> Oh.
> Your message started insightful.
> Now you are back to binary authorization, just with a jurisdiction parameter
> going in.


Public CAs are third-party introducers.  It's like a friend of a friend of 
a friend sets you up on a blind date.  Your friend's friend's friend may 
mean well, but you shouldn't rely on them for authentication or 
authorization of the trustworthiness of the person on the date.


Just read the disclaimers of liability in every public CA statement of 
practices. The CA's 'customer' is the purchaser of the certificate, not an 
end-user.


Private CAs are a different matter.  Sometimes (frequently) people confuse 
their relationships between public CAs versus private CAs. Admittedly 
public CA marketing departments encourage that confusion. The legal folks 
call it "puffery."


Netscape's original engineering goal was convincing the public it was 
safe to use credit cards for ecommerce sites on the mid-1990s Internet.
If you saw a padlock icon it was "safe" to enter your credit card number. Of 
course, people immediately started putting padlock icons on web pages :-(


Authentication/authorization about an end-user's relationship with a 
public CA is mostly mumbo-jumbo.  The public also gets confused by the 
role of notary publics, bearer instruments, cashiers cheques, 
pen-and-paper signatures, and old-fashioned wax seals. Con artists have 
taken advantage of that misplaced trust for hundreds of years.




Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-14 Thread Mu
>Mozilla is the only browser vendor these days that maintains its own 
>independent root CA storage for the browser. Chrome, Chromium, Safari, Edge, 
>IE etc all use whatever root CAs are trusted by the operating system. If they 
>can get Windows 10 client PCs pushed to retail with an image that includes 
>their CA...

Google Chrome has its own root program, and all vendors have been reliant on 
Mozilla's setup for some time. They don't just blindly trust the OS.

--- Original Message ---
On Friday, March 11th, 2022 at 1:34 PM, Eric Kuhnke  
wrote:

> Considering that 99% of non-technical end users of windows, macos, android, 
> ios client devices have no idea what a root CA is, if an authoritarian regime 
> can mandate the installation of a government-run root CA in the operating 
> system CA trust store of all new devices sold at retail, as equipment is 
> discarded/upgraded/replaced incrementally over a period of years, they could 
> eventually have the capability of MITM of a significant portion of traffic.
>
> Presumably with Apple ending shipment of new MacOS devices to Russia and 
> retail sales of new devices, this wouldn't be so much of an issue with MacOS. 
> The process of re-imaging a modified MacOS install .DMG onto a "blank" 
> macbook air or similar with a new root CA included would be non trivial, and 
> hopefully might be impossible due to crypto signature required for a legit 
> MacOS bootable install image.
>
> Mozilla is the only browser vendor these days that maintains its own 
> independent root CA storage for the browser. Chrome, Chromium, Safari, Edge, 
> IE etc all use whatever root CAs are trusted by the operating system. If they 
> can get Windows 10 client PCs pushed to retail with an image that includes 
> their CA...
>
> On Thu, 10 Mar 2022 at 18:27, Dario Ciccarone (dciccaro) via NANOG 
>  wrote:
>
>> I think the point Eric was trying to make is that while, indeed, the 
>> initial, stated goal might be to be able to issue certificates to replace 
>> those expired or expiring, there's just a jump/skip/hop to force 
>> installation of this root CA certificate in all browsers, or for Russia to 
>> block downloads of Firefox/Chrome from outside the Federation, and instead 
>> distribute versions which would already include this CA's certificate. And 
>> then MITM the whole population without their knowledge or approval.
>>
>> GIVEN: savvy users might know how to delete the certificate, or others may 
>> teach them how, and how to download other CA's certificates (if the 
>> government was to ship only this certificate with the browser). Cat and 
>> mouse game. The North Korean and Chinese governments have been doing these 
>> kind of shenanigans for a long time - I am sure Russia could copy their 
>> model. And considering the tight media control they’re already exercising, I 
>> don't think it is crazy or paranoid to think Internet will be next. They 
>> seem to be already going down that path.
>>
>> PS: opinions and statements, like the above, are my very own personal take 
>> or opinion. Nothing I say should be interpreted to be my employer's 
>> position, nor be supported by my employer.
>>
>> On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan" 
>>  
>> wrote:
>>
>> On Thu, 10 Mar 2022, Eric Kuhnke wrote:
>>> I think we'll see a lot more of this from authoritarian regimes in the
>>> future. For anyone unfamiliar with their existing distributed DPI
>>> architecture, google "Russia SORM".
>>
>> Many nations have a government CA.
>>
>> The United States Government has its Federal Public Key Infrastructure,
>> and Federal Bridge CA.
>>
>> https://playbooks.idmanagement.gov/fpki/ca/
>>
>> If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your
>> computer needs to have the FPKI CA's. You don't need the FPKI CA's for
>> other purposes.
>>
>> Some countries CA's issue for citizen and business certificates.
>>
>> While X509 allows you to specify different CA's for different purposes,
>> since the days of Netscape, browsers trust hundreds of root or bridged CA
>> in its trust repository for anything.
>>
>> Neither commercial nor government CA's are inherently more (or less)
>> trustworthy. There has been trouble with CA's of all types.
>>
>> An X509 certificate is a big integer number, in a fancy wrapper. It's not a
>> magical object.

Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-13 Thread Miles Fidelman

Masataka Ohta wrote:
> Sean Donelan wrote:
>> You'll notice there still isn't a CA trust list for use in the USG :-)


Wait one... so who issues all the certificates for DoD CAC cards?

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra

Theory is when you know everything but nothing works.
Practice is when everything works but no one knows why.
In our lab, theory and practice are combined:
nothing works and no one knows why.  ... unknown



Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-13 Thread Masataka Ohta

Sean Donelan wrote:


> You'll notice there still isn't a CA trust list for use in the USG :-)


It merely means that PKI does not have its own security and relies
on trust for all the CAs (not only the root ones), which means PKI
is as secure as the plain Internet, which is secure if all the ISPs
are TPPs (trusted third parties).

If you can assume all the CAs are TPPs, you can also assume all the
ISPs are TPPs.


> About 95% of the TLS certificates globally are ultimately signed by about
> six CA organizations depending how you track ownership. (I know,
> multiple "abouts" in that sentence).  The long tail of global business,
> means most operating systems ship (or after the installation autoupdate)
> with 100+ trusted certificate authorities by default.


The number of blindly trusted root CAs is irrelevant because PKI
with just one not-so-trustworthy root CA is bad enough.

PKI is just insecure.

Masataka Ohta


Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-13 Thread Carsten Bormann
On 2022-03-13, at 01:33, Sean Donelan  wrote:
> 
> It's not a question of whether you trust one CA (e.g. the Russian Ministry of 
> Digital Development CA), but whether everyone trusts all 100+ CA's in 
> universal trust stores to sign everything/anything.

Right.  Authorization is not a binary thing.
You don’t divide your world into the two classes “authorized” and 
“unauthorized”; you authorize for specific permissions.
Your house cleaners may get access to your home, but not to your bank account.

(I hear whispering: “Authorization?  I thought we were talking about 
authentication.”.
Yes.
But we authenticate to authorize, and while we are doing this, we authorize 
(“trust”) to authenticate.
We need to qualify this “trust” with what the resulting authorization can do.)

> Again, I understand why companies and open source projects don't want to 
> maintain different trust lists for different jurisdictions around the world. 
> Like other localization requirements (currency, date & time formats, 
> languages) maybe its time has come for localization requirements for TLS/SSL 
> trust lists?

Oh.  
Your message started insightful.  
Now you are back to binary authorization, just with a jurisdiction parameter 
going in.

Grüße, Carsten
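
The point in the message above, that a trust anchor can be authorized for specific names instead of for everything, as an added example that is not part of the thread. It compares the binary "is the root in the store" answer with a scoped decision that uses RFC 5280-style dNSName matching; the store contents, CA names, fingerprint placeholders and host names are all constructed.

```python
"""Scoped trust anchors: a CA is authorized for specific names, not everything.

Added illustration; store contents, names and fingerprints are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustAnchor:
    name: str
    fingerprint: str            # constructed placeholder, not a real hash
    permitted_dns: tuple = ()   # empty tuple = unconstrained ("universal") anchor


def within(name: str, base: str) -> bool:
    """dNSName constraint match in the RFC 5280 style: `name` satisfies `base`
    if it equals it or adds whole labels on the left. A wildcard SAN is judged
    by its parent domain, so it passes only if all it can match is in scope."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    base = base.lower().strip(".")
    return name == base or name.endswith("." + base)


def binary_decision(store: dict, issuer_fp: str) -> bool:
    """The universal-store question: is the issuing root present at all?"""
    return issuer_fp in store


def scoped_decision(store: dict, issuer_fp: str, san_names: list) -> tuple:
    """Return (accepted, reason). Every DNS name in the certificate must fall
    inside the scope granted to the anchor that the chain ends in."""
    anchor = store.get(issuer_fp)
    if anchor is None:
        return False, "issuer is not a trust anchor"
    if not san_names:
        return False, "certificate carries no DNS names"
    if not anchor.permitted_dns:
        return True, f"{anchor.name} is unconstrained"
    for name in san_names:
        if not any(within(name, base) for base in anchor.permitted_dns):
            return False, f"{name} is outside the scope of {anchor.name}"
    return True, f"all names within the scope of {anchor.name}"


# Constructed trust store, keyed by fingerprint placeholder.
GLOBAL_FP = "FP-GLOBAL-PLACEHOLDER"
NATIONAL_FP = "FP-NATIONAL-PLACEHOLDER"
STORE = {
    GLOBAL_FP: TrustAnchor("Example Global CA", GLOBAL_FP),
    NATIONAL_FP: TrustAnchor("Example National CA", NATIONAL_FP,
                             ("gov.example",)),
}

if __name__ == "__main__":
    cases = [
        (NATIONAL_FP, ["portal.gov.example"]),   # inside the granted scope
        (NATIONAL_FP, ["mail.bank.test"]),       # outside: binary says yes
        (NATIONAL_FP, ["notgov.example"]),       # suffix without label boundary
        (NATIONAL_FP, ["*.gov.example"]),        # wildcard inside scope
        (GLOBAL_FP, ["mail.bank.test"]),         # unconstrained anchor
    ]
    for fp, names in cases:
        ok, why = scoped_decision(STORE, fp, names)
        print(f"{names}: binary={binary_decision(STORE, fp)} "
              f"scoped={ok} ({why})")
```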



Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-12 Thread Sean Donelan



Likewise, my statements and opinions also do not represent any past, 
current or future employer.


While I understand the engineering and business reasons (fewer customer 
complaints and lawsuits), the underlying risk is due to the combined 
'universal trust root CA' store in most TLS/SSL software and vendors.


About 10 years ago, while working on federal network security I tried to a 
trust list for USG agency use on USG I.T. equipment. Commercial vendors 
have different business reasons than governments for including or not 
including particular CA's.  It was a deep rabbit hole, and I understand 
the details are much more complicated than this email can cover.


You'll notice there still isn't a CA trust list for use in the USG :-)


About 95% of the TLS certificates globally are ultimately signed by about
six CA organizations depending how you track ownership. (I know, multiple 
"abouts" in that sentence).  The long tail of global business, means most 
operating systems ship (or after the installation autoupdate) with 100+ 
trusted certificate authorities by default.


According to Wikipedia:
  "As of 24 August 2020, 147 root certificates, representing 52
  organizations, are trusted in the Mozilla Firefox web browser,[9] 168
  root certificates, representing 60 organizations, are trusted by
  macOS,[10] and 255 root certificates, representing 101 organizations,
  are trusted by Microsoft Windows.[11] As of Android 4.2 (Jelly Bean),
  Android currently contains over 100 CAs that are updated with each
  release.[12]"

Besides popular off-the-shelf systems, the rabbit hole goes even deeper 
with a dozen other CA trust lists needed for things like ePassports, 
trade and customs exchanges, pharma and medical, etc. And some widely 
used business software like Adobe and Oracle have their own trust lists.


If you are worried about a jump/skip/hop about authoritarian regimes 
gaining a foothold in TLS trust stores, that horse left the barn a long 
time ago.  Have you looked at the list of CA's included by default in 
major open source and commercial vendors' TLS trust stores? Now 
re-consider those 'universal' trust lists from the point of view of 194 
different countries around the world. Open source and commercial 
companies have been vulnerable to compromise too.


It's not a question of whether you trust one CA (e.g. the Russian Ministry 
of Digital Development CA), but whether everyone trusts all 100+ CA's in 
universal trust stores to sign everything/anything.


Again, I understand why companies and open source projects don't want to 
maintain different trust lists for different jurisdictions around the 
world.  Like other localization requirements (currency, date & time 
formats, languages) maybe its time has come for localization requirements 
for TLS/SSL trust lists?




On Fri, 11 Mar 2022, Dario Ciccarone (dciccaro) wrote:
> I think the point Eric was trying to make is that while, indeed, the
> initial, stated goal might be to be able to issue certificates to
> replace those expired or expiring, there's just a jump/skip/hop to
> force installation of this root CA certificate in all browsers, or for
> Russia to block downloads of Firefox/Chrome from outside the Federation,
> and instead distribute versions which would already include this CA's
> certificate. And then MITM the whole population without their knowledge
> or approval.


Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-11 Thread Eric Kuhnke
Clarification, Google Chrome has its own root CA revocation/CRL program. It
does still rely on the operating system root CA trust store.

Using a typical intranet/RFC1918 IP space environment as an example, as you
might see in any $BIGCORP, if you install your own choice of root CA in the
Windows 10 root CA trust store, Chrome's TLS1.2/TLS1.3 access to internal
resources that are https only will work flawlessly without any security
warnings. Very normal configuration these days. Used for things like DLP in
banking/corporate environments or places where the gateway between internal
IP space and the public world has a firewall in place with MITM ability for
all TLS traffic.

On any Windows 10 system with local admin privileges you can manually find
this by opening MMC, go to add/remove snap-ins, select the certificates
(local computer) snap-in, left side menu browse to trusted root
certificates.



On Fri, 11 Mar 2022 at 10:48, Mu  wrote:

> >Mozilla is the only browser vendor these days that maintains its own
> independent root CA storage for the browser. Chrome, Chromium, Safari,
> Edge, IE etc all use whatever root CAs are trusted by the operating system.
> If they can get Windows 10 client PCs pushed to retail with an image that
> includes their CA...
>
> Google Chrome has its own root program, and all vendors have been reliant
> on Mozilla's setup for some time. They don't just blindly trust the OS.
>
>
> --- Original Message ---
> On Friday, March 11th, 2022 at 1:34 PM, Eric Kuhnke 
> wrote:
>
> Considering that 99% of non-technical end users of windows, macos,
> android, ios client devices *have no idea what a root CA is,* if an
> authoritarian regime can mandate the installation of a government-run root
> CA in the operating system CA trust store of all new devices sold at
> retail, as equipment is discarded/upgraded/replaced incrementally over a
> period of years, they could eventually have the capability of MITM of a
> significant portion of traffic.
>
> Presumably with Apple ending shipment of new MacOS devices to Russia and
> retail sales of new devices, this wouldn't be so much of an issue with
> MacOS. The process of re-imaging a modified MacOS install .DMG onto a
> "blank" macbook air or similar with a new root CA included would be non
> trivial, and hopefully might be impossible due to crypto signature required
> for a legit MacOS bootable install image.
>
> Mozilla is the only browser vendor these days that maintains its own
> independent root CA storage for the browser. Chrome, Chromium, Safari, Edge,
> IE etc all use whatever root CAs are trusted by the operating system. If
> they can get Windows 10 client PCs pushed to retail with an image that
> includes their CA...
>
>
>
>
>
>
> On Thu, 10 Mar 2022 at 18:27, Dario Ciccarone (dciccaro) via NANOG <
> nanog@nanog.org> wrote:
>
>> I think the point Eric was trying to make is that while, indeed, the
>> initial, stated goal might be to be able to issue certificates to replace
>> those expired or expiring, there's just a jump/skip/hop to force
>> installation of this root CA certificate in all browsers, or for Russia to
>> block downloads of Firefox/Chrome from outside the Federation, and instead
>> distribute versions which would already include this CA's certificate. And
>> then MITM the whole population without their knowledge or approval.
>>
>> GIVEN: savvy users might know how to delete the certificate, or others
>> may teach them how, and how to download other CA's certificates (if the
>> government was to ship only this certificate with the browser). Cat and
>> mouse game. The North Korean and Chinese governments have been doing these
>> kind of shenanigans for a long time - I am sure Russia could copy their
>> model. And considering the tight media control they’re already exercising,
>> I don't think it is crazy or paranoid to think Internet will be next. They
>> seem to be already going down that path.
>>
>> PS: opinions and statements, like the above, are my very own personal
>> take or opinion. Nothing I say should be interpreted to be my employer's
>> position, nor be supported by my employer.
>>
>> On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan"
>> 
>> wrote:
>>
>> On Thu, 10 Mar 2022, Eric Kuhnke wrote:
>> > I think we'll see a lot more of this from authoritarian regimes in the
>> > future. For anyone unfamiliar with their existing distributed DPI
>> > architecture, google "Russia SORM".
>>
>> Many nations have a government CA.
>>
>> The United States Government has its Federal Public Key Infrastructure,
>> and Federal Bridge CA.
>>
>> https://playbooks.idmanagement.gov/fpki/ca/
>>
>> If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your
>> computer needs to have the FPKI CA's. You don't need the FPKI CA's for
>> other purposes.
>>
>> Some countries CA's issue for citizen and business certificates.
>>
>>
>> While X509 allows you to specify different CA's for different purposes,
>> since the da

Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-11 Thread Eric Kuhnke
Considering that 99% of non-technical end users of windows, macos, android,
ios client devices *have no idea what a root CA is,* if an authoritarian
regime can mandate the installation of a government-run root CA in the
operating system CA trust store of all new devices sold at retail, as
equipment is discarded/upgraded/replaced incrementally over a period of
years, they could eventually have the capability of MITM of a significant
portion of traffic.

Presumably with Apple ending shipment of new MacOS devices to Russia and
retail sales of new devices, this wouldn't be so much of an issue with
MacOS.  The process of re-imaging a modified MacOS install .DMG onto a
"blank" macbook air or similar with a new root CA included would be non
trivial, and hopefully might be impossible due to crypto signature required
for a legit MacOS bootable install image.

Mozilla is the only browser vendor these days that maintains its own
independent root CA storage for the browser. Chrome, Chromium, Safari, Edge,
IE etc all use whatever root CAs are trusted by the operating system. If
they can get Windows 10 client PCs pushed to retail with an image that
includes their CA...






On Thu, 10 Mar 2022 at 18:27, Dario Ciccarone (dciccaro) via NANOG <
nanog@nanog.org> wrote:

> I think the point Eric was trying to make is that while, indeed, the
> initial, stated goal might be to be able to issue certificates to replace
> those expired or expiring, there's just a jump/skip/hop to force
> installation of this root CA certificate in all browsers, or for Russia to
> block downloads of Firefox/Chrome from outside the Federation, and instead
> distribute versions which would already include this CA's certificate. And
> then MITM the whole population without their knowledge or approval.
>
> GIVEN: savvy users might know how to delete the certificate, or others may
> teach them how, and how to download other CA's certificates (if the
> government was to ship only this certificate with the browser). Cat and
> mouse game. The North Korean and Chinese governments have been doing these
> kind of shenanigans for a long time - I am sure Russia could copy their
> model. And considering the tight media control they’re already exercising,
> I don't think it is crazy or paranoid to think Internet will be next. They
> seem to be already going down that path.
>
> PS: opinions and statements, like the above, are my very own personal take
> or opinion. Nothing I say should be interpreted to be my employer's
> position, nor be supported by my employer.
>
> On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan"
> 
> wrote:
>
> On Thu, 10 Mar 2022, Eric Kuhnke wrote:
> > I think we'll see a lot more of this from authoritarian regimes in the
> > future. For anyone unfamiliar with their existing distributed DPI
> > architecture, google "Russia SORM".
>
> Many nations have a government CA.
>
> The United States Government has its Federal Public Key Infrastructure,
> and Federal Bridge CA.
>
> https://playbooks.idmanagement.gov/fpki/ca/
>
> If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your
> computer needs to have the FPKI CA's.  You don't need the FPKI CA's for
> other purposes.
>
> Some countries CA's issue for citizen and business certificates.
>
>
> While X509 allows you to specify different CA's for different purposes,
> since the days of Netscape, browsers trust hundreds of root or bridged CA
> in its trust repository for anything.
>
> Neither commercial nor government CA's are inherently more (or less)
> trustworthy.  There has been trouble with CA's of all types.
>
> An X509 certificate is a big integer number, in a fancy wrapper.  It's
> not a magical object.
>
>


Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-10 Thread Dario Ciccarone (dciccaro) via NANOG
I think the point Eric was trying to make is that while, indeed, the initial, 
stated goal might be to be able to issue certificates to replace those expired 
or expiring, there's just a jump/skip/hop to force installation of this root CA 
certificate in all browsers, or for Russia to block downloads of Firefox/Chrome 
from outside the Federation, and instead distribute versions which would 
already include this CA's certificate. And then MITM the whole population 
without their knowledge or approval.

GIVEN: savvy users might know how to delete the certificate, or others may 
teach them how, and how to download other CA's certificates (if the government 
was to ship only this certificate with the browser). Cat and mouse game. The 
North Korean and Chinese governments have been doing these kind of shenanigans 
for a long time - I am sure Russia could copy their model. And considering the 
tight media control they’re already exercising, I don't think it is crazy or 
paranoid to think Internet will be next. They seem to be already going down 
that path.

PS: opinions and statements, like the above, are my very own personal take or 
opinion. Nothing I say should be interpreted to be my employer's position, nor 
be supported by my employer. 

On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan" 
 
wrote:

> On Thu, 10 Mar 2022, Eric Kuhnke wrote:
>> I think we'll see a lot more of this from authoritarian regimes in the
>> future. For anyone unfamiliar with their existing distributed DPI
>> architecture, google "Russia SORM".
>
> Many nations have a government CA.
>
> The United States Government has its Federal Public Key Infrastructure,
> and Federal Bridge CA.
>
> https://playbooks.idmanagement.gov/fpki/ca/
>
> If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your
> computer needs to have the FPKI CA's.  You don't need the FPKI CA's for
> other purposes.
>
> Some countries CA's issue for citizen and business certificates.
>
>
> While X509 allows you to specify different CA's for different purposes,
> since the days of Netscape, browsers trust hundreds of root or bridged CA
> in its trust repository for anything.
>
> Neither commercial nor government CA's are inherently more (or less)
> trustworthy.  There has been trouble with CA's of all types.
>
> An X509 certificate is a big integer number, in a fancy wrapper.  It's not a
> magical object.



Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-10 Thread Sean Donelan

On Thu, 10 Mar 2022, Eric Kuhnke wrote:

> I think we'll see a lot more of this from authoritarian regimes in the
> future. For anyone unfamiliar with their existing distributed DPI
> architecture, google "Russia SORM".


Many nations have a government CA.

The United States Government has its Federal Public Key Infrastructure, 
and Federal Bridge CA.


https://playbooks.idmanagement.gov/fpki/ca/

If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your 
computer needs to have the FPKI CA's.  You don't need the FPKI CA's for 
other purposes.


Some countries CA's issue for citizen and business certificates.


While X509 allows you to specify different CA's for different purposes, 
since the days of Netscape, browsers trust hundreds of root or bridged CA 
in its trust repository for anything.


Neither commercial nor government CA's are inherently more (or less) 
trustworthy.  There has been trouble with CA's of all types.


An X509 certificate is a big integer number, in a fancy wrapper.  It's not a 
magical object.


Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-10 Thread William Herrin
On Thu, Mar 10, 2022 at 10:26 AM Eric Kuhnke  wrote:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1758773
>
> I think we'll see a lot more of this from authoritarian regimes in the 
> future. For anyone unfamiliar with their existing distributed DPI 
> architecture, google "Russia SORM".

Point of clarification: what's happening is that Russian web sites'
certificates are expiring and because of the sanctions, their CAs are
refusing to renew them. So, Russia has spun up their own CA which is,
of course, only present in Russian web browsers.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-10 Thread Jay R. Ashworth
- Original Message -
> From: "Eric Kuhnke" 
> Subject: Russia attempts mandating installation of root CA on clients for TLS 
> MITM

> https://bugzilla.mozilla.org/show_bug.cgi?id=1758773
> 
> I think we'll see a lot more of this from authoritarian regimes in the
> future. For anyone unfamiliar with their existing distributed DPI
> architecture, google "Russia SORM".

Some tech press coverage on this:

https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-10 Thread Eric Kuhnke
https://bugzilla.mozilla.org/show_bug.cgi?id=1758773

I think we'll see a lot more of this from authoritarian regimes in the
future. For anyone unfamiliar with their existing distributed DPI
architecture, google "Russia SORM".