openPGP в России / Библиотека / Статьи / Сертифицированная ложь: обнаружение атак перехвата SSL, осуществляемых властями, и защита от них / 3. Большой брат в браузере

id: Гость вход регистрация
текущее время 23:14 24/04/2024

Владелец: unknown редакция от 29/03/2010 14:53 (автор: unknown)

Печать

Категории: криптография, инфобезопасность, политика, защита сети, распределение ключей, следственные мероприятия, стандарты, ssl, спецслужбы

https://www.pgpru.com/Библиотека/Статьи/CertifiedLies/BigBrotherintheBrowser

Последние изменения Последние комментарии Удаленные документы Требуется доработка Досье пользователей Опросы Keyserver Документация Wiki Правила сайта denied

Регистрация

Это старая редакция страницы Библиотека / Статьи / Certified Lies / Big Brotherinthe Browser за 29/03/2010 14:53.

3. Большой брат в браузере

3 Big Brother in the Browser
Microsoft, Apple and Mozilla all include a number
of national government CAs in their respective CA
databases.5

For example, Microsoft's Root Certificate Program in-

cludes the governments of Austria, Brazil, Finland, France,
Hong Kong, India, Japan, Korea, Latvia, Macao, Mexico,
Portugal, Serbia, Slovenia, Spain, Switzerland, Taiwan, The
Netherlands, Tunisia, Turkey, United States and Uruguay
[16].

These government CAs are often in-
cluded for legitimate reasons: Many governments
embed cryptographic public keys in their national
ID cards, or do not wish to outsource their own in-
ternal certificate issuing responsibilities to private
companies.

While it might be quite useful for Estonian users

of Internet Explorer to trust their government's CA
by default (thus enabling them to easily engage in
secure online tasks that leverage their own national
ID card), the average resident of Lebanon or Peru
has far less to gain by trusting the Estonian gov-
ernment with the blanket power to issue SSL cer-
tificates for any website. Thus, users around the
world are put in a position where their browser en-
trusts their private data, indirectly, to a number of
foreign governments whom those individuals would
never ordinarily trust.

As an example of what is currently possible,

should it do so, the Korean Information Security
Agency can create a valid SSL certificate for the In-
dustrial and Commercial Bank of China (whose ac-
tual certificate is issued by VeriSign, USA), that can
be used to perform an effective man-in-the-middle
attack against users of Internet Explorer.

While this might at first seem like an extremely

powerful attack, there are several reasons why gov-
ernments are unlikely to use their own CAs to per-
form man in the middle attacks.

First, while some governments have convinced the

browser vendors to include their CA certificates, not
all governments have been able to do so. Thus, for
example, the governments of Singapore, the United
Kingdom and Israel (among many others) are not
trusted by any of the ma jor browsers. These gov-
ernments are therefore unable to easily create their
own fake certificates for use in intelligence and other
law enforcement investigations where snooping on a
SSL session might be useful.

Second, due to the fact that the SSL chain of trust

is non-repudiable, any government using its own CA
to issue fake certificates in order to try and spy on
someone else's communications will leave behind ab-
solute proof of its involvement. That is, if the Span-
ish government issues a fake certificate for Google
Mail, and the surveillance is somehow discovered,
anyone with a copy of the fake certificate and a
web browser will be able to independently trace the
botched operation back to the Spanish government.

Назад | Оглавление | Дальше