[Cryptography] Opening Discussion: Speculation on "BULLRUN"

[Joe Abley]

On 2013-09-09, at 12:04, "Salz, Rich" <rsalz at akamai.com> wrote:

> ➢  then maybe it's not such a "silly accusation" to think that root CAs are routinely distributed to multinational secret
> ➢  services to perform MITM session decryption on any form of communication that derives its security from the CA PKI.
> 
> How would this work, in practice?

Suppose Mallory has access to the private keys of CAs which are in "the" browser list or otherwise widely-trusted.

An on-path attack between Alice and Bob would allow Mallory to terminate Alice's TLS connection, presenting an opportunistically-generated server-side certificate with signatures that allow it to be trusted by Alice without pop-ups and warnings. Instantiating a corresponding session with Bob and ALGing the plaintext through with interception is then straightforward.

This would be detectable by Bob by the visible client address, but that could be obfuscated (Mallory could exit the session through something tor-like, for example, to avoid advertising their topological location; this would just make it look like Alice is using tor).

In the case where Alice is presenting a certificate specifically trusted by Bob, this wouldn't work so well. But my observation is that many TLS-protected streams used by consumers don't use client certificate authentication.

As an aside, I see CAs with Chinese organisation names in my browser list. I don't know how to distinguish between enterprises and government from this side of the Pacific (so, presumably, assume they are all government). I had always assumed that this was already happening at the Great Firewall, as a working example of government-sponsored TLS interception with no requirement for expensive crunching of large integers.


Joe