[Cryptography] hard to trust all those root CAs

Justin Goldberg justgold79 at gmail.com
Wed Jul 23 14:15:03 EDT 2014


On Wed, Jul 23, 2014 at 12:00 PM, <cryptography-request at metzdowd.com> wrote:

<snip>


> Send cryptography mailing list submissions to
>         cryptography at metzdowd.com
> Date: Wed, 23 Jul 2014 05:32:39 -0700
> From: John Denker <jsd at av8n.com>
> To: cryptography at metzdowd.com
> Subject: Re: [Cryptography] hard to trust all those root CAs
> Message-ID: <53CFAB67.2050406 at av8n.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/22/2014 04:59 PM, Russ Nelson wrote:
> >
> > Crypto without a threat model is like cookies without milk. Keep
> > saying it until it becomes second nature to specify the threat model.
>
> The moderators wisely insist on brevity.  However, we
> have to give up something in return.  You don't get to
> snip out the threat model and then complain that no
> threat model was specified.
>
> I hate to belabor the obvious, but on 07/19/2014 02:03
> PM, the OP in this thread did mention MITM attacks and
> did cite data on forged certificates in the wild.
>
> If you want the next level of detail, it is known that
> the NSA acts as a MITM at the /hardware/ layer:  they
> intercept and tamper with shipments after they leave
> the manufacturer and before they reach the end-user.
> They can insert back doors in everything from consumer-
> grade stuff like cable modems, to corporate firewalls,
> to carrier-grade backbone routers.  This meddle-in-the-
> middle approach saves them the trouble of suborning a
> whole bunch of manufacturers directly;  all they need
> to do is suborn a handful of shipping companies.  This
> is documented in the Snowden files; no tin-foil hat is
> required.
>

I could see a business around this: an NSA-proof shipping company, using
Apple's model, puts out an NSL notice each month:


   - For January, we have not received any National Security Letters this
   month.
   - On the month you receive one, you stop putting such notices out, and
   sell the now-useless business.

This doesn't stop the receiving country from inserting such devices, but
would help regain some trust overseas about NSA-bugged devices that ship
from the USA.

- Justin

PS: Sorry about quoting the digest




>
> If the Chinese PLA Third Department is not installing
> their own back doors, I'd be shocked.  If they weren't
> doing it a year ago, they must have read the Snowden
> files as a how-to manual.  For equipment made in China,
> they can demand direct cooperation from the manufacturers.
>
> Couple that with a rogue CA.  Now you're drowning in
> milk.
>
> Note that back doors are notoriously hard to secure.
> A third party gets to choose the NSA back door, or
> the Third Department back door, or some generic stack-
> overflow bug, or whatever.
>
> A question for each person on this list:  Are you sure
> that all of your communications with your banker, doctor,
> lawyer, mistresses, etc. move over networks that are
> immune to MITM attacks?  If so, please raise your hand.
>
> On 07/22/2014 03:07 PM, Jerry Leichter wrote:
> > I forget the name, but there was a plugin that would warn you of
> > unexpected changes in location of the CA.
>
> It can't be a very successful solution, if people refer
> to it in the past tense, and can't remember the name.
>
> Note the contrast:  As currently deployed:
>   SSL relies on authority, with no pinning or notary.
>   SSH relies on pinning, with no authority or notary.
>   PGP relies on web-of-trust, which usually boils down
>    to little more than a labor-intensive form of pinning.
>
> As discussed on 09/27/2013 09:43 AM, I reckon a heterotic
> approach would greatly increase security in all three cases.
> I use the term "pinning" to refer to local approaches,
> and "notary" to refer to network-based online approaches.
>
> AFAICT no "perfect" solution is possible.  If somebody
> wants to make a Truman Show / Matrix fake universe for
> you to live in, they can do so -- in principle.  However,
> I reckon that good crypto engineering can make this much
> more expensive to do, and much easier to detect.
>
> Evidently there are no widely-deployed solutions;
> otherwise we wouldn't be seeing forged certificates
> in the wild.  Is there anything on the horizon?
> If not, why not?
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIVAwUBU8+rYPO9SFghczXtAQJ/
> xRAAn1DVw6rNhsGwom5Evg4FWuhJHpn/q9aa
> 4hmh20tCFba9erXtXeEzGmAdGXvNpy/u7dRk46FclQPrVJciLg3uTsaHLijOFWng
> YA3vg1H5HbTmDvTo+gDG/AWiO3Ix6WCkFWn7AsJowue7mmzfFKpcb9/VSAw9Zo+0
> C/dddCj0xrwKSkOkNCHo08bB461AQe++Iq5PsPVNeVabnB64FWuB0SuJBigKxRNz
> KN3C4xwE9ruQ/dGYhJA9NbGAQCg1iE3VY6DQHG00vdih0dyIbtDdLlxjvJeJhfvW
> 2Z3SBd4snglbo2LxmtQeS3KeDDdJf8aWHW3duOEWE5MXRsM3SkS73WGdE2ib7yOA
> 1Ex8QqozAeYwm+MW1FpjR8z2/XhCMDZebn1iy+a8SVP1ScEbbl4OKxJs7IDlIK9y
> yxfHXClJXAYe5U9CjU92oVnBfkgtJasSPsjwPcY++ZRcSpmTUNLZejL69elgHGCq
> qMVJGIuVEpeGGZmgWG14yES1fTrI7KwR7HsnvBYf2gFgI5G94BQ5dC+BmCkIJZKt
> /qMPQFqEQdIClk1u53jgNODXWA7Ft3h/o1k4e9lSs7FO98RRBS+ixzSqBBCQdxBq
> 5D94WpF4jd5Gs+eeVI6uJfX8zTPAj5fy5hHbtu0nU1tiyth+WuSWlXqw3JuASuaw
> MWSE8IgB5yE=
> =Ih1m
> -----END PGP SIGNATURE-----
>
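The quoted contrast between authority (SSL), pinning (SSH) and a network notary, and the suggestion that combining them would raise the attacker's cost and make forgery easier to detect, can be made concrete. The following is an added Python example, not code from the thread or from any product named in it. It models a client that accepts a server key only when the chain ends in a trusted root, a quorum of independent notaries report the same key, and the key matches what this client pinned on first use; a pin mismatch is classified as a plausible key rotation (same issuer) or as a CA change (different issuer), the case the "unexpected change of CA" plugin mentioned above was meant to flag. All certificates, root names and notary reports are constructed sample data, and the SPKI field is a stand-in byte string rather than real DER.

```python
"""Hybrid server-key check: authority + notary + trust-on-first-use pinning.

Added example, not from the original thread. Certificates here are toy
records; `spki` stands in for the DER-encoded SubjectPublicKeyInfo and the
fingerprint is SHA-256 over it. Notary reports are the fingerprints that
independent vantage points claim to have seen for the same host.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"                    # chain, notaries and pin all agree
    FIRST_SEEN = "first_seen"            # no pin yet; pin recorded now (TOFU)
    KEY_ROTATED = "key_rotated"          # pin mismatch, same issuer: warn
    ISSUER_CHANGED = "issuer_changed"    # pin mismatch and a different CA: alarm
    UNTRUSTED_ROOT = "untrusted_root"    # chain does not end in a trusted root
    NOTARY_DISAGREE = "notary_disagree"  # too few notaries saw this key


@dataclass
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for DER SubjectPublicKeyInfo (constructed)

    def fingerprint(self) -> str:
        return hashlib.sha256(self.spki).hexdigest()


@dataclass
class Pin:
    fingerprint: str
    issuer: str


@dataclass
class HybridVerifier:
    trusted_roots: set
    pins: dict = field(default_factory=dict)  # host -> Pin
    notary_quorum: int = 2

    def _chain_ok(self, chain) -> bool:
        # Authority check: walk leaf -> root; each issuer must be the next
        # subject, and the last cert must be a self-issued trusted root.
        for child, parent in zip(chain, chain[1:]):
            if child.issuer != parent.subject:
                return False
        root = chain[-1]
        return root.subject in self.trusted_roots and root.issuer == root.subject

    def check(self, host: str, chain, notary_reports) -> Verdict:
        leaf = chain[0]
        fp = leaf.fingerprint()
        if not self._chain_ok(chain):
            return Verdict.UNTRUSTED_ROOT
        # Notary check: enough independent observers must report this key.
        if sum(1 for seen in notary_reports if seen == fp) < self.notary_quorum:
            return Verdict.NOTARY_DISAGREE
        # Pinning check: compare against what this client saw before.
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = Pin(fp, leaf.issuer)
            return Verdict.FIRST_SEEN
        if pin.fingerprint == fp:
            return Verdict.ACCEPT
        if pin.issuer == leaf.issuer:
            return Verdict.KEY_ROTATED
        return Verdict.ISSUER_CHANGED


def demo():
    """Run constructed scenarios and return the list of verdicts."""
    v = HybridVerifier(trusted_roots={"Trusted Root CA"})
    root = Cert("Trusted Root CA", "Trusted Root CA", b"root-key")
    good = [Cert("bank.example", "Trusted Root CA", b"key-1"), root]
    fp1 = good[0].fingerprint()
    out = [v.check("bank.example", good, [fp1, fp1, fp1]),   # FIRST_SEEN
           v.check("bank.example", good, [fp1, fp1, fp1])]   # ACCEPT
    # A forged leaf from a second root that the client also trusts: the
    # authority check alone would pass, which is the rogue-CA problem.
    v.trusted_roots.add("Other Root CA")
    other_root = Cert("Other Root CA", "Other Root CA", b"other-root")
    forged = [Cert("bank.example", "Other Root CA", b"key-2"), other_root]
    fp2 = forged[0].fingerprint()
    out.append(v.check("bank.example", forged, [fp1, fp1, fp1]))  # NOTARY_DISAGREE
    out.append(v.check("bank.example", forged, [fp2, fp2, fp2]))  # ISSUER_CHANGED
    # Legitimate rotation under the same CA still deserves a warning.
    rotated = [Cert("bank.example", "Trusted Root CA", b"key-3"), root]
    fp3 = rotated[0].fingerprint()
    out.append(v.check("bank.example", rotated, [fp3, fp3]))  # KEY_ROTATED
    # A chain ending in an unknown root is rejected before anything else.
    rogue = [Cert("bank.example", "Rogue CA", b"key-4"),
             Cert("Rogue CA", "Rogue CA", b"rogue-root")]
    out.append(v.check("bank.example", rogue, [rogue[0].fingerprint()] * 3))
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The ordering of the checks is deliberate: the authority check is cheapest and rejects garbage early, the notary check catches a locally targeted forgery that is not visible from elsewhere, and the pin check catches the case where every path agrees but the key differs from what this client saw before. Policy for KEY_ROTATED (warn and keep the old pin, or accept and re-pin) is left to the caller, since the verifier cannot know whether a same-issuer change is a planned rotation.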