The state-level attack on the SSL CA security model

Crist Clark Crist.Clark at
Mon Mar 28 18:47:26 CDT 2011

>>> On 3/25/2011 at  2:21 AM, Florian Weimer <fweimer at> wrote:
> * Roland Dobbins:
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>>  Disclosure devalues information.
>> I think this case is different, given the perception of the cert as
>> a 'thing' to be bartered.
> Private keys have been traded openly for years.  For instance, when
> your browser tells you that a web site has been verified by "Equifax"
> (exact phrasing in the UI may vary), it's just not true.  Equifax has
> sold its private key to someone else long ago, and chances are that
> the key material has changed hands a couple of times since.
> I can't see how a practice that is completely acceptable at the root
> certificate level is a danger so significant that state-secret-like
> treatment is called for once end-user certificates are involved.

Any large, well funded national-level intelligence agency
almost certainly has keys to a valid CA distributed with
any browser or SSL package. It would be trivial for the US
Gov't (and by extension, the whole AUSCANNZUKUS intelligence
community) to simply form a shell company CA that could get
a trusted cert in the distros or enlist a "legit" CA to do
their patriotic duty (along with some $$$) and give up a key.

Heck, it's so easy, private industry sells this as a product
for the law enforcement community. It's an easy recipe,

  1) Go start your own CA (or buying an existing one may be
     easier, as Florian points out).
  2) Get your key put in Windows, Firefox, Opera, etc.
  3) Build an appliance that uses your key to do MIM attacks
     on the fly.
  4) Sell appliance to law enforcement (or anyone else with the
     money, maybe a smaller nation's intelligence apparatus?).
  5) Profit!

Just Google around for commercial products aimed at LI that
have this capability.

Commercial SSL/TLS, i.e. using built-in CAs, offers no
protection against nation-states at the intelligence or law
enforcement level.

Crist Clark
Network Security Specialist, Information Systems
408 933 4387

More information about the NANOG mailing list