
Certified Lies: Detecting and Defeating Government Interception Attacks against SSL (Short Paper)

  • Conference paper
Financial Cryptography and Data Security (FC 2011)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7035)

Abstract

This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications.

The full length version of this paper is available at www.dubfire.net. The authors hereby permit the use of this paper under the terms of the Creative Commons Attribution 3.0 United States license.



Editor information

George Danezis

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Soghoian, C., Stamm, S. (2012). Certified Lies: Detecting and Defeating Government Interception Attacks against SSL (Short Paper). In: Danezis, G. (eds) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_20

  • DOI: https://doi.org/10.1007/978-3-642-27576-0_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27575-3

  • Online ISBN: 978-3-642-27576-0

  • eBook Packages: Computer Science, Computer Science (R0)
