> The IETF has said that pervasive monitoring is an attack, and the Internet Architecture Board (the IETF’s parent organization) recommends that new protocols use encryption by default.
While HTTPS does prevent just anyone from monitoring, I've long been under the impression that the government, and possibly influential corporations, probably have access to any certificates issued by the large CAs.
Is this a tinfoil hat theory? Is anything legally or technically preventing this from happening, and/or are there ways for me to know when my own browsing is truly private between myself and only the party at the other end, and not other curious or intrusive uninvited third parties?
> I've long been under the impression that the government, and possibly influential corporations, probably have access to any certificates issued by the large CAs.
Everyone has that access. Click on the padlock icon on any HTTPS-using website, and after a few more clicks you can export a copy of the site's certificate (at least on Firefox).
But that gains you nothing without the corresponding private key. The private key is generated on the website's server, and is never sent to the certificate authority (what is sent is a "certificate request", which has basically the same information found on the certificate).
> are there ways for me to know when my own browsing is truly private between myself and only the party at the other end, and not other curious or intrusive uninvited third parties?
Now that's a different question. While having access to the certificates is no problem at all, being able to create a new certificate for an arbitrary website allows one to pretend to be that website. The only defense against it is that, if a CA is caught issuing these certificates, it risks being removed from the browser's trust lists, which is a death penalty for a CA's business. Also, there is a new initiative (Certificate Transparency) to make it easier for these certificates to be caught.
> Now that's a different question. While having access to the certificates is no problem at all, being able to create a new certificate for an arbitrary website allows one to pretend to be that website. The only defense against it is that, if a CA is caught issuing these certificates, it risks being removed from the browser's trust lists, which is a death penalty for a CA's business. Also, there is a new initiative (Certificate Transparency) to make it easier for these certificates to be caught.
There is a defense against rogue CAs: HTTP Public Key Pinning (HPKP) [0]. Chrome, Firefox et al use a HPKP preload list, but unlike with Strict Transport Security (HSTS) there currently appears to be no way to submit one's own site for inclusion in the preload lists. See e.g. Mozilla's policy [1].
As well as what rhblake said, it's also always worth remembering a core aspect of all this: a lot of general authentication discussions are concerned with the extremely important issues of public scalability and ease-of-use, which is where things like the standard CA system come into play, but those don't necessarily need to apply for someone's own specific instance. So in this case:
>are there ways for me to know when my own browsing is truly private between myself and only the party at the other end, and not other curious or intrusive uninvited third parties?
Yes, you can use a side-channel. At that point it's just a tradeoff between how much effort you want to/can expend vs what value is at risk. At the simplest and easiest, this could just plain mean giving them a call (or message or even snail mail) and spending a few seconds having them verify what the certificate signature should be. Or for that matter talk to a few other people at geographically distinct locations and ask what they see. Combined with pinning (or manual trust/locking or whatever depending on your tool) merely knowing you've got the right cert and will be alerted if it changes may be all that's required and immensely raises the time/resource/expertise cost for any potential attacker. For more effort and a higher level of security, people can flat out physically exchange certs/keys (or even pure entropy) and bypass any 3rd party authentication involvement entirely. It's easy to make one's own entire CA architecture in fact; all the tools are freely available for all. It's the general sharing and trusting that is the sticky wicket, but within the bounds of an existing trust relationship it's much more straightforward.
Obviously this is all more work than just going to a URL and seeing if it has a green lock, or CT or anything else, and because it's work each time it's unrealistic to expect the general population to do so in general. But if someone specifically needs communications to be "truly private between myself and only the party at the other end" then it's achievable by trading in more upfront setup work, and always has been. Much of the ongoing development and research and marketing efforts are about trying to raise the universal floor level, but everyone is free to exceed that if necessary.
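As an added example (not part of this thread, and not any poster's or project's code), here is a stdlib-only Python sketch of the two verification routes raised in the comments above: HPKP-style pins over the certificate's SubjectPublicKeyInfo from the earlier HPKP comment, and the trust-on-first-use plus phone-verified-fingerprint approach from this one. The certificates it checks are constructed placeholders built inline (unsigned, with empty issuer/subject/validity fields), the hostname and key bytes are made up, and the DER walker assumes nothing beyond the standard X.509 field order. The point it makes concretely: a pin over the SPKI survives a renewal that reuses the key, while the full-certificate fingerprint a browser displays does not, and a certificate for the same name under a different key (what a rogue CA would have to issue) trips both checks.

```python
import base64
import hashlib
import hmac


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo, i.e. the bytes an HPKP pin hashes."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)             # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)                 # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)             # serialNumber follows the version
    for _ in range(4):                              # signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)                 # subjectPublicKeyInfo
    return tbs[pos:end]


def spki_pin(cert_der):
    """HPKP pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def cert_fingerprint(cert_der):
    """SHA-256 over the whole certificate, in the colon-separated form browsers display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def matches_spoken(fingerprint, spoken):
    """Compare a displayed fingerprint with one read out over a side channel (phone, mail)."""
    def norm(s):
        return "".join(ch for ch in s.upper() if ch in "0123456789ABCDEF")
    return hmac.compare_digest(norm(fingerprint), norm(spoken))


def hpkp_check(chain_der, pins):
    """HPKP semantics: pass if any certificate in the served chain matches any known pin."""
    return any(spki_pin(cert) in pins for cert in chain_der)


class PinStore:
    """Trust-on-first-use: remember a host's SPKI pin, alert when a later one differs."""

    def __init__(self):
        self.pins = {}

    def check(self, host, cert_der):
        pin = spki_pin(cert_der)
        if host not in self.pins:
            self.pins[host] = pin
            return "first-use"
        return "ok" if hmac.compare_digest(self.pins[host], pin) else "CHANGED"


def _tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(key_bytes, serial):
    """Constructed placeholder certificate: right field order, empty names, no real signature."""
    spki = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + key_bytes))   # algorithm, BIT STRING key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))    # [0] version v3
                + _tlv(0x02, bytes([serial]))             # serialNumber
                + _tlv(0x30, b"") + _tlv(0x30, b"")       # signature algorithm, issuer (placeholders)
                + _tlv(0x30, b"") + _tlv(0x30, b"")       # validity, subject (placeholders)
                + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))   # + signatureAlgorithm, signatureValue


def demo():
    """Run the scenarios and return the observations as a dict."""
    key_a, key_b = bytes(range(100)), bytes(reversed(range(100)))   # made-up key material
    cert1 = fake_cert(key_a, serial=1)    # the site's current certificate
    cert2 = fake_cert(key_a, serial=2)    # renewed: same key, new certificate
    cert3 = fake_cert(key_b, serial=3)    # different key: what a rogue CA would have to issue
    store = PinStore()
    return {
        "first": store.check("example.test", cert1),
        "renewed_same_key": store.check("example.test", cert2),
        "rogue_key": store.check("example.test", cert3),
        "fp_changes_on_renewal": cert_fingerprint(cert1) != cert_fingerprint(cert2),
        "pin_survives_renewal": spki_pin(cert1) == spki_pin(cert2),
        # HPKP pin set with a backup pin for a key kept offline
        "hpkp_ok": hpkp_check([cert2], {spki_pin(cert1), spki_pin(fake_cert(b"backup", 9))}),
        "hpkp_rogue": hpkp_check([cert3], {spki_pin(cert1)}),
        # fingerprint read back over the phone in lowercase, without colons
        "spoken_ok": matches_spoken(cert_fingerprint(cert1),
                                    cert_fingerprint(cert1).replace(":", "").lower()),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the comparisons use `hmac.compare_digest` so the check itself does not leak how many characters matched, and the SPKI pin is what makes a pin set practical to operate (you can renew without re-pinning, and a backup pin for an offline key covers a lost or compromised one), which is also why HPKP specifies pins over the SPKI rather than the whole certificate.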
Correct me if I'm wrong, but isn't the whole point of the CA system that you only need to send the public key to the CAs?
So, unless the NSA possesses some P=NP level crypto breaking technology, it should be technically impossible for CAs to fake a particular public key, no matter how corrupt/undermined they are.
Of course there are a few other more practical things an evil CA can do:
- generate another keypair and create a certificate that claims the key represents <organization of your choice>. Certificate Transparency is supposed to prevent that. Also if the organization gets to know about your fake certificate, prepare for their wrath.
- Offer a service in which you "helpfully" also generate the keypairs for your customers before creating the cert. Now you can simply save a copy of the private key and keep control. That will only work if your customers fall for it though and don't insist on bringing their own keys.