> It provides the USG with capabilities beyond simple surveillance, for instance by allowing them to spoof Google pages. There can't be any legitimate reason to provide them that blanket authority.
The US government already has at least Verisign under their belt. They can already MITM just about any SSL connection they could ever want to.
I would wager that they have a large number of private keys anyway. It's not like datacenters would be able to do much when the NSA rocks up with an NSL.
But a MitM exploit is an active attack that requires control of a network over which the traffic passes, and it is detectable (for the specific case of Chrome and Google sites, trivially so).
Access to the master keys for a SSL/TLS session isn't like that at all. They could retroactively capture, archive, and decrypt any traffic to the site at all with nothing but the undetectable network taps we already believe they have.
That said: the linked article is talking about "legally" compelling Google et al. I don't think that's the only tool in the box. Surely someone at each of these companies has access to the private keys and can be coerced via an appropriate bribe (which at the scales we're talking about could be staggeringly large!) or blackmail attempt to provide it "illegally".
> Access to the master keys for a SSL/TLS session isn't like that at all. They could retroactively capture, archive, and decrypt any traffic to the site at all with nothing but the undetectable network taps we already believe they have.
They can't in every case, especially for Google, who use a newer SSL that supports perfect forward secrecy. You are completely correct in the differing magnitudes of attack detectability though.
I believe that Google has changed them several times even in the last few years though, so it could be that even they don't have access to the old static keys anymore.
Yes, but if caught Mr. Rogue Employee Who Wants To Get Rich would now be facing federal felony charges (or state felony charges, if FedGov declines to prosecute). I suppose anything is possible, but Google employees in positions of high trust tend to be very well-compensated, and presumably the company has thought of this threat post-China intrusions and adopted the appropriate countermeasures.
Also, as another comment points out, Google uses PFS, so Apple, Yahoo, Microsoft, etc. are better targets for this type of insider attack.
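The distinction drawn in the comments above (a long-term key lets a purely passive tap be decrypted after the fact, while a forward-secret session does not) can be shown with a small simulation. This is an added example, not code from the thread or from any of the companies mentioned; the Diffie-Hellman parameters, the record format and the HMAC "signature" are constructed stand-ins, not a real TLS implementation.

```python
"""Toy model of the passive-recording threat: a session whose key is bound to
the server's long-term private key can be decrypted later by anyone holding
that key; an ephemeral (DHE, 'perfect forward secrecy') session cannot.
Constructed example; nothing here is a real TLS implementation."""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman parameters, constructed for illustration only.
# Real deployments use named groups (RFC 7919) or ECDHE curves.
P = 2**127 - 1
G = 5


def dh_pub(priv: int) -> int:
    return pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    # Stand-in for the TLS key schedule.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy record protection: keystream XOR plus an HMAC tag (not a real cipher suite)."""
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify (wrong key)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))


def _fresh_priv() -> int:
    return secrets.randbelow(P - 2) + 1


def static_session(server_longterm: int, msg: bytes) -> dict:
    """Key exchange bound to the server's long-term key, as in TLS RSA or static-DH
    key exchange. Returns exactly what a passive network tap would record."""
    server_pub = dh_pub(server_longterm)  # the value published in the certificate
    client_priv = _fresh_priv()
    key = derive_key(pow(server_pub, client_priv, P))
    return {"client_pub": dh_pub(client_priv), "record": seal(key, msg)}


def ephemeral_session(server_longterm: int, msg: bytes) -> dict:
    """DHE key exchange: the server uses a fresh private value for this session and
    the long-term key only authenticates it (an HMAC stands in for the signature the
    client would verify against the certificate, which is what defeats an active
    MITM). Both sides discard their ephemeral values once the key is derived."""
    server_eph = _fresh_priv()
    server_eph_pub = dh_pub(server_eph)
    sig = hmac.new(server_longterm.to_bytes(16, "big"),
                   server_eph_pub.to_bytes(16, "big"), "sha256").digest()
    client_priv = _fresh_priv()
    key = derive_key(pow(server_eph_pub, client_priv, P))
    return {"server_eph_pub": server_eph_pub, "sig": sig,
            "client_pub": dh_pub(client_priv), "record": seal(key, msg)}


def retroactive_decrypt(tap: dict, server_longterm: int) -> Optional[bytes]:
    """What a passive adversary can do later with a recorded tap plus the server's
    long-term private key: recompute the client's shared secret from the client's
    public value. This only works when that secret depends on the long-term key."""
    candidate = derive_key(pow(tap["client_pub"], server_longterm, P))
    return unseal(candidate, tap["record"])


if __name__ == "__main__":
    longterm = _fresh_priv()          # the key an NSL or an insider might hand over
    msg = b"contents of a mailbox"    # constructed sample traffic
    print("static   :", retroactive_decrypt(static_session(longterm, msg), longterm))
    print("ephemeral:", retroactive_decrypt(ephemeral_session(longterm, msg), longterm))
```

The static case decrypts because the client's secret is `(g^s)^c`, which the key holder recomputes as `(g^c)^s`; the ephemeral case returns `None` because the session secret depends on a server value that was never written to disk and never left the server, so the long-term key gives the recording nothing to work with. That is also why an attacker holding the long-term key must fall back to an active (and, as the thread notes, detectable) impersonation to read DHE traffic.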
As a legal matter, the scope of an NSL is defined in law, and does not cover SSL keys (even the FBI/NSA would recognize it would be a loser of an argument). NSLs can also be challenged; I disclosed in May that Google was fighting two lawsuits on this front.
> Red herring. We are never discussing active MITM in these NSA threads because they don't do that.
I believe that this quote in the article pretty much implies an active attack.
> For individuals who put encryption on their traffic, we understand that there would need to be some individualized solutions if we get a wiretap order for such persons...
That was the FBI talking, not the NSA (I'm the author of the article). Everything we've learned about the NSA in the last decade thanks to whistleblowers points to widespread passive surveillance. If anything, NSA is extremely hypercautious about revealing its surveillance methods and techniques, which active attacks could do.
I can envision the NSA wanting to undertake active attacks in rare situations, but we don't know whether it has the technical ability to do so under its relationship with AT&T/Verizon/etc. Also even AT&T/VZ/etc. that have historically opened their networks to the NSA for passive surveillance -- in violation of the law -- may have second thoughts if the attacks are active. I suppose you could posit the installation of devices at the target's ISP, but, again, we have no evidence this is something NSA does.
Seems like NSA is using 'individualized solutions' as a term of art for which we don't know their real definition. But based on recent disclosures we're probably safe going with the wildest possible interpretations.
Neither is inherently safer than the other; certificates are about trust, and SSL/TLS gives you encryption regardless of where the certificate comes from. If you control both ends of a connection or know the person who signed the self-signed cert and trust him more than someone like Verisign, then yes, self-signed is just as good or better.
In the case of an organisation like Google, I don't see why the US government would even need the keys for Google's SSL certificates. Google have all the data they could ever want stored unencrypted anyway (or at least have the ability to decrypt). If they had any legal reason for wanting the content of my gmail account, they could just get the courts to subpoena Google for the data.
> they could just get the courts to subpoena Google for the data
I think that's one of the motivations right there. Even if FISA generally gives the government what it wants, it's still a process that the government appears to regard as a hassle to be eliminated.
I think the second reason is that google is a sophisticated enough company that they could perhaps infer things from the data request patterns that the requesting agencies would prefer secret.
Depends who your perceived threat is really. If you're trying to avoid a government MITM'ing you, sure, in a sense that's more secure.
The chief issue in all this is the huge number of trusted CAs that are the default in most operating systems. My install of OSX for example has 181 default certificate authorities, and any one of them could be compromised. I'd be willing to bet that a sizeable portion are under nefarious control.
Just to make a point I picked a random CA and tried to look up some information about it. Couldn't reach their site the first time, as they are lacking an A record on their domain root. I've no idea why they would be trusted, as they look sketchy as all hell — http://www.valicert.com/
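A way to repeat the count above on your own machine, and to see which organisations and which expired roots are in the store, using only the Python standard library. This is an added example, not code from the thread; `ssl.SSLContext.get_ca_certs()` returns the roots the default context loaded from the OS store (or whatever `SSL_CERT_FILE`/`SSL_CERT_DIR` point at), so the numbers are environment-specific, and the two certificate dicts in the `__main__` block are constructed samples.

```python
"""Audit the root certificate store that Python's ssl module trusts.
Added example; counts and names depend on the OS trust store."""
import ssl
import time
from collections import Counter


def _field(name_tuple, key: str) -> str:
    # getpeercert()-style subject/issuer: a tuple of RDNs, each a tuple of (key, value) pairs
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return "?"


def summarize_roots(certs: list, now_ts: float) -> dict:
    """Group trusted roots by organization and list the ones already expired at now_ts."""
    by_org = Counter(_field(c.get("subject", ()), "organizationName") for c in certs)
    expired = [
        _field(c.get("subject", ()), "commonName")
        for c in certs
        # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form these dicts use
        if ssl.cert_time_to_seconds(c["notAfter"]) < now_ts
    ]
    return {"total": len(certs), "by_org": by_org, "expired": expired}


def trusted_roots() -> list:
    """Roots loaded by the default context; the number the comment above counted for OSX."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    # Constructed sample entries in the same shape get_ca_certs() returns
    sample = [
        {"subject": ((("organizationName", "Example Root CA"),), (("commonName", "Example Root"),)),
         "notAfter": "Jan 01 00:00:00 2030 GMT"},
        {"subject": ((("organizationName", "Old CA"),), (("commonName", "Old Root"),)),
         "notAfter": "Jan 01 00:00:00 2010 GMT"},
    ]
    print("sample store:", summarize_roots(sample, time.time()))
    live = summarize_roots(trusted_roots(), time.time())
    print(f"this machine trusts {live['total']} roots from {len(live['by_org'])} organizations")
    for org, n in live["by_org"].most_common(10):
        print(f"  {n:3d}  {org}")
    if live["expired"]:
        print("expired roots still present:", live["expired"])
```

Grouping by organization is usually more telling than the raw count: a store of 180 roots is typically a few dozen operators, each of which can issue for any name, which is the point the comment is making.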
Depending on your use case and world-view, they've quite possibly been for a long time, maybe always. You just need to distribute the public part through other channels to the users.
If you train your users to accept self-signing you might as well just give up on PKI. It appears from the Chromium pinning list that they really do let anyone add a pinning rule for themselves if they want to; that would probably be the most practical. I'm not sure of the status of pinning support in other browsers.