Old 03-29-2010, 11:42 PM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Law Enforcement Appliance Subverts SSL


Quote:
The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
Complete Article

It seems like the EFF is still trying to figure out what the best way to protect against this sort of attack is. The idea they kicked around about using the Tor network to compare certificates in other geographical locations seems kinda clumsy to me, though. Surely they've got a better approach brewing. How about you guys? Any thoughts to share?
 
Old 03-30-2010, 08:05 AM   #2
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Why would you want to subvert law enforcement, you criminal? J/K This has other implications as well, not just law enforcement will end up with this technology. Not to mention if you are paranoid like me you don't trust the government in the long run. Abuse of power is abuse of power period and it will happen. Does anyone recall a negative utopian society from a novel called 1984?
 
Old 03-30-2010, 12:03 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Like Nixon said, "I am not a crook", and I don't want law enforcement to have this capability either. There is something inherently wrong about it, and they know it. That is why there is so much emphasis on keeping it secret behind closed doors. The whole purpose of the certificate authority is to guarantee that the sites are who they say they are. Compromise them and the whole system falls apart; and there is the crux of the problem. The device is really irrelevant, it just facilitates things. The real problem is the ability to obtain the encryption key(s) and then use that to eavesdrop on the communications, specifically web site traffic. The nefarious part of it is that they are able to subvert the means of detecting that this is happening.

The article (said that one agency) claimed that they have never provided such a false certificate. If this is the case, then how are these devices of any value and how are any of them being sold?

I have serious doubts about the "types" of criminals that will be caught by this type of technology. I doubt that serious criminals are going to trust web sites enough, supposedly even encrypted ones, to be of much use to "law enforcement". To me this sounds more like "the Regime" wanting to further be able to restrict and listen in on the governed to help keep the status quo.

I do wonder about self-generated, self-signed encryption keys. The browser doesn't recognize those as being valid, but if it changes you will get a warning. I use one to connect to my own server and if I get a warning that something has changed, I know there is a problem. In any case, it is clear that some means to verify the authenticity of the certificate is required. It is no longer sufficient to rely on the fact that it was issued by a so-called trusted agency.

Perhaps SSL certificates need a form of key signing ability. You have the ability to imprint a key and then your browser will accept it. If it changes, such as in the case of a forged certificate, you get a warning of a problem.
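
The imprint-and-warn idea from the post above, together with the multi-location comparison mentioned in the first post, as an added example that is not part of the original thread. The byte strings are constructed stand-ins for DER certificates, `PinStore`, `disagreeing_vantages` and the host name are hypothetical, and the scheme assumes the first contact was not intercepted.

```python
import hashlib, json, os, ssl, tempfile

# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE = b"constructed-DER-bytes-of-the-site's-real-certificate"
FORGED = b"constructed-DER-bytes-of-a-CA-signed-forgery"

def fingerprint(der):
    """Hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host, port=443):
    """Fetch the certificate a server presents, without CA validation (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

class PinStore:
    """Trust-on-first-use pins (host -> fingerprint), persisted as JSON."""
    def __init__(self, path):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, der):
        seen, pinned = fingerprint(der), self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen          # imprint on first contact
            tmp = self.path + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(self.pins, fh)
            os.replace(tmp, self.path)      # atomic: never a half-written pin file
            return "pinned"
        # A CA-signed forgery passes chain validation but not this comparison.
        return "match" if pinned == seen else "CHANGED"

def disagreeing_vantages(local_der, observations):
    """Names of vantage points whose observed fingerprint differs from ours."""
    mine = fingerprint(local_der)
    return sorted(v for v, fp in observations.items() if fp != mine)

if __name__ == "__main__":
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    for der in (GENUINE, GENUINE, FORGED):
        print(store.check("example.test", der))
    elsewhere = {"vantage-a": fingerprint(GENUINE), "vantage-b": fingerprint(GENUINE)}
    print(disagreeing_vantages(FORGED, elsewhere))
```

A legitimate certificate renewal also changes the fingerprint, so `CHANGED` is a prompt to verify out of band rather than proof of interception.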

 
Old 03-30-2010, 01:05 PM   #4
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

meh, problem is for every solution there is an equal and opposite workaround requiring an even more elaborate solution to prevent and so on
Code:
1        2
-------->|
^        |
|        |
|        |
<--------v3
4

-->1.discovery of a method to exploit security measures
|  2.implementation of said method
|  3. research/discovery of countermeasure
---4. deployment of new security measures
and the cycle repeats
 
Old 04-01-2010, 05:08 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
I ran into this Firefox add-on a few minutes ago, and I thought I'd share the link here. It's not a cure (obviously), but it does seem (to me at least) like in the proper hands it would reduce the probability of a successful attack of this kind.
 
Old 04-01-2010, 06:07 AM   #6
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Two-way SSL is not vulnerable to this. Client-based certificates do not have to deal w/ this. You have to provide YOUR certificate in order to access a website and most of the time you have to register YOUR client certificate with _that_ web server.
 
  

