0xfeedface Tech musings and rants

I came across a recent paper detailing how government agencies can easily hijack SSL connections. The paper is well written and the authors definitely did proper research. The solution they came up with is elegant despite only being able to catch a few attack scenarios.

Overall, the paper describes difficulties in the current implementation of SSL. Users have to trust that Certificate Authorities (CAs) are always 100% trustworthy. Users also have to trust that governments around the world are also trustworthy. While the attacks aren't new, they are detailed in great manner. Moxie Marlinspike of Thought Crime talked about defeating SSL in his BlackHat USA 2009 video (a video I will upload soon). The paper mainly follows the concepts talked about in Moxie's video.

I'm impressed with the solution the authors of the paper created. They wrote a Firefox extension which caches the SSL cert the first time an SSL site is visited. Each time the user visits the same site, the Country Code of the cert is verified. If the Country Code changed, then the user is warned and prompted to continue or cancel. As a user of Google's Chrome, I might consider porting this Firefox extension to Chrome. I'm excited to see their Firefox extension take off and be further developed.

I'll conclude with an excerpt from the whitepaper:

VeriSign, the largest provider of SSL certificates in the world, whose customers include many foreign banks, companies and governments from countries that do not have friendly relations with the United States, also happens to make significant sums of money by facilitating the disclosure of US consumers' private data to US government law enforcement and intelligence agencies. This fact alone may be sufficient to give some foreign organizations good reason to question their choice of CA.