Is there a way to make sure my government does not swap out SSL certificates?

56

I was recently wondering whether there exists a way to make sure my government is not swapping out SSL certificates in order to intercept the traffic.

I know almost all browsers complain in case of a self-signed certificate. But what prevents a government from issuing their own keychain?

One can imagine compromising the repositories containing packages with CA certificates and then issuing their own certificate in order to decipher the traffic. All the traffic goes through a government-loyal tier 1 operator which also has monopoly rights on providing Internet access.

If that is not a possible case, what mechanism is preventing them from doing it?

tls certificates man-in-the-middle certificate-authority government

edited Jan 6 at 23:47 by Solomon Ucko

asked Jan 3 at 9:04 by roman

  • 14
    It is not an unrealistic scenario. For example, in 2016, the Kazakhstan government made attempts to sniff every user's TLS traffic: bugzilla.mozilla.org/show_bug.cgi?id=1229827, bugzilla.mozilla.org/show_bug.cgi?id=1232689. AFAIK, all these attempts failed in this particular case, but there is a chance for a government to jump into the trust list. Also, some non-democratic countries may force the use of their root CAs on a legal basis.
    – Crypt32
    Jan 3 at 9:40

  • 3
    See also Can a nation-state adversary perform a MITM attack by compelling a CA to issue them with fake certs?
    – Ajedi32
    Jan 4 at 16:48

  • 1
    Browsers complain of self-signed certificates if they do not know/you do not install their root chain...
    – Rui F Ribeiro
    Jan 5 at 16:05

4 Answers

80

If your adversary is a powerful nation-state threat actor, web PKI will not protect you.



Nothing is preventing them from issuing their own certificate. In fact, many governments run their own certificate authorities, such as the US FPKI and affiliates. See a list of CAs currently trusted by Firefox:



  • Government of France

  • Government of Hong Kong (SAR), Hongkong Post

  • Government of Japan, Ministry of Internal Affairs and Communications

  • Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)

  • Government of Spain (CAV), Izenpe S.A.

  • Government of The Netherlands, PKIoverheid

  • Government of Taiwan, Government Root Certification Authority (GRCA)

  • Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)

While Firefox currently refuses to trust the US FPKI, it still trusts many other government-run CAs, and a sophisticated nation-state actor absolutely has access to some existing, commercial CAs. Chrome, Internet Explorer, and Edge use the system trust store which, for Windows, does include many government certificate authorities. Any of these could be used to sign a valid certificate for any website and your browser would happily trust them without batting an eye.



While the new and experimental standard for Certificate Transparency (CT) helps reduce the impact of mistakenly-issued certificates, it does not protect against a dedicated attacker who controls a malicious CA. Once it has seen greater adoption it may, however, make it easier to spot malicious or misbehaving CAs after a short period of time, but it will not prevent the attack immediately as it is performed.



Some browsers use certificate pinning where important and high-profile domains are validated against a hardcoded list of permitted certificate authorities. Signing a fraudulent certificate for those domains would require compromising the CA that they currently use. Unfortunately, this only applies to a small handful of domains and does not protect the web at large.



A partial solution would be to refuse to trust a domain without the .gov TLD whose certificate was issued by a government CA, which could be implemented client-side, but it would likely have little real-world impact. An adversarial government is not going to sign a malicious website with a state-run CA, since that would immediately attribute the attack to them. Rather, they would exploit covert relationships with existing CAs to trick them or force them into signing the certificate. CT, as mentioned in the previous paragraph, would detect this and the attack would be quickly noticed, but it does not prevent it.

  • 17
    "Once it has seen greater adoption" FYI, Certificate transparency has ~100% adoption as of last year. Chrome won't even trust new certificates that aren't logged in CT anymore. (Though I suppose it will still be possible for another year for a malicious CA to backdate certs to get around the requirement.)
    – Ajedi32
    Jan 3 at 15:50

  • 5
    "Nothing is preventing them from issuing their own certificate" - this is not fully true. Browsers like Chrome and Firefox have built-in certificate pinning for critical domains (google, facebook, mozilla, ...) and these will detect if a different CA than expected has issued a certificate for these sites. This is for example how the use of fake certificates for Google in Iran got detected when DigiNotar got hacked. While certificate pinning (and checking of CT) gets disabled for explicitly added CAs to facilitate legal SSL interception, it does not get disabled for the built-in CAs.
    – Steffen Ullrich
    Jan 3 at 16:44

  • 7
    Apart from certificate pinning, any built-in CA which wrongly issues certificates risks getting quickly removed from the CA store of the browsers or getting the specific sub-CA banned. This has happened several times in the past now (DigiNotar, StartCom, WoSign, Symantec) and it is unlikely that government-run CAs did not get the message. I doubt that these CAs will risk getting permanently banned. I find it more likely that governments officially mandate the import of specific CAs by their citizens to allow SSL interception, which has the nice side effect of disabling pinning and CT too.
    – Steffen Ullrich
    Jan 3 at 16:49

  • 9
    Once caught being abused, government CAs will surely get distrusted like any other. The result will probably be permanent loss of reputation of the government as a certificate signer.
    – Joshua
    Jan 3 at 20:08

  • 3
    @Joshua What do you consider a free country? This happens in all western countries that people often consider "free" (e.g. USA, UK, Canada). Those governments seem to be going strong.
    – forest
    Jan 4 at 1:49

11

Even if you have the original CA certificates, the browser/OS might be modified to not properly check certificates. Or the browser/OS might be backdoored so that the plain data can be extracted directly from the application before encryption or after decryption. And such critical modifications or changes in the behavior might also be caused by the hardware you are using.

This means essentially you are asking how to make sure that the system you use (hardware, OS, software, configuration ...) has only the functionality you expect, i.e. has only the functionality intended by the vendor and developers (no backdoors or similar added later) and that this functionality does not include anything which can be used against you (no backdoors by vendor/developer, but also no critical bugs which might be used as a backdoor).

Unfortunately there is no mechanism to make fully sure that your system behaves like this. Ultimately it boils down to how much you can trust the delivery chain, both in terms of explicit backdoors but also regarding bugs (inadvertent backdoors). Delivery chain means how much you can trust the sources where you got your hardware and software from (vendors, downloads from the internet...) and also how the hardware and software got protected against tampering during transport from the source. And these sources usually use third party components too, which means the question of how much the delivery chain can be trusted must be extended further.

There are a few ways which can help to trust the delivery chain, but full trust is not possible. One way is to actually know your delivery chain in the first place and keep it small enough so that you can actually audit it. This also includes having less complex systems, since these allow for a smaller and easier-to-audit delivery chain. While this might be possible for some governments or really large companies which have to fear targeted attacks, it is practically impossible for normal end users. These might try to reduce the risk by buying only from trusted vendors though (maybe abroad if you don't trust local vendors), by minimizing what is downloaded from the internet and by making sure it always gets loaded via a secure transport. One might also try to compare critical parts (like local CA certificates or the CA used for a specific connection) with others.

There are also mechanisms like secure boot or certificate pinning which help to prevent or detect smaller modifications but might be simply bypassed by a more sophisticated attacker (government agencies) who might replace/disable the relevant checks if they control enough of the delivery chain.

In the end an unsophisticated end user does not have much chance to distinguish between normal and abnormal system behavior, since he does not have enough detail on what normal system behavior should look like in the first place. But assuming that attacks like replacing CA certificates or MITM using a government-controlled (and browser-trusted) CA will not target only such unsophisticated users but will be more widespread, it is likely that some more paranoid and also knowledgeable users will be affected and will detect the attack and warn others.

It is also likely that the attacker will not control enough of the delivery chain, especially if more or less free access to the internet is possible (i.e. mostly free access apart from some explicit blacklisting). In this case users might download software which has added protection, like the built-in SSL pinning for critical domains in browsers like Chrome or Firefox. On the other hand paranoid users can also be tricked into downloading software which claims to protect their privacy but instead is an espionage trojan.
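
The suggestion in the answer above to compare critical local parts such as the installed CA certificates with a reference can be automated. The following is an added example, not code from the answer or from any project: it records the SHA-256 fingerprints of the root certificates the Python `ssl` module loads from the platform trust store, stores them as a baseline, and on a later run reports every root that was added or removed since. The `--baseline`, `--check` and `--bundle` flags and the file layout are this example's own; the library calls (`ssl.create_default_context`, `SSLContext.load_verify_locations`, `SSLContext.get_ca_certs`) are Python standard library.

```python
"""Trust-store drift check (added example, not the answer's code).

Records the SHA-256 fingerprint of every root certificate the platform trust
store exposes to Python, so a later run can show which roots were added or
removed relative to a baseline taken from a known-good state.
"""
import hashlib
import json
import ssl
import sys
from typing import Dict, Iterable, List, Optional


def fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def snapshot(der_certs: Iterable[bytes]) -> List[str]:
    """Sorted, de-duplicated fingerprints: two snapshots of the same set of
    roots compare equal regardless of the order the platform enumerated them."""
    return sorted({fingerprint(c) for c in der_certs})


def load_roots(bundle: Optional[str] = None) -> List[bytes]:
    """DER bytes of the trusted roots.  Without a bundle path this uses the
    platform store as the ssl module sees it (Windows/macOS system stores, or
    OpenSSL's default cafile/capath elsewhere).  Caveat: OpenSSL loads a capath
    directory lazily, so on such systems pass the bundle file explicitly."""
    if bundle:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=bundle)
    else:
        ctx = ssl.create_default_context()
    return ctx.get_ca_certs(binary_form=True)


def diff(baseline: List[str], current: List[str]) -> Dict[str, List[str]]:
    """Fingerprints present in only one snapshot.  Review 'added' first: a root
    that was not in the baseline extends trust to issuers you did not trust
    when the baseline was taken."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b), "removed": sorted(b - c)}


if __name__ == "__main__":
    args = sys.argv[1:]
    bundle = args[args.index("--bundle") + 1] if "--bundle" in args else None
    if len(args) >= 2 and args[0] == "--baseline":
        current = snapshot(load_roots(bundle))
        with open(args[1], "w") as f:
            json.dump(current, f, indent=1)
        print(f"recorded {len(current)} roots in {args[1]}")
    elif len(args) >= 2 and args[0] == "--check":
        current = snapshot(load_roots(bundle))
        with open(args[1]) as f:
            result = diff(json.load(f), current)
        print(json.dumps(result, indent=1))
        sys.exit(1 if result["added"] or result["removed"] else 0)
    else:
        print("usage: trust_drift.py (--baseline|--check) FILE [--bundle CA_BUNDLE.pem]")
```

The baseline is only as good as the state it was taken from: record it on a fresh install, or cross-check it against the snapshot from a machine outside the network you distrust, as the answer suggests. The check covers the OS or OpenSSL store only; Firefox ships its own root store and has to be inspected separately. It detects a root added through the regular import mechanism, which is what a mandated CA import (as discussed in the comments above) would produce; it does not detect a tampered browser or OS, which is the delivery-chain point the answer makes.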

4

Yes. Check the certificate's issuing CA and its fingerprint and/or entire public key, which you can find by viewing the certificate details in your browser. Compare these against the values seen by another person or another computer outside of the domain of the relevant government's control. You could do this with a cheap VPS hosted in another country, using command line tools to make the TLS connection and dump the certificate info. You can also use Certificate Transparency logs to see if you're getting a different certificate from what's being presented to other users.
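
The two-vantage-point comparison this answer describes can be scripted so that both machines produce the same record. The following is an added example, not code from the answer: run with a hostname it performs a TLS handshake against the platform trust store and prints the leaf certificate's SHA-256 fingerprint and issuer as JSON; run with `--compare` it diffs two such records. Everything is Python standard library; the record layout and the flag name are this example's own.

```python
"""Cross-vantage TLS certificate comparison (added example, not the answer's code).

Run `python cert_compare.py HOST` on your own machine and on a machine outside
the network you distrust; each prints one JSON record.  Then run
`python cert_compare.py --compare local.json remote.json` to see whether both
vantage points were shown the same certificate.  Standard library only.
"""
import hashlib
import json
import socket
import ssl
import sys
from typing import Dict, List, Optional

Observation = Dict[str, Optional[str]]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated uppercase hex,
    the format `openssl x509 -sha256 -fingerprint` prints, so values can be
    compared with what the browser or openssl shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def flatten_name(name) -> str:
    """Flatten the nested tuple form ssl.getpeercert() uses for issuer/subject
    into one 'countryName=US, organizationName=..., commonName=...' string."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)


def observe(host: str, port: int = 443, timeout: float = 10.0) -> Observation:
    """Handshake with host:port using the platform trust store and record what
    the server presented.  A verification failure is recorded, not raised: a
    certificate the local store rejects is one of the signals of interest."""
    result: Observation = {"host": host, "fingerprint": None, "issuer": None,
                           "verify_error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["fingerprint"] = fingerprint(tls.getpeercert(binary_form=True))
                result["issuer"] = flatten_name(tls.getpeercert().get("issuer", ()))
    except ssl.SSLCertVerificationError as exc:
        result["verify_error"] = exc.verify_message
    return result


def compare(local: Observation, remote: Observation) -> List[str]:
    """Discrepancies between two observations of the same host; an empty list
    means both vantage points saw the same certificate from the same issuer."""
    findings = []
    for label, obs in (("local", local), ("remote", remote)):
        if obs["verify_error"]:
            findings.append(f"{label} handshake failed verification: {obs['verify_error']}")
    if local["issuer"] and remote["issuer"] and local["issuer"] != remote["issuer"]:
        # A different issuing CA is the strong signal: a site rotating
        # certificates normally keeps its issuer, a substituted one does not.
        findings.append(f"issuer differs: local '{local['issuer']}' vs remote '{remote['issuer']}'")
    elif local["fingerprint"] and remote["fingerprint"] and local["fingerprint"] != remote["fingerprint"]:
        # Same issuer, different leaf: common with load-balanced sites; a
        # prompt to look the fingerprint up in CT logs, not proof of anything.
        findings.append(f"same issuer but leaf certificate differs: local {local['fingerprint']} vs remote {remote['fingerprint']}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "--compare":
        with open(sys.argv[2]) as a, open(sys.argv[3]) as b:
            findings = compare(json.load(a), json.load(b))
        print("\n".join(findings) if findings else "no discrepancy between vantage points")
        sys.exit(1 if findings else 0)
    elif len(sys.argv) == 2:
        print(json.dumps(observe(sys.argv[1]), indent=2))
    else:
        print("usage: cert_compare.py HOST | cert_compare.py --compare LOCAL.json REMOTE.json")
```

Read the output with the answer's caveats in mind: a fingerprint mismatch with the same issuer is routine for large sites served from many edges, a different issuer for the same host at the same time is the finding worth investigating, and a handshake that fails verification on one side only tells you the two trust stores disagree about the chain. The fingerprint printed here is the value to look up in Certificate Transparency logs, which the answer also recommends.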

2

It is indeed a risk, and if you're going to do something that requires "real" security, let's say something like exchanging nuclear bomb codes, it is a real issue. Then again, it's not the biggest issue. The actors the attack passes through are not the government directly but CAs. A government always has access to the simple rubber-hose attack, so this is always going to be an issue as long as CAs are public entities subject to the rule of law (because that makes them subject to one or more governments and thus sensitive to pressure or plain old violence). As long as this attack is viable, the more refined certificate manipulations are pretty useless: they could force CAs to help them (and keep quiet about it) even if they are not CAs themselves.

If you need a higher level of confidence I would suggest turning to different approaches to communication, involving also (but not only) steganography and side channels, to reduce the visibility of your communications and thus reduce the probability of suffering attacks.

To delve into the situation a bit more, the idea that a CA can exhibit proof of correctness of its certificates is not yet very popular, but it could maybe be possible in a blockchain system. It would probably require significantly more calculations and so I doubt it's viable without some adjustments from the current industry. And even then, governments have a very big say in what cryptographic primitives are secure, so they could taint the very methods used to issue certificates. For example, I would like to refer you to the NSA's Bullrun program and, for a more detailed example, to the Dual_EC_DRBG backdoor theorized by Bruce Schneier and Niels Ferguson and later confirmed by Edward Snowden (an argument that I had the occasion to face during my studies before it was confirmed: Dual_EC_DRBG is potentially secure, but you've got to generate the curves used in the cryptographic primitive yourself, otherwise you're essentially trusting the NSA to give you good private keys; notice that this is not always the case with other algorithms).




        Some browsers use certificate pinning where important and high-profile domains are validated against a hardcoded list of permitted certificate authorities. Signing a fraudulent certificate for those domains would require compromising the CA that they currently use. Unfortunately, this only applies to a small handful of domains and does not protect the web at large.



        A partial solution would be to refuse to trust a domain without the .gov TLD whose certificate was issued by a government CA, which could be implemented client-side, but it would likely have little real-world impact. An adversarial government is not going to sign a malicious website with a state-run CA, since that would immediately attribute the attack to them. Rather, they would exploit covert relationships with existing CAs to trick them or force them into signing the certificate. CT, as mentioned in the previous paragraph, would detect this and the attack would be quickly noticed, but it does not prevent it.






        edited Jan 4 at 1:28

        answered Jan 3 at 9:40

        forest
        • 17

          "Once it has seen greater adoption" FYI, Certificate transparency has ~100% adoption as of last year. Chrome won't even trust new certificates that aren't logged in CT anymore. (Though I suppose it will still be possible for another year for a malicious CA to backdate certs to get around the requirement.)

          – Ajedi32
          Jan 3 at 15:50

        • 5

          "Nothing is preventing them from issuing their own certificate" - this is not fully true. Browsers like Chrome and Firefox have built-in certificate pinning for critical domains (google, facebook, mozilla, ...) and these will detect if a different CA than expected has issued a certificate for these sites. This is for example how the use of fake certificates for Google in Iran got detected when DigiNotar got hacked. While certificate pinning (and checking of CT) gets disabled for explicitly added CAs to facilitate legal SSL interception, it does not get disabled for the built-in CAs.

          – Steffen Ullrich
          Jan 3 at 16:44

        • 7

          Apart from certificate pinning, any built-in CA which wrongly issues certificates risks getting quickly removed from the CA store of the browsers or getting the specific sub-CA banned. This happened several times in the past now (DigiNotar, Starcom, WoSign, Symantec) and it is unlikely that government-run CAs did not get the message. I doubt that these CAs will risk getting permanently banned. I find it more likely that governments officially mandate the import of specific CAs by their citizens to allow SSL interception, which has the nice side effect of disabling pinning and CT too.

          – Steffen Ullrich
          Jan 3 at 16:49

        • 9

          Once caught being abused, government CAs will surely get distrusted like any other. The result will probably be permanent loss of reputation of the government as a certificate signer.

          – Joshua
          Jan 3 at 20:08

        • 3

          @Joshua What do you consider a free country? This happens in all western countries that people often consider "free" (e.g. USA, UK, Canada). Those governments seem to be going strong.

          – forest
          Jan 4 at 1:49













        11














        Even if you have the original CA certificates, the browser/OS might be modified to not properly check certificates. Or the browser/OS might be backdoored so that the plain data can be extracted directly from the application before encryption or after decryption. And such critical modifications or changes in behavior might also be caused by the hardware you are using.

        This means essentially that you are asking how to make sure that the system you use (hardware, OS, software, configuration ...) has only the functionality you expect, i.e. has only the functionality intended by the vendor and developers (no backdoors or similar added later) and that this functionality does not include anything which can be used against you (no backdoors by vendor/developer, but also no critical bugs which might be used as a backdoor).

        Unfortunately there is no mechanism to make fully sure that your system behaves like this. Ultimately it boils down to how much you can trust the delivery chain, both in terms of explicit backdoors but also regarding bugs (inadvertent backdoors). Delivery chain means how much you can trust the sources where you got your hardware and software from (vendors, downloads from the internet...) and also how the hardware and software got protected against tampering during transport from the source. And these sources usually use third party components too, which means the question of how much the delivery chain can be trusted must be extended further.

        There are a few ways which can help to trust the delivery chain, but full trust is not possible. One way is to actually know your delivery chain in the first place and keep it small enough so that you can actually audit it. This also includes having less complex systems, since these allow for a smaller and easier-to-audit delivery chain. While this might be possible for some governments or really large companies which have to fear targeted attacks, it is practically impossible for normal end users. These might try to reduce the risk, though, by buying only from trusted vendors (maybe abroad if you don't trust local vendors), by minimizing what is downloaded from the internet and by making sure it always gets loaded via a secure transport. One might also try to compare critical parts (like local CA certificates or the CA used for a specific connection) with others.

        There are also mechanisms like secure boot or certificate pinning which help to prevent or detect smaller modifications, but these might be simply bypassed by a more sophisticated attacker (government agencies) who might replace/disable the relevant checks if he controls enough of the delivery chain.

        In the end, an unsophisticated end user does not have much chance to distinguish between normal and abnormal system behavior, since he does not have enough detail of what normal system behavior should look like in the first place. But assuming that attacks like replacing CA certificates or MITM using government controlled (and browser-trusted) CAs will not target only such unsophisticated users but will be more widespread, it is likely that some more paranoid and also knowledgeable users will be affected and will detect the attack and warn others.

        It is also likely that the attacker will not control enough of the delivery chain, especially if more or less free access to the internet is possible (i.e. mostly free access apart from some explicit blacklisting). In this case users might download software which has added protection - like the built-in SSL pinning for critical domains in browsers like Chrome or Firefox. On the other hand, paranoid users can also be tricked into downloading software which claims to protect their privacy but instead is an espionage trojan.






            answered Jan 3 at 10:05

            Steffen Ullrich
                4














                Yes. Check the certificate's issuing CA and its fingerprint and/or entire public key, which you can find by viewing the certificate details in your browser. Compare these against the values seen by another person or another computer outside of the domain of the relevant government's control. You could do this with a cheap VPS hosted in another country, using command line tools to make the TLS connection and dump the certificate info. You can also use Certificate Transparency logs to see if you're getting a different certificate from what's being presented to other users.






                    answered Jan 3 at 21:03









                    R..
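The vantage-point comparison this answer describes, as an added example (not code from the answer's author): it records the leaf certificate a server presents to this machine, formats its SHA-256 fingerprint the way browser certificate viewers and `openssl x509 -fingerprint -sha256` do, and classifies that observation against fingerprints reported by observers elsewhere. The host names, vantage-point labels and fingerprints in the demo are constructed placeholders; `fetch_leaf_cert_der` needs network access, everything else runs offline.

```python
# Added example (not from the original post): compare the TLS certificate you
# receive with what observers outside the suspected network path receive.
# Host names, vantage-point labels and fingerprints below are constructed.
import hashlib
import socket
import ssl
import sys


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with TLS and return the server's leaf certificate as DER bytes.

    Verification is deliberately disabled: the goal is to record whatever
    certificate the network hands us (possibly from an interposed CA) so it
    can be compared, not to trust it for any application traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER encoding, in the AA:BB:... form certificate viewers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept colon-separated, spaced, upper- or lower-case hex from any tool."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def compare_observations(local_fp: str, remote_fps: dict) -> dict:
    """Classify the local observation against fingerprints from other vantage points.

    remote_fps maps a vantage-point label (e.g. a VPS in another country) to the
    fingerprint that vantage point observed for the same host and port.
    """
    local = normalize_fingerprint(local_fp)
    agree = sorted(v for v, fp in remote_fps.items() if normalize_fingerprint(fp) == local)
    disagree = sorted(v for v, fp in remote_fps.items() if normalize_fingerprint(fp) != local)
    if not remote_fps:
        verdict = "no-reference"
    elif not disagree:
        verdict = "consistent"    # everyone sees the same certificate
    elif not agree:
        verdict = "mismatch"      # only you see this cert: check issuer and CT logs
    else:
        verdict = "inconsistent"  # observers disagree among themselves (e.g. CDN regions)
    return {"verdict": verdict, "agree": agree, "disagree": disagree}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live use (network required): python check_cert.py example.org
        host = sys.argv[1]
        print(host, fingerprint_sha256(fetch_leaf_cert_der(host)))
    else:
        # Offline demo on constructed data: "local" stands for what this machine
        # saw; the remote values stand for two imaginary observers abroad.
        local = fingerprint_sha256(b"constructed-der-bytes-not-a-real-certificate")
        remotes = {"vps-country-A": local,
                   "vps-country-B": fingerprint_sha256(b"constructed-other-cert")}
        print(compare_observations(local, remotes))
```

A "mismatch" verdict is a reason to look closer, not proof of interception: large sites legitimately serve different certificates per region or per CDN edge, so the next step is to compare the issuing CA and to look the fingerprint up in a Certificate Transparency search such as crt.sh, as the answer suggests.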

                        It is indeed a risk and if you're going to do something that requires "real" security, let's say something like exchanging nuclear bomb codes, it is a real issue. Then again, it's not the greatest issue. The actors the attack passes through are not the government directly but CAs. A government always has access to the simple rubber-hose attack, so this is always going to be an issue as long as the CAs are public entities subject to the rule of law (because that makes them subject to one or more governments and thus sensitive to pressure or plain old violence). As long as this attack is viable, the more refined certificate manipulations are pretty useless: they could force CAs to help them (and keep silent about it) even if they were not CAs themselves.



                        If you need a higher level of confidence, I would suggest turning to different approaches to communication, involving also (but not only) steganography and side channels, to reduce the visibility of your communications and thus reduce the probability of suffering attacks.



                        To delve into the situation a bit more: the idea that a CA can exhibit proof of correctness of its certificates is not yet very popular, but it could maybe be possible in a blockchain system. It would probably require significantly more calculations, and so I doubt it's viable without some adjustments from the current industry. And even then, governments have a very big say in what cryptographic primitives are secure, so they could taint the very methods used to issue certificates. For example, I would refer you to the NSA's Bullrun program and, for a more detailed example, to the Dual_EC_DRBG backdoor theorized by Bruce Schneier and Niels Ferguson and later confirmed by Edward Snowden (an argument that I had the occasion to face during my studies before it was confirmed: Dual_EC_DRBG is potentially secure, but you've got to generate the curves used in the cryptographic primitive yourself, otherwise you're essentially trusting the NSA to give you good private keys; notice that this is not always the case with other algorithms).






                            edited Jan 3 at 17:39









                            schroeder











                            answered Jan 3 at 17:30









                            user3341700
