EFF: Gmail vulnerable to snooping: SSL certificates often faked


Summary: The Electronic Freedom Frontier released a report by Christopher Soghoian and Sid Stamm, Internet computer researchers, that suggests several international intelligence agencies can and regularly inject revised SSL security certificates


The Electronic Freedom Frontier released a report by Christopher Soghoian and Sid Stamm, Internet computer researchers, suggesting several international intelligence agencies can and do regularly inject revised SSL security certificates which, unbeknownst to the user, are being monitored by government agencies.

The EFF disclosed it is providing legal advice to the two researchers regarding the research work and what the draft paper discloses. The report doesn't reveal anything new regarding the fact that government intelligence agencies regularly monitor Internet traffic. Intelligence agencies routinely monitor Internet, mobile (cellular), and landline voice and data traffic around the world. Where it becomes problematic is how the technique becomes a powerful tool for finding enemies of the state in regions of the world such as China and Iran, where Internet traffic is automatically distrusted. Any form of security that offers some kind of Internet privacy is a desirable set of tools for the user to have. But when those same tools now expose the user, the results can literally prove fatal.

The draft research paper illustrates how governments can buy low-cost equipment and software to inject fake SSL certificates that look authentic and are trusted. The research paper documents how the United Arab Emirates government forced BlackBerry users to update their phones with software patches that allowed monitoring of all the device's features and applications, including email, copies of which were sent back to a central government server.

Google has stated that it had no Chinese security breaches of its email user accounts except in two 'attempted' accounts. Google has also published a tip on how to 'monitor suspicious activity' concerning Gmail. If the intelligence community is monitoring you, you're not going to be able to detect a thing - end of story. Google later announced that SSL connectivity to its servers should alleviate user privacy and security concerns. According to Soghoian and Stamm, doing so won't solve user security and in fact, where China is concerned, it actually makes it EASIER for user email messages to be intercepted, viewed and copied by the Chinese government.

I wonder if the NSA and Google will disclose how this impacts Google's international users elsewhere. Google Gmail users in Canada, Australia, New Zealand, Japan, Sweden and Western Europe are vulnerable to these monitoring techniques. Any service that uses SSL is vulnerable to these techniques.
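A certificate issued by any CA the browser trusts passes normal validation, which is why the substitution described above is invisible to standard checks. One defensive check, as an added example that is not from the article or the researchers' paper: remember each host's certificate fingerprint and issuing CA, and flag a change of issuer. The host name, CA names and DER bytes below are constructed; the certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib

def issuer_field(cert, name):
    """Pull one attribute from the issuer, in ssl getpeercert() dict form."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def observe(store, host, cert, der):
    """Compare a presented certificate with the one remembered for host.

    Chain validation is assumed to have passed already; a certificate
    from a different trusted CA would pass it too.
    """
    seen = {
        "fp": hashlib.sha256(der).hexdigest(),
        "org": issuer_field(cert, "organizationName"),
        "country": issuer_field(cert, "countryName"),
    }
    prev = store.get(host)
    if prev is None:
        store[host] = seen              # trust on first use
        return "first-seen"
    if prev["fp"] == seen["fp"]:
        return "unchanged"
    if prev["country"] != seen["country"]:
        return "issuer-country-changed"  # strongest signal; pin is kept
    if prev["org"] != seen["org"]:
        return "issuer-changed"          # pin is kept until reviewed
    store[host] = seen                   # same CA, new key: routine renewal
    return "reissued"

def make_cert(org, country):
    # Constructed sample in getpeercert() layout (issuer only).
    return {"issuer": ((("countryName", country),),
                       (("organizationName", org),))}

HOST = "mail.example.test"               # constructed host name
SAMPLES = [                              # constructed observations, in order
    (make_cert("Example CA One", "US"), b"constructed-der-1"),
    (make_cert("Example CA One", "US"), b"constructed-der-1"),
    (make_cert("Example CA One", "US"), b"constructed-der-2"),
    (make_cert("Example CA Two", "US"), b"constructed-der-3"),
    (make_cert("Example CA Three", "XX"), b"constructed-der-4"),
]

def demo():
    store = {}
    return [observe(store, HOST, cert, der) for cert, der in SAMPLES]
```

With a live connection, `cert` would come from `getpeercert()` and `der` from `getpeercert(binary_form=True)`; the first-use observation has to be made on a network path that is not already intercepted.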

Additional resources:

US Strategic Command recognizes cyber security challenges

Intelligence community warns Senate committee of increased terror threats

Internet attack defense: License and registration please...

Homeland Security is based on human control; but demands high-tech logic and speed

Global cyberwar: Installed in your PC at home, the office and government

Internet: A threat to government or the other way around?

New White House cybersecurity chief faces uphill battle

Homeland Security hearing: Senators scratching heads over IT-related testimony

  • Avoid the Gmail web version 'like the plague'. Use an IMAP client

    Much safer and more reliable--less prone to down-time.

    I use Ubuntu Linux with Evolution and Spamassassin.
    Dietrich T. Schmitz GNU/Linux Advocate
    • that won't help..

      If you log into GMail with SSL enabled and let's say you're in Canada or another country other than the U.S., you could be obtaining an SSL certificate that has been modified, which then instructs the mail to be duplicated and sent to a different web server to be read and analyzed.

      This has nothing to do with Windows. Read the white paper by the researchers. It's a fascinating and worthwhile read.
  • US does it regularly too, kit for it is now required

    for most ISPs by CALEA. SSL offers a little protection against civilian hackers and phishers, but it is completely wide open to attacks and monitoring by ISPs themselves at the behest of government authorities.
    terry flores
    • nothing to do with the ISP

      ...not really anyway.

      The user ISP would not be able to detect
      certificate modification. That said, if you
      define ISP as the provider of the SSL service
      "you" use, then yes, that is something that the
      provider needs to ensure that appropriate SSL
      certificate providers are trustworthy.

      The paper details the lack of oversight of
      certificate issuers. The paper is well done.

      Thanks for writing.
  • This has been discussed before...

    This has been discussed before for years. Anyway, the only thing you can be sure of when using an SSL connection is that the link is encrypted, but you know nothing about who or what is at the other side of the connection. All the EV (extended validation) work from the CAs is worth nothing when they face a court order (or just any national security-related request). And they cannot tell you they have done it.

    For those thinking this is a good or necessary thing... it is good or necessary for the State. If it is good for the rest of us that's a different story.


  • RE: EFF: Gmail vulnerable to snooping: SSL certificates often faked

    Huh, I never considered SSL something to protect email privacy. It has its place, but it doesn't do much to protect email content. Those emails are sitting on the server in plaintext, and they were transmitted to the server in plaintext. If you want to keep your emails private you need to at least encrypt the mails themselves. It may not completely stop someone like the NSA, but they'd have to *really* want to read your mail to have any chance of doing so.

    Unless you believe they've already cracked or backdoored the available encryption software. In which case, you'd probably best just keep your thoughts to yourself :)

    Still, these certificate shenanigans are interesting.
  • better encryption

    More proof that email providers need to offer better encryption, which is easy for me to shout out since I work in the industry-Thawte. Unfortunately email encryption is rarely viewed as an indispensable protection technology, not even by Google. If Gmail were protected by Extended Validation SSL it could become the go-to mail application for small-to-medium size business, but encryption keeps holding it back (probably due to financial reasons, to keep the email free?).