EFF: Gmail vulnerable to snooping: SSL certificates often faked

By | March 24, 2010, 6:12pm PDT

Summary: The Electronic Frontier Foundation released a report by Christopher Soghoian and Sid Stamm, Internet computer researchers, that suggests several international intelligence agencies can and regularly do inject revised SSL security certificates

The Electronic Frontier Foundation released a report by Christopher Soghoian and Sid Stamm, Internet computer researchers, suggesting that several international intelligence agencies can and regularly do inject revised SSL security certificates which, unbeknownst to the user, allow the traffic to be monitored by government agencies.

The EFF disclosed it is providing legal advice to the two researchers regarding the research work and what the draft paper discloses. The report doesn’t reveal anything new about the fact that government intelligence agencies regularly monitor Internet traffic. Intelligence agencies routinely monitor Internet, mobile (cellular) and landline voice and data traffic around the world. Where it becomes problematic is how the technique becomes a powerful tool for finding enemies of the state in regions of the world such as China and Iran, where Internet traffic is automatically distrusted. Any form of security that offers some kind of Internet privacy is a desirable tool for the user to have. But when those same tools expose the user, the results can literally prove fatal.

The draft research paper illustrates how governments can buy low-cost equipment and software to inject fake SSL certificates that look authentic and are trusted. The research paper documents how the United Arab Emirates government forced BlackBerry users to update their phones with software patches that allowed monitoring of all of the device’s features and applications, including email, and sent copies back to a central government server.

Google has stated that it had no Chinese security breaches of its email user accounts except in two ‘attempted’ accounts. Google has also published a tip on how to ‘monitor suspicious activity’ concerning Gmail. If the intelligence community is monitoring you, you’re not going to be able to detect a thing - end of story. Google later announced that SSL connectivity to its servers should alleviate user privacy and security concerns. According to Soghoian and Stamm, doing so won’t solve user security; in fact, where China is concerned, it actually makes it EASIER for user email messages to be intercepted, viewed and copied by the Chinese government.

I wonder if the NSA and Google will disclose how this impacts Google’s international users elsewhere. Google Gmail users in Canada, Australia, New Zealand, Japan, Sweden and Western Europe are vulnerable to these monitoring techniques. Any service that uses SSL is vulnerable to these techniques.

Additional resources:

US Strategic Command recognizes cyber security challenges

Intelligence community warns Senate committee of increased terror threats

Internet attack defense: License and registration please…

Homeland Security is based on human control; but demands high-tech logic and speed

Global cyberwar: Installed in your PC at home, the office and government

Internet: A threat to government or the other way around?

New White House cybersecurity chief faces uphill battle

Homeland Security hearing: Senators scratching heads over IT-related testimony


Biography

Doug Hanchard

Doug is the principal of Rapid Response Consulting, an advisory group that integrates ICT solutions. He has worked at some of the largest telecommunications firms in Canada, including Bell Canada, Telus and AT&T and is a guest lecturer for several universities and associations. He serves on several advisory boards in Canada and the United States.

He started in sales at a new national ISP in 1993, positioning internet access, web sites and network services, which began his path through telecommunications technologies from the early Bulletin Board Services (BBS) to the first web pages for commercial clients.

He became the National Data Network Service Manager for Frame Relay and Internet access for AccTel Enterprises, which was acquired (after 3 mergers already) by AT&T Canada. Interested in how marketing could expand service availability, he moved to Telus to become the Frame Relay / ATM Product Manager and expanded the network across Canada. In 2002 he went to Bell Canada, becoming a Solution Architect to get back to his passion for technology, working with enterprise clients. In 2006, he became the Director of R&D and Senior Solution Architect for Bell Canada Security Solutions Inc, developing I.P. based physical and logical security platforms and ICT services.

This position created new commercial concepts such as Crisis and Disaster technology solutions required for emergency use after an event occurred. He designed interoperable technologies and application combinations allowing any to any I.P. service through landline, broadband, satellite and wireless technologies to be deployed anywhere

Talkback Most Recent of 8 Talkback(s)

  • Avoid the Gmail web version 'like the plague'. Use an IMAP client
    Much safer and more reliable--less prone to down-time.

    I use Ubuntu Linux with Evolution and Spamassassin.
    Dietrich T. Schmitz GNU/Linux Advocate
    24th Mar 2010
  • that won't help..
    If you log into GMail with SSL enabled and let's say you're in Canada or another country other than the U.S., you could be obtaining an SSL certificate that has been modified, which then instructs the mail to be duplicated and sent to a different web server to be read and analyzed.

    This has nothing to do with Windows. Read the white paper by the researchers. It's a fascinating and worthwhile read.
    doug.hanchard@...
    24th Mar 2010
  • US does it regularly too, kit for it is now required
    for most ISPs by CALEA. SSL offers a little protection against civilian hackers and phishers, but it is completely wide open to attacks and monitoring by ISPs themselves at the behest of government authorities.
    terry flores
    25th Mar 2010
  • nothing to do with the ISP
    ...not really anyway.

    The user ISP would not be able to detect
    certificate modification. That said, if you
    define ISP as the provider of the SSL service
    "you" use, then yes, that is something that the
    provider needs to ensure that appropriate SSL
    certificate providers are trustworthy.

    The paper details the lack of oversight of
    certificate issuers. The paper is well done.

    Thanks for writing.
    Doug
    doug.hanchard@...
    25th Mar 2010
  • This has been discussed before...
    This has been discussed before for years. Anyway, the only thing you can be sure of when using an SSL connection is that the link is encrypted, but you know nothing about who or what is at the other side of the connection. All the EV (extended validation) work from the CAs is worth nothing when they face a court order (or just any national security-related request). And they cannot tell you they have done it.

    For those thinking this is a good or necessary thing... it is good or necessary for the State. If it is good for the rest of us that's a different story.

    Regards,

    MV
    MV_z
    25th Mar 2010
  • RE: EFF: Gmail vulnerable to snooping: SSL certificates often faked
    Huh, I never considered SSL something to protect email privacy. It has its place, but it doesn't do much to protect email content. Those emails are sitting on the server in plaintext, and they were transmitted to the server in plaintext. If you want to keep your emails private you need to at least encrypt the mails themselves. It may not completely stop someone like the NSA, but they'd have to *really* want to read your mail to have any chance of doing so.

    Unless you believe they've already cracked or backdoored the available encryption software. In which case, you'd probably best just keep your thoughts to yourself.

    Still, these certificate shenanigans are interesting.
    frylock
    25th Mar 2010
  • better encryption
    More proof that email providers need to offer better encryption, which is easy for me to shout out since I work in the industry - Thawte. Unfortunately email encryption is rarely viewed as an indispensable protection technology, not even by Google. If Gmail were protected by Extended Validation SSL it could become the go-to mail application for small-to-medium size business, but encryption keeps holding it back (probably due to financial reasons, to keep the email free?).
    gregorycreaser
    30th Mar 2010
