How the NSA, and your boss, can intercept and break SSL

How the NSA, and your boss, can intercept and break SSL

Summary: Most people believe that SSL is the gold-standard of Internet security. It is good, but SSL communications can be intercepted and broken. Here's how.

SHARE:

Is the National Security Agency (NSA) really "wiretapping" the Internet? Accused accomplices Microsoft and Google deny that they have any part in it and the core evidence isn't holding up that well under closer examination.

Some, however, doubt that the NSA could actually intercept and break Secure-Socket Layer (SSL) protected Internet communications.

Ah, actually the NSA can.

And, you can too and it doesn't require "Mission Impossible" commandos, hackers or supercomputers. All you need is a credit-card number.

There are many ways to attack SSL, but you don't need fake SSL certificates, a rogue Certification Authority (CA), or variations on security expert Moxie Marlinspike's man-in-the-middle SSL attacks. Why go to all that trouble when you can just buy a SSL interception proxy, such as Blue Coat Systems' ProxySG or their recently acquired Netronome SSL appliance to do the job for you?

Blue Coat, the biggest name in the SSL interception business, is far from the only one offering SSL interception and breaking in a box. Until recently, for example, Microsoft would sell you a program, Forefront Threat Management Gateway 2010, which could do the job for you as well.

There's nothing new about these services. Packer Forensics was advertising appliances that could do this in 2010. The company is still in business and, while they're keeping a low profile, they appear to be offering the same kind of devices with the same services.

Here's how they work. First, if you know networking, this, at a high-level, is how you assume SSL is working for you:

SSL-Handshake
How SSL normally works (Credit: Dell SecureWorks)

The client asks for a secure-connection and the server says sure and we're off to handshaking our way to a secure connection. The client, typically a Web-browser but it can also be an e-mail, cloud-storage or some other kind of network service client, replies with what kind of SSL it can handle and the client and server compare notes on identity certificates and cryptographic keys until they come to an agreement that they can set up a secure transport layer. At this point, most of you assume that you have a secure end-to-end connection.

Maybe. Maybe not.

With an SSL interception proxy program or device in place, here's what really happens:

SSL-Interception-Proxy
With an SSL proxy acting as a man-in-the-middle, this is how your "secure" traffic can be read by others. (Credit: Dell SecureWorks)

The SSL proxy intercepts traffic between your computer and the Internet. When you surf to a "secure" site, it, and not your browser, get the real Web server certificate and handles setting up a perfectly good SSL connection between it and the Web server. The proxy then sends you a digital certificate, which looks like the Web server's certificate, and sets up a "secure" connection between your browser and the proxy.

If your company has set up the proxy correctly you won't know anything is off because they'll have arranged to have the proxy's internal SSL certificate registered on your machine as a valid certificate. If not, you'll receive a pop-up error message, which, if you click on to continue, will accept the "fake" digital certificate. In either case, you get a secure connection to the proxy, it gets a secure connection to the outside site -- and everything sent over the proxy can be read in plain text. Whoops.

Now if your company can do this at your business' firewall couldn't the NSA do something like this at a tier-one ISP? At a major company's Web hosting facility? I don't see why not. After all the NSA set up Room 641A at what was then AT&T's 611 Folsom St. building in the mid-2000s for surveillance.

Is the NSA reading your e-mail and looking over your shoulder when you visit NaughtyNursesNamedNancy.com? I doubt it. With techniques like traffic and metadata analysis, they don't need to bother with that level of detail for the vast majority of people. Technically speaking could they do it? Yes. Easily and just by modifying commercial off-the shelf (COTS) hardware and software.

Related Stories:

Topics: Security, Government, Government US, Networking, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

46 comments
Log in or register to join the discussion
  • Good article

    use to think Santa Clause was the only one with those powers, but move over Santa the NSA's got you beat.
    DancesWithTrolls
    • Ditto, with DancesWithTrolls great article

      ...
      RickLively
      • Its easy to detect proxies

        Just try and like a few news sources. On ZDNet, double posts would land you in trouble in the past. Though they have dealt with it some time ago. The key is that most small sites dont have the resources to do so. These are these are excellent test sites food proxies.
        Uralbas
        • try and test your network speed

          And look at the closest site. If its no where near you or by or ISP, you ARE being watched.
          Uralbas
  • Thanks

    I wonder if any of the press has asked Google/Facebook/etc whether they have surrendered copies of their SSL/TLS secret-keys over to the NSA. The NSA is a client of Packet Forensics, Llc.
    mvario
    • @mvario

      Adding with your comment, DOD uses the Blue Coat Systems' ProxySG systems.
      RickLively
    • No need to for companies to hand over anything

      If those companies have minimally responsible procedures, they *cannot* hand over their secret keys because they will be stored in certificate repositories from where they cannot be exported. At least if they use HSM (hardware security modules), dedicated TLS/SSL offloading hardware or Windows Server for TLS/SSL processing.

      TLS/SSL certificate requests can be generated and signed by cert authorities without the private key ever being transmitted through certificate requests. So in *theory* that part is perfectly secure.

      The *big* problem lies in the comparatively lax procedures for *issuing* TLS/SSL certificates. A large number of organizations around the world are allowed to issue (and digitally sign) SSL certs. They can issue "rogue" certificates for your domain names without you knowing about it. There is no regime in place where they have verify the request with the domain owner. They are not *supposed* to issue such certificates, but there is nothing *preventing* them from doing it.

      Which means that we have seen rogue cert authorities which have been set up by malicious organizations (and some governments as well) to *appear* as legitimate authorities but whose real raison d'être is to supply the shady organization with signed certs.

      We have also seen a number of downright incompetent cert authorities who have had their networks compromised to an extent where the bad guys could issue certs at their own whim.

      The point is, if you have an organization who is capable at intercepting the traffic between you and the internet infrastructure they can easily get their hands on certs that look legitimate to the browsers, and thus intercept and decrypt/encrypt the traffic.

      They don't need the companies to hand over keys at all. The difficult part is intercepting the traffic. And that is probably not too difficult for organizations like the NSA.
      honeymonster
  • Interesting

    SJVN,

    This implies the NSA could intercept all US-based traffic if they set these proxies in the correct physical locations. I wonder how miuch credit card fraud the NSA is doing and its being blamed on Russian, Chinese, etc hackers.

    My question is could the NSA set up proxies and traffic sniffers on the backbone in such a manner to monitor virtually all the traffice and yet leave companies like Apple or Google in the dark. The scenario I envision is the NSA has a valid FISA warrant for limited traffic monitoring. But when they install the necessary hardware and software at say Apple (example only) what is installed has capabilities well beyond the warrant and is set up to collect data beyond the scope of the warrant by the NSA. Since Apple, in this example, must allow the installation by the NSA and Apple does not know exactly what is installed - basically black boxes - they are uwilling dupes of the NSA. So when this blows up, Apple legitimately does not know what was installed was illegal and part of this program. I would not be surprised if only sketchy details of the cover warrant were ever provide - enough to ensure NSA access to install the black boxes.
    Linux_Lurker
    • You really think the NSA commits credit fraud?

      The dirty tricks is CIA I believe. NSA in not a domestic priority. The NSA is not the credit fraud agency, either enforcement or commission. Lol Of course if your worried about credit card fraud don't use one! Send your check in the mail.
      Altotus
    • The NSA isn't short on cash and doesn't need to engage in credit card fraud

      Personally I think you should focus on the actual bad things the NSA is doing, not the easily refutable things that they might hypothetically be doing.
      revsorg
      • Not for the cash

        But for creating panic, 911 style.
        danbi
  • WRONG!

    You have glossed over some VERY IMPORTANT details. This style of MITM attack only works seamlessly if the proxy's fake CA is trusted by the client. This is relatively easy in a corporate environment where the company owns the client and controls the operating system. IT IS NOT EASY IN NON-CORPORATE ENVIRONMENTS. There is no mechanism for a third-party (the NSA, your ISP, Chinese hackers, etc.) to make arbitrary clients trust their fake CA.

    I'm not saying SSL is "safe" -- I'm just saying the attack you're describing is only effective under limited circumstances. There are certainly other attacks, including fake certs and rogue CA's, that can fool arbitrary clients. However, those attacks are not easy.
    johndoe445566
    • Maybe not wrong, but definitely "not so easy"

      All it takes is one technically apt person to notice that their facourite web site suddenly has a different certificate and the whole scheme is in deep trouble.
      agtrier
    • Yes there is

      The NSA can set up a "fake" root or intermediate certificate authority or compromise an existing certificate authority. A company like godaddy has obtained the rights to issue certificates. How hard do you think it would be for the NSA to set up a shim operation and obtain a intermediate authority certificate?

      Of course, they would need to be careful not make it too obvious that they have issued certs for e.g. google.com, facebook, bing etc. But if they control the infrastructure at a few central points they can intercept and use those certs only for the subjects they are interested in eavesdropping on.

      If all traffic to google.com suddenly was encrypted with a different certificate from that on googles servers, that would elevate the risk that someone would notice. But if only *select* traffic were intercepted this way you nobody else would be in a position to discover the eavesdropping.
      honeymonster
      • Ignoring Certificate Pinning

        Companies like Google employ certificate pinning which is one of the reasons Google were notified of the fake certificates issued last year.

        Even if the NSA had a CA root out their this would counter that.
        andygambles
        • certificate pinning

          This does not scale.
          danbi
      • Breaking SSL is harder than you think

        @honeymonster: "The NSA can set up a "fake" root or intermediate certificate authority"

        Anybody can set up a CA. The hard part is getting arbitrary clients to trust it.

        You need to convince Microsoft, Mozilla, Apple, Google, etc. to add your CA to their trusted CA list. This isn't trivial, and it's also highly visible. The world will see that a new root CA got added, and start asking questions about it. (Some would say it's too easy to become a root CA, and that rouges can get in, but that's a separate discussion).


        @honeymonster: "or compromise an existing certificate authority."

        I'll stipulate that the NSA can do damn near anything they want if they're willing to break the law. Somebody is going to jail (or hoping for a presidential pardon) if they get caught compromising a CA.


        @honeymonster: "How hard do you think it would be for the NSA to set up a shim operation and obtain a intermediate authority certificate?"

        Hard. They would need the root CA's cooperation, which no CA would provide voluntarily.


        @honeymonster: "they can intercept and use those certs only for the subjects they are interested in eavesdropping on. ... if only *select* traffic were intercepted this way you nobody else would be in a position to discover the eavesdropping."

        Being very selective might delay discovery, but is unlikely to prevent it. Somebody will eventually notice. Also, many of the "big names" are also the best targets for NSA interception (e.g. gmail, Hotmail, Yahoo, etc.).
        johndoe445566
    • not easy?

      It is trivial.

      You run the site thegreatsite.com? Fine, I own an CA, recognized by your browser.
      One day, I issue an SSL certificate for thegreatsite.com, signed by my very own CA. I don't tell anybody.

      Will your browser trust it? Answer for yourself.
      Now, open the list of trusted CAs in your browser. How many of those entities you recognize? Your browser trusts all these parties, for any domain name.
      SSL PKI is just hopelessly broken.

      Do you still believe those attacks are not easy?
      danbi
  • Not so wrong

    Well, johndoe445566, the author did talk about a company doing this, not from a home computer. However, the technique would still work pretty much 100% of the time for a couple of reasons.

    First, the vast majority of ordinary internet users will see the browser pop up the question about a fake certificate and go "Eh! Shut up, stupid computer" and click the link to accept the certificate. This is the same reason social engineering attacks work.

    The second thing that occurred to me is that if the fake certificate is what makes a MITM attack harder, then all the national sigint agencies around the world simply need to obtain a certificate that has been signed by a trusted global certificate authority, like Verisign or Thwate. If you are a legitimate signals intelligence agency, why use a rogue CA when you can use a real one? A real certificate will certainly fool any arbitrary client. All you have to do is place all your proxies in the right locations to grab whatever traffic you're looking for.

    Having said that, while the agencies could read personal and private stuff, there's so much traffic and they are chasing such specific material that I'm not really all that concerned about losing my privacy. My stuff is lost in a sea of data.
    koalaboy
    • Technical flaw vs. human problem

      @Peter: "the vast majority of ordinary internet users will see the browser pop up the question about a fake certificate and ... click the link to accept the certificate."

      I agree that the vast majority of Internet users are clueless about security. Where we may disagree is whether SSL can be blamed for this.

      The title of the article is "How the NSA, and your boss, can intercept and break SSL". I consider that alarmist hyperbole, bordering on irresponsible. "Lots of people ignore security warnings and shoot selves in foot" would be more accurate.


      @Peter: "all the national sigint agencies around the world simply need to obtain a certificate that has been signed by a trusted global certificate authority, like Verisign or Thwate."

      No. To fool arbitrary clients, the NSA would need the PRIVATE KEY for a trusted CA's root cert. This would let them create fake certs for any site. CA's are supposed to guard their private keys as if their (corporate) life depends on (because it does), so getting the key wouldn't be easy. Could the US government twist Verisign's arm so hard that they coughed up their keys? I guess anything is possible, but I doubt it.
      johndoe445566