EFF: Gmail vulnerable to snooping: SSL certificates often faked

Written by Doug Hanchard, Contributor

The Electronic Frontier Foundation (EFF) released a report by Christopher Soghoian and Sid Stamm, Internet computer researchers, suggesting that several international intelligence agencies can and regularly do inject revised SSL security certificates, leaving connections that, unbeknownst to the user, are being monitored by government agencies.

The EFF disclosed that it is providing legal advice to the two researchers regarding the research and what the draft paper discloses. The report doesn't reveal anything new about the fact that government intelligence agencies regularly monitor Internet traffic. Intelligence agencies routinely monitor Internet, mobile (cellular) and landline voice and data traffic around the world. Where it becomes problematic is how the technique becomes a powerful tool for finding enemies of the state in regions of the world such as China and Iran, where Internet traffic is automatically distrusted. Any form of security that offers some kind of Internet privacy is a desirable tool for the user to have. But when those same tools now expose the user, the results can literally prove fatal.

The draft research paper illustrates how governments can buy low-cost equipment and software to inject fake SSL certificates that look authentic and are trusted. The research paper documents how the United Arab Emirates government forced BlackBerry users to update their phones with software patches that allowed monitoring of all the device's features and applications, including email, copies of which were sent back to a central government server.

Google has stated that it had no Chinese security breaches of its email user accounts, except for two 'attempted' accounts. Google has also published a tip on how to 'monitor suspicious activity' concerning Gmail. If the intelligence community is monitoring you, you're not going to be able to detect a thing - end of story. Google later announced that SSL connectivity to its servers should alleviate user privacy and security concerns. According to Soghoian and Stamm, doing so won't solve user security and in fact, where China is concerned, it actually makes it EASIER for user email messages to be intercepted, viewed and copied by the Chinese government.

I wonder if the NSA and Google will disclose how this impacts Google's international users elsewhere. Google Gmail users in Canada, Australia, New Zealand, Japan, Sweden and Western Europe are vulnerable to these monitoring techniques. Any service that uses SSL is vulnerable to these techniques.
