Spooks in the Middle: How the Home Office might break HTTPS

It was reported yesterday that the Home Office are now saying that they’re not worried about encryption, because they can look inside HTTPS. Most people’s reaction is that this isn’t possible, or at least isn’t easy unless you’re going to throw huge resources at the problem. (Edit: Privacy International have reported this in more detail)

Sadly, it’s not that hard – but it has worrying implications.

The technical bit

There’s been a trick used by large corporate IT departments for a while to check on what employees are doing, which they often need to do for regulatory compliance. It works because the IT department controls your PC and they can tell it what Certificate Authorities (CAs) to trust to authenticate remote sites. The proxy you use to access the internet has a root CA on it that your PC has been told to trust, so it can create apparently legitimate-looking certificates on-the-fly for any web site on the internet you visit.

This is known as a “Man-in-the-Middle” attack, because you’re sitting between A and B and altering the communications, rather than just listening to them passively. It’s also out there and used today – here’s an example of a commercial device that uses this technique.

That’s fine for corporates, because they control the end devices. However, things became a little scarier earlier this year when one of the real root Certificate Authorities broke the trust of the community.

CAs don’t use their highest level certificates for day-to-day signing. Those certificates are installed in every web browser out there and they have to negotiate with browser manufacturers individually if they’re to change them, so if they’re compromised it’s game over for them. Instead, they generate an “intermediate root” certificate and use that, so it can be revoked if someone leaks it. The real root key stays locked in a safe somewhere. One root CA, Trustwave, didn’t just generate intermediate roots for its own use, however: it also generated one for use in one of these snooping devices.

Unsurprisingly, the shit hit the proverbial fan: Mozilla threatened to revoke their CA status (which would have ended them as a company), and Trustwave apologised and promised never to do it again.

Back to where we are today

It seems likely that if the Home Office think they can break HTTPS, they’ve spoken to someone with one of these magic SSL snooping boxes and also spoken with a root CA willing to let them have a certificate. If that’s the case, it’s concerning because they think it’s acceptable not just to listen in on traffic but to alter it in transit in order to glean the contents. We’ve seen the unintended consequences of such actions before, when the Internet Watch Foundation listed Wikipedia as a child porn hosting site.

I can see nothing in the proposed Bill that would act as a safeguard against the Home Office mandating that ISPs engage in such behaviour.

Luckily, it probably won’t work. The moment a CA is caught giving the Home Office a root certificate, Mozilla would likely revoke it. The Home Office can lean on Apple, Google and Microsoft as corporate entities to play along, but Mozilla is run by the community and it’s going to be hard to pull the wool over everyone’s eyes there.

You wouldn’t be able to get on a site without being snooped on, but at least your browser will pop up lots of warnings letting you know that Big Brother is watching.

P.S. If you’re worried about this sort of attack being used on you, I can recommend Certificate Patrol for Firefox. It pops up quite a few false-positives, but will give a pretty good clue if something suddenly causes all your certificates to change.
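The idea behind that recommendation, as an added sketch that is not part of the original post and not Certificate Patrol’s own code: remember the certificate and issuing CA seen for each site, treat a renewal by the same issuer as routine, and raise the alarm when several sites switch to one previously unseen issuer at once. The class name, threshold and byte strings are constructed for illustration; `issuer_der` is assumed to be the issuing CA certificate from the chain the server presented.

```python
import hashlib
from collections import defaultdict

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class CertWatch:
    """Trust-on-first-use record of the certificate and issuer seen per host."""

    def __init__(self, mass_change_threshold=3):
        self.pins = {}                    # host -> (leaf fp, issuer fp)
        self.switched = defaultdict(set)  # unexpected issuer fp -> hosts seen with it
        self.threshold = mass_change_threshold

    def observe(self, host, leaf_der, issuer_der):
        leaf, issuer = fp(leaf_der), fp(issuer_der)
        old = self.pins.get(host)
        if old is None:
            self.pins[host] = (leaf, issuer)
            return "new"
        if old[0] == leaf:
            return "same"
        if old[1] == issuer:
            # Same CA, fresh certificate: routine renewal, the usual false positive.
            self.pins[host] = (leaf, issuer)
            return "renewed"
        # Different issuer: keep the old pin so every later sighting is flagged too.
        self.switched[issuer].add(host)
        if len(self.switched[issuer]) >= self.threshold:
            return "intercepted"  # many sites re-signed by one CA: consistent with a proxy
        return "changed"

def demo():
    # Constructed stand-ins for DER bytes; real input would come from the TLS handshake.
    ca1, ca2, proxy = b"constructed-CA-1", b"constructed-CA-2", b"constructed-proxy-CA"
    watch = CertWatch()
    for host, leaf, ca in [("a.example", b"leaf-a1", ca1), ("b.example", b"leaf-b1", ca1),
                           ("c.example", b"leaf-c1", ca2), ("d.example", b"leaf-d1", ca2)]:
        watch.observe(host, leaf, ca)
    later = [("a.example", b"leaf-a2", ca1),     # renewal by the same CA
             ("b.example", b"leaf-b1", ca1),     # unchanged
             ("b.example", b"forged-b", proxy),  # re-signed on the fly
             ("c.example", b"forged-c", proxy),
             ("d.example", b"forged-d", proxy)]
    return [watch.observe(*obs) for obs in later]

if __name__ == "__main__":
    print(demo())
```

A single site moving to a different CA only rates "changed"; it is the cluster of sites all re-signed by one issuer that separates interception from ordinary certificate churn.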

5 comments

  1. I believe that even with this SSL man-in-the-middle attack you will have trouble finding the host header to sign the certificate with.

    Unless you have a manual proxy then you will not see the CONNECT string sent. Which means you have to establish SSL first before being able to read the host header which could mean you get invalid certificate errors as the host header doesn’t match the name on the certificate.

    1. The Magic-SSL-Box (for want of a better name) can get the real certificate, complete with all the certificate information required, by connecting to the intended target site. It then generates its own version with identical information.

    1. I like the idea, but I’ve been playing with it since you posted this and it seems to still have a few implementation problems. It seemed to be OK with self-signed certificates I’m 90% certain no other Convergence user will have ever seen, but failed others – and when it fails, it tends to just stop you accessing the site and there’s nothing you can do about it.

      Some cross between a convergence-style approach and DNSSEC (With public keys or a hash of them held in DNS) seems the way forward.
