Skip to content

Instantly share code, notes, and snippets.

@alex
Last active June 19, 2020 01:20
Show Gist options
  • Save alex/5760270 to your computer and use it in GitHub Desktop.
Save alex/5760270 to your computer and use it in GitHub Desktop.

Guide to how fucked is SSL?

Thanks to Jacob Kaplan-Moss, Donald Stufft, David Reid, Allen Short, Zain Memon, and Chris Armstrong for review.

This is a guide for technical individuals to understand in what circumstances SSL communications are secure against an observer-in-the-middle (for all intents and purposes: the NSA).

How does SSL work?

The way SSL works is that when you got your operating system or browser, it had a list of Certificate Authorities (CA), basically a list of public keys. At some point google.com bought an SSL certificate from some CA, say Verisign, Verisign signed google's private key. When you make a connection to google.com it verifies that the SSL certificate it provides really was signed by a root certificate, and all communication is encrypted using standard public key cryptography.

What types of observers are there?

There are two types of observers-in-the-middle (OITM), active and passive:

Passive observers record all traffic (either decrypted, or for later decrypting), they in no way alter it.

Active observers read all messages, decrypt them (if encrypted), possibly rewrite them, record them, re-encrypt them (if originally encrypted) and send them on to their destination.

How can SSL be fucked?

Verisign gives the NSA their private key

If this happens, then the NSA is able to sit between you and google.com and it can rewrite all of google.com's traffic to say that it's certificate is some other one, which they created and signed using Verisign's private key. Note that this works for any CA, it doesn't have to be the CA that signed google.com's original key.

This requires an active observer.

Prevention: This can be prevented by using certificate pinning. Pinning works by requiring that a given host must be identified by a specific public key. There is currently no general, widely deployed, mechanism for certificate pinning. Google Chrome includes a list of pinned hosts, and tack.io is a proposal for a general purpose pinning system.

google.com gives the NSA their private key

If this happens then the NSA is able to read all encrypted traffic to and from google.com.

This works with either an active or passive observer.

Prevention: This can be prevented by perfect forward secrecy (PFS). Essentially PFS works by using two secret keys, the private key, and a second, per session key, exchanged using a Diffie-Hellman key exchange. This will protect against passive observers, but is still vulnerable to active observers.

The NSA has a lot of computation power

The NSA is able to read individual messages, reading all traffic would (probably) be too much computering.

This works with either an active or passive observer.

Prevention: Increase key-sizes used in certificates.

RSA is broken

We're all fucked.

This works with either an active or passive observer.

Prevention: Turn off your computer.

Conclusion

If the NSA has google.com's private key and is performing an active attack then you're screwed. Against a passive attack PFS and certificate pinning will thwart attacks. If the NSA broke RSA or has a lot of computers, we're all fucked.

Remember: google.com is just an example, and computer refers to any networked device (e.g. your phone, your tablet, your television...).

@kmcallister
Copy link

Another big problem is that most non-browser SSL clients don't check certificates properly and so are vulnerable to a MITM attack with no special key knowledge.

Also I don't know if you consider this in scope, but the NSA can just hack your browser using one of the 0-days they're sitting on, and then no amount of transport encryption helps.

@rryan
Copy link

rryan commented Jun 12, 2013

Since you're using Google as an example, you should mention that Google has used Perfect Forward Secrecy since 2011.
http://googleonlinesecurity.blogspot.com/2011/11/protecting-data-for-long-term-with.html

@michael-gebis
Copy link

Is it worth mentioning the possibility that various symmetric key portions of ciphersuites could be broken? For example, if RC4 has an unknown vulnerability, the effective key space could be small enough for the NSA to attack that way.

@jcdickinson
Copy link

You missed a prevention in your "the CA gives the eaves-dropper their private key" (or it's compromised, that's also a possibility - forget the government). If, in this case, Google is a not also in cahoots with the eaves-dropper you can use client certificate authentication/mutual authentication, depending on the cipher used.

@pjbakker
Copy link

But even the PFS ciphersuites cannot prevent real access by the NSA, as they can just instruct Google to not give them the private key, but just save and relay the actual session keys over some private wire.

In the case Google is colluding with the NSA, we're screwed any way they like it..

One of the additional problems is that most big sites have non-ephemeral ciphersuites prioritized over ephemeral (PFS) ciphersuites (if they offer them at all) in their list. And as the server makes the final decision for the selected ciphersuite, this means that the client still uses non-ephemeral suites if both parties support them.

My guess: SSL accelerators cause this as they prefer non-ephemeral suites that do not require additional per-connection storage and session key generation.

Source: I'm the maintainer of one of the SSL libraries

@zzz6519003
Copy link

不明觉厉
don't know why, but think it's Big

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment