Commentary by Seth Schoen and Eva Galperin
What’s worse than finding a worm in your apple? Finding half a worm.
What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.
People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.
The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.
This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.
Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn't make it any less acceptable to web browsers.
As the problems with the certificate authority system become clear, lots of people are working on ways to detect and mitigate these attacks. Chrome's pinning feature is available not only to Google web sites but to any webmaster; if you run an HTTPS site, you can contact the Chrome developers and get your site's keys hard-coded. Other browser vendors may implement a similar feature soon. The same result could also be achieved by giving web sites themselves a way to tell browsers what certificates to anticipate—and efforts to do this are now underway, building on top of DNSSEC or HSTS. Then browsers could simply not believe conflicting information, or at least provide a meaningful way to report it or warn the user about the situation.
EFF's own SSL Observatory aims to find attacks of this kind in the wild. Soon, our ability to do this will be expanded significantly as we deploy distributed certificate reporting features in HTTPS Everywhere and other browser add-on software; this will let users choose to tell us about the certificates they encounter for the sites they visit, letting us or other researchers or webmasters notice when people on a particular network or in a particular country are presented with an unusual certificate for a site. A new browser add-on called Convergence also aims to replace the certificate authority system entirely with a distributed reporting mechanism inspired by Perspectives. There are also further-reaching proposals to create new infrastructure for securely distributing cryptographic keys, and EFF is actively involved in research in this area.
The good news is that the computer security community is now taking this threat very seriously. Unfortunately, the bad news is spectacularly bad: users in Iran (or on any network where an eavesdropper had the key to this certificate) may have been vulnerable for two months. What's more, there are hundreds of certificate authorities in dozens of jurisdictions, and several have been tricked into issuing false certificates. So there may well be other certificates like this out there that we don't know about. That means almost all Internet users are still vulnerable to this sort of attack.