[AusNOG] Dutton decryption bill

Robert Hudson hudrob at gmail.com
Wed Aug 15 14:27:46 EST 2018 

On Wed, 15 Aug 2018 at 14:04, Martin - StudioCoast <
martin.sinclair at studiocoast.com.au> wrote:

> The root certificate would facilitate re-encrypting of the connection at
> the ISP end.
> Or the government could just force certificate authorities to hand over
> the private keys. There have been reports this might already have occurred
> in other countries.
>

A MITM attack,effectively?

That only works if the app chooses to use the root certificate in question
- effectively you load the root certificate into either the OS or the
application certificate store, and then use that certificate (or a
certificate that uses it as a root of its trust path) to encrypt the data.

The government then intercepts the data, decrypts it, then re-encrypts it
and passes it on to the destination.  It works with browsers because their
default behaviour is to trust the certs in the certificate store, and the
browser then sees the connection as secure (so you get a green address bar
or tick or whatever the browser chooses to display), but can actually be
foiled if the user bothers to check the certificate being presented and
finds that instead of the bank's SSL certificate, the browser tells them
that it's the government's root cert (or a subordinate of it) in use.

That won't work for apps that create their own encryption keys (or better
yet, rolls them over frequently), and certainly won't work for apps that
are specifically created to bypass government interception.

There have been discussions in the browser community on how to best deal
> with this, there are already a few approved certificate authorities out
> there with government ties:
> https://wiki.mozilla.org/CA:GovernmentCAs
>

Frankly, if a terrorist organisation or paedophile ring are using apps that
use a certificate store that the government can compromise, they're not
competent enough to be a problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180815/316c09e1/attachment.html>

More information about the AusNOG mailing list