
Sorry for the basic question, I'm still wrapping my head around the ins and outs of SSL and asymmetric encryption. In order to better test my understanding, I was considering the following thought experiment:

Given a CA is responsible for providing certificates, I was wondering whether (e.g. due to pressure from law enforcement authorities) they could create a new certificate that tricks a client into believing they are getting access to the website?

For example, suppose I want to start an e2ee service, like WhatsApp, or similar, could my clients be compromised if the government puts pressure on the CA I use? And just to make sure I understand properly, would my clients instead be safe if I used a self-signed certificate?

  • The scenario that you describe is very similar to the infamous breach of the DigiNotar CA in 2011. See https://security.stackexchange.com/questions/230689/if-an-adversary-took-over-a-major-certificate-authority-what-bad-things-could-t for more info. – mti2935 Aug 11 '23 at 21:09 (score: 1)
  • The answer is Yes - if they are a trusted CA, trusted by the operating system, they can pretend to be you, or anyone. This is the big problem with certificates. – Ben Aug 11 '23 at 22:34 (score: 1)
  • It's much easier for LE to seize your domain from the DNS registry, and then they can impersonate you by legitimately getting a DV cert, which is the (only) kind most people use now, probably including you. In fact that's what they actually do routinely. Even if you use IP address(es), which means in practice zero users, they can grab that. To avoid these you need to use Tor .onion, and then even if they do get a fake cert from a CA they can't reroute your traffic to it. – dave_thompson_085 Aug 12 '23 at 01:08 (score: 2)
  • @dave_thompson_085 thank you, that's really interesting. I think I'll have to look to better understand how onion URLs are formed. Otherwise, I suppose there's no solution where clients are made to verify a domain only if a certain agent has signed? Also, given you mentioned other types of certificates, is this something I could look into to find a solution? – fruitless fruit juice Aug 12 '23 at 19:40
  • In abstract the client can be configured to accept only certain CA(s), or certain end-user key(s), using public key pinning. But if the admin makes any mistake this frequently results in the website being unusable for a long time, and admins are human and make mistakes, so browsers abandoned it, making it basically unusable for a website. If you (write and) use a client app against an app server, that can do pinning if you wish, at least with some protocol stacks or libraries. ... – dave_thompson_085 Aug 14 '23 at 02:24
  • ... As referenced there, browsers today DO enforce 'transparency'; if a CA issues someone else a cert for 'your' domain, either because the domain is seized or because the CA is suborned or deceived, it must publicly log that cert and you can detect the impersonation, but you can't prevent it and you may or may not be able to effectively correct it. – dave_thompson_085 Aug 14 '23 at 02:28
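A concrete form of the public key pinning that dave_thompson_085 describes for a client app talking to your own server, written as an added example for this thread rather than code from any poster: a Go client-side check that accepts the handshake only if the leaf certificate's key hash is on an allow-list, so a certificate for the same name issued to a different key, whichever CA signed it, is rejected. The self-signed cert helper, the name example.test and the pin list are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the base64 SHA-256 of the cert's SubjectPublicKeyInfo (the HPKP pin form).
// It depends only on the key, so a cert for the same name with another key gets another pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// pinVerifier returns a callback for tls.Config.VerifyPeerCertificate. Go runs it after
// normal chain validation, so it adds "and the leaf key is one I expect" on top of CA trust.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil || !pins[spkiPin(leaf)] {
			return errors.New("leaf certificate unparsable or its public key is not pinned")
		}
		return nil
	}
}
// selfSignedDER makes a throwaway cert for name with a fresh key (constructed test data).
func selfSignedDER(name string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
func main() {
	legit, imposter := selfSignedDER("example.test"), selfSignedDER("example.test")
	leaf, _ := x509.ParseCertificate(legit)
	verify := pinVerifier(map[string]bool{spkiPin(leaf): true})
	fmt.Println(verify([][]byte{legit}, nil), verify([][]byte{imposter}, nil)) // <nil>, then a pin error
}
```

Plug the returned callback into tls.Config.VerifyPeerCertificate of your client; as the comments above warn, pin a backup key as well and plan rotation, or a routine key change locks your own clients out.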

0 Answers