MITM attacks with CA private key

There are tons of messaging tools and servers out there, each with its own private key. Stealing the private key from every server takes effort. After the Snowden leaks there has been a push towards DHE, so mass surveillance by passive decryption is slowly becoming obsolete. With DHE, a MITM attack is required every time. Is there an easier way to mount undetectable MITM attacks against any service? Of course there is.

A government agency can either compel a certificate authority (CA) to issue a false certificate, or request its private key to generate as many false certificates as desired. Does the surveillance equipment exist? Yes:

Has this practice been documented? It appears so:

It has been argued that issuing a subpoena for CA private keys is not needed, because a browser would trust a certificate signed by any CA, the Turkish Government for example. However, all it takes to detect that attack is clicking the lock icon in the address bar.


Guess which one is the rogue certificate.

So it’s clear that the extremely risk-averse HSAs only want their false certificate signed by the original CA itself, or with the original CA’s private key, in order to remain undetectable. Once the false certificate has been created, here’s how the MITM attack works when the server uses:

RSA key exchange:

[Figure: 9 - TLS RSA MITM CA key]

DHE key exchange:

[Figure: 10 - TLS DHE MITM CA key]
Yes. Google Chrome would detect it if the pre-installed certificate for Google suddenly changed. A browser, however, does not contain the certificates for every website; otherwise we would not need CAs.
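As an added model of the DHE case (figure 10) and of the lock-icon check above, and not code from the original post: a Python toy in which an HMAC under a constructed CA key stands in for the CA's signature and a tiny DH group stands in for a real one. It shows that a certificate forged with the original CA's key passes the browser's chain check, that a client which pins the genuine server key still rejects it, and that the attacker ends up holding a separate session key with each side.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P, G = 2**61 - 1, 2   # toy DH group (constructed, far too small for real use)
CA_KEY = b"original-ca-private-key"  # constructed: the key the post assumes the HSA obtains
TRUSTED = {"Original CA": CA_KEY}    # trust store; HMAC stands in for the CA's signature

@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes   # identity public key the certificate binds to the subject
    issuer: str
    sig: bytes

def issue(subject: str, spki: bytes, ca_key: bytes = CA_KEY) -> Cert:
    """Whoever holds ca_key, the CA itself or an attacker, issues a valid-looking cert."""
    sig = hmac.new(ca_key, subject.encode() + spki, "sha256").digest()
    return Cert(subject, spki, "Original CA", sig)

def chain_valid(cert: Cert, host: str) -> bool:
    """What the browser checks: trusted issuer, valid signature, matching hostname."""
    key = TRUSTED.get(cert.issuer)
    if key is None or cert.subject != host:
        return False
    expect = hmac.new(key, cert.subject.encode() + cert.spki, "sha256").digest()
    return hmac.compare_digest(expect, cert.sig)

def fingerprint(cert: Cert) -> str:
    """SHA-256 of the key: the value a pinning client compares out of band."""
    return hashlib.sha256(cert.spki).hexdigest()

def dhe_relay(host: str = "chat.example") -> dict:
    """Model of figure 10: an attacker holding CA_KEY forges a cert and relays two DH runs."""
    genuine = issue(host, b"genuine-server-key")   # constructed server identity key
    forged = issue(host, b"attacker-key")          # same issuer, attacker's own key
    pinned = fingerprint(genuine)                  # learned out of band by the client
    c, s, a1, a2 = (secrets.randbelow(P - 2) + 2 for _ in range(4))
    # Client runs DH against the attacker's share a1; the attacker runs DH against the server with a2.
    client_key, attacker_c = pow(pow(G, a1, P), c, P), pow(pow(G, c, P), a1, P)
    server_key, attacker_s = pow(pow(G, a2, P), s, P), pow(pow(G, s, P), a2, P)
    return {
        "forged_chain_valid": chain_valid(forged, host),   # True: lock icon looks fine
        "forged_pin_ok": fingerprint(forged) == pinned,    # False: the pin exposes it
        "genuine_pin_ok": fingerprint(genuine) == pinned,
        "attacker_reads_client": client_key == attacker_c,
        "attacker_reads_server": server_key == attacker_s,
        "client_server_share_key": client_key == server_key,  # False: two sessions
    }
```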

Chrome’s installer is also signed by a key, which is in turn signed by a CA. Your operating system would not detect a malicious version of Chrome that an HSA has signed with the CA private key.

Additionally, every time you open a Chromium installer, you completely bypass the security provided by CAs by executing a binary from an “Unknown Publisher”:

[Figure: unknown publisher]
To summarize:

Private messaging with TLS provides no expectation of privacy against HSAs. There are of course many other bad actors who try to obtain credit card data etc., so TLS works where there is a commercial interest in trust between user and server. However, in private messaging the server is always an untrustworthy man in the middle. We need something more private: end-to-end encryption.

