National-Security-in-the-Middle Attack – the Crypto Wars continue
National security has officially reached the SSL/TLS infrastructure – at least in Kazakhstan. The Google cache features an article published by the Kazakhtelecom JSC where the introduction of a so-called national security certificate for Internet users was proudly announced. We show you some parts of the original text for educational purposes, because we have never seen the announcement of a backdoor to communication channels in this glorious manner.
From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan «On communication» Committee on Communication, Informatization and Information, Ministry for investments and development of the Republic of Kazakhstan introduces the national security certificate for Internet users.
According to the Law telecom operators are obliged to perform traffic pass with using protocols, that support coding using security certificate, except traffic, coded by means of cryptographic information protection on the territory of the Republic of Kazakhstan.
The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources.…
Decrypting the user’s Internet traffic is now a security measure. Of course this step poses a logistical challenge, because you need to put the backdoor into all devices and operating systems used by Kazakh citizens and every foreigner in the country. In addition, there is a compatibility problem between the many countries seeking to ban information security. Senator McCain has called for putting backdoors into the products of US American companies as well. How does one handle the exchange of decrypted data between the USA and Kazakhstan? Maybe the creation of a global certificate authority issuing all counterfeit certificates used for endangering the economy on a large scale would be a feasible way to go. Individual countries could save the trouble of committing certificate fraud; plus it is a lot easier to manage. You could even re-use certificates and include Honest Achmed’s Used Cars and Certificates CA while you are at it.
While these attempts to attack secure communication are very ambitious, they lack a fundamental solution to the problem of unencrypted communication. The Paris attackers did not use fancy ways to talk to each other. The New York Times published an article showing the connections of the criminals via Facebook. So why go after secure communication and make every business, citizen, and country vulnerable to script kiddies? Well, everyone who saw the private screening of „A Good American“ on the last day of DeepSec 2015 knows the answer already. The call for banning strong encryption is a cry for help and the confession of one’s own incompetence.
We wish the sources for this article were April Fool’s Day material. Sadly, they aren’t.