What happens when governments ignore privacy?

During the last couple of weeks, some alarming news have been uncovered. In particular, governments have the ability to intercept "secure" web pages that people use for their online banking, shopping, email and more by influencing so called "root certificate" holders in their countries.

Another threat to our privacy has been presented by the Chinese. They were caught redirecting requests for certain sites (such as Facebook and Youtube) to a Chinese IP address by influencing a root DNS server hosted in China. This was affecting users worldwide and not just Chinese citizens as intended by their "great firewall". If this was an accident by the ISP or deliberate by the Chinese government is unknown. The affected server has been shutdown.

While both problems are significant, the SSL interception problem is potentially huge. Our browsers have a so called 'chain-of-trust' that we use to determine if we can trust web pages online. That chain has a top level, called a 'root certificate authority'. This authority can issue certificates that our browsers will just trust without question.

In short, if certificate authority is to be pressured by its government to issue a certificate for your bank, that in fact points to a server owned by a government institution. This would allow them to bypass the encryption that ensures your data is held private.

To put this into terms easily understood, this undermines the entire chain of trust that we use for online banking, shopping or other activities online. It only takes one certificate authority to be compromised and not necessarily by a government entity.

What can we do?

Detailed in this article, some plugins exist to check if the trust originates from the same country as the certificate was issued. However, not all certificates are trusted in the same country that they are issued from. There is no simple solution to this. Internet traffic can by intercepted and corrupted so that the end user is never wiser to the situation.

What I suggest is that site owners start using certificate authorities in their own countries and browsers start checking with more scrutiny, who it is we are actually trusting for this information.

This has primarily focused on encrypted traffic, but most of the traffic online is not encrypted at all. Sites like Facebook for example that recently won the throne as the most popular web site (Google is second) do not encrypt anything beyond your login details.

Conclusion

Take a moment and think about who could potentially be watching your online activities and if you're doing something that you do not want others to know, stop. Privacy is no longer a right, it is a privilege, that fewer and fewer people can afford.

Use encryption, wherever you can and be sure to know, whom you are trusting for it to be encrypted.

A suggestion

Right now, these actions are going unnoticed with some exceptions. To be able to counter this, something must be done.

• Create an international group of security experts that will host a site that allows people to report SSL certificates that have been tampered with
• Publicize a revocation list that would allow this task force to revoke single certificates or CA, as a last resort.
• Get browser vendors to incorporate this revocation list

The most important part is that these actions get recorded and collected so we can see who is actually doing this and if at all possible, counter them.

Other articles

• Has SSL become pointless? Researchers suspect state-sponsored CA forgery
• Gov't, certificate authorities conspire to spy on SSL users?