Wanna bet that CESG was using Man-in-the-Middle SSL with a fake cert/CA?

Certificate pinning and Convergence, now – or mandate VPNs. I don’t believe that Google’s Certificate Transparency addresses this narrow, one-off, state-sanctioned threat – am I wrong?

Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic.

The revelation comes as Britain prepares to host another summit on Monday – for the G8 nations, all of whom attended the 2009 meetings which were the object of the systematic spying. It is likely to lead to some tension among visiting delegates who will want the prime minister to explain whether they were targets in 2009 and whether the exercise is to be repeated this week.

The disclosure raises new questions about the boundaries of surveillance by GCHQ and its American sister organisation, the National Security Agency, whose access to phone records and internet data has been defended as necessary in the fight against terrorism and serious crime. The G20 spying appears to have been organised for the more mundane purpose of securing an advantage in meetings. Named targets include long-standing allies such as South Africa and Turkey.

Continues at GCHQ intercepted foreign politicians’ communications at G20 summits | UK news | The Guardian.

3 thoughts on “Wanna bet that CESG was using Man-in-the-Middle SSL with a fake cert/CA?

  1. S

    I hadn’t seen the Google proposal.

    Apparently the Claws mailing list has regular gripes as Claws by default (well as much as Claws has anything by default) checks certs and pins them for its own email server (sounds sensible), but some users end up bouncing between Gmail servers with different but simultaneously valid certs when Google roll out new certs for Gmail.

    http://lists.claws-mail.org/pipermail/users/2012-January/001099.html

    Convergence client is Firefox only AFAIK, which would omit other uses of SSL. So might not address this case, but pinning or automated notaries would likely also flag up a possible issue.

    I can see why this might be painful for Google and other big operators, but it may be easier for them to ensure their certificates are consistent, or updated quickly, or alternatively that they identify the servers with distinct names under the bonnet somewhere, than devise a more complex scheme to try and address the issue, with the inevitable risk of a more complex scheme leaving more and bigger holes.

    I vaguely recall the Claws folk complaining about someone else, possibly Facebook(?), having issues when rolling out new certificates, but that the issue is now resolved, and they rolls new certificates out quickly across the infrastructure (on a regular basis).

    Either way the Google proposal appears to require everyone to change what they do, or did I misread it(?), wasn’t there a special checkbox for that on the Final and Ultimate Solution to the Spam Problem checklist?

    That said, surely a significant subset of G20 attendees should have a VPN or other stringent security measures for things like e-mail? Or do they have to have Gmail to leave messages in their Gmail account for their mistresses to pick up later? The French approach of quietly tolerating Mistresses removes that particular risk ;)

    Reply
  2. Pingback: | GCHQ intercepted foreign politicians’ communications at G20 summits! | | truthaholics

Leave a Reply