Even Bigger Brother, or Governments using Social Engineering to Circumvent Crypto

 
Job Title: Sarcastic Architect
Hobbies: Thinking Aloud, Arguing with Managers, Annoying HRs,
Calling a Spade a Spade, Keeping Tongue in Cheek
 
 
Lock Me for My Own Security

[[We’re interrupting the publishing of Chapters from the upcoming “Development and Deployment of MMOG” book for a post which purely coincidentally goes out on July 4th. If you’re waiting for further Chapters of the book, there is no need to worry: the next part of “beta” Chapter XVI is planned to be released next week.]]

They that can give up essential liberty to obtain a little temporary safety

deserve neither liberty nor safety.

— Benjamin Franklin —

NB: Please DON’T expect to find “some new way to break cryptography” in this article; there is absolutely nothing new cryptography-wise here; if anything, it is more about crypto-bypassing “social engineering” conducted by the (oppressive) government.

NB2: and no, this is (surprise!) not a conspiracy theory either. It is an analysis of what governments can do – and apparently ARE already doing – to make customers give up their cryptography, in a way which is so audacious that it might just work.

NB3: the information within is NOT new either; all the related news is rather old (it goes back about half a year or so). However, recently I’ve had quite a few conversations with different IT people who say “hey, you shouldn’t care, as <insert-some-fallacy-here>”. This lack of understanding of the scale of the problem in some supposedly-security-aware circles is Really Alarming, and that’s why I’ve decided to write about it.

On Cryptography Guarantees

No freeman shall be taken, or imprisoned, or outlawed, or exiled, or in any way harmed,

nor will we go upon him nor will we send upon him,

except by the legal judgement of his peers or by the law of the land.

— Magna Carta —

First, let’s ask ourselves “what can cryptography possibly guarantee us?” In other words, when we’re saying “hey, this crypto cannot be broken”, what is the EXACT meaning of it?

To answer this question, let’s consider Alice (proverbial in crypto-related circles), who wants to speak to (at least as proverbial) Bob. They want to speak over the Internet, so their communication passes through an Evil ISP, which is controlled by the Evil Government representative, Eve. Our question is: what guarantees can we possibly expect from cryptography here?

Let’s assume that we have the best possible crypto, which nobody (NSA and martians-who’re-light-years-ahead-of-us-technically included) can possibly break. But what does it really mean? It means that

IF Eve passes the communication through, then Alice and Bob can communicate securely.

Sounds good, but note that big IF in the statement above. This IF means that we’re essentially relying on Eve and the Evil Government to do something useful for the rest of the population; as we’ll see below, relying on them to do it is not always a good idea 🙁 . Put differently: even unbreakable cryptography guarantees the confidentiality and integrity of whatever traffic gets through; it guarantees nothing about availability, and availability is exactly the lever Eve is going to pull.

 

Circumventing Crypto, Social Engineering Style

It is difficult to free fools from the chains they revere.

— Voltaire —

Before going any further, let’s make one all-important observation. Whether we like it or not, and regardless of the amount of education in the security field, people tend to consider security as a nuisance. In particular,

Joe Average tends to care about functionality MUCH more than about security

In other words, when facing a lack of functionality (such as “hey, you cannot use Internet services”), there will be a backlash against pretty much any modern government out there. The flip side of the same thing is that if the services are available in exchange for giving up security, the Vast Majority of people will give up security Very Easily 🙁 .

Now, let’s see the game which Eve is able to play here.

Take 1. Big Brother. IF Eve can tell that a communication is encrypted, then she can pass the unencrypted stuff through, and block the encrypted stuff.

It is as simple as that. Encrypted traffic is easy to recognise: it goes over well-known ports (443 for HTTPS), and even where it doesn’t, a TLS handshake is recognisable from its first few bytes by any deep-packet-inspection box. So there is a Very Simple way to make sure that (a) Internet access is there (for those willing to give up security), and (b) all the Internet traffic is unencrypted. And guess what – even in such a simple case the vast majority of Internet users will just use it. However, this approach will affect a significant portion of Internet services; in particular, quite a few web sites won’t be accessible at all. As a result (and consistently with the Joe Average perceptions stated above), doing it in this simplistic way will cause a Quite Substantial Backlash; not because of security, mind you, but because People Just Want to Use the Internet!
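As an added illustration (my code, not something from the original post or from any real interception product), here is the part of Eve’s job that needs no cooperation from anybody: recognising a TLS handshake and reading the site name out of it. The parser below looks only at the record and handshake headers of a client’s first flight and returns the Server Name Indication; it never looks at a port number. The ClientHello bytes it is fed are produced by the `buildClientHello` helper in the same block (a sample-data generator written for this example, not a capture of any real client). The same SNI value is what Eve needs in Take 3 below to put the right name on the certificate she mints for the intercepted connection.

```go
package main

import (
	"errors"
	"fmt"
)

var errNotTLS = errors.New("not a TLS ClientHello")

func be16(b []byte) int { return int(b[0])<<8 | int(b[1]) }

// extractSNI parses the first TLS record of a client's first flight and returns the
// host_name from the server_name extension. It does not care which port the bytes
// arrived on: a handshake is recognisable from the record and handshake headers alone.
func extractSNI(b []byte) (string, error) {
	// TLS record header: content_type(1) version(2) length(2); 0x16 = handshake, major version 3
	if len(b) < 5 || b[0] != 0x16 || b[1] != 3 {
		return "", errNotTLS
	}
	recLen := be16(b[3:])
	if len(b) < 5+recLen {
		return "", errors.New("truncated record")
	}
	hs := b[5 : 5+recLen]
	// Handshake header: msg_type(1) length(3); msg_type 1 = ClientHello
	if len(hs) < 4 || hs[0] != 1 {
		return "", errNotTLS
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return "", errors.New("truncated handshake")
	}
	p := hs[4 : 4+hsLen]
	// client_version(2) random(32) session_id<0..32>
	if len(p) < 35 {
		return "", errNotTLS
	}
	off := 35 + int(p[34])
	// cipher_suites<2..2^16-2>
	if len(p) < off+2 {
		return "", errNotTLS
	}
	off += 2 + be16(p[off:])
	// compression_methods<1..2^8-1>
	if len(p) < off+1 {
		return "", errNotTLS
	}
	off += 1 + int(p[off])
	// extensions<0..2^16-1>; absent only in very old clients
	if len(p) < off+2 {
		return "", errors.New("no extensions")
	}
	extLen := be16(p[off:])
	off += 2
	if len(p) < off+extLen {
		return "", errNotTLS
	}
	ext := p[off : off+extLen]
	for len(ext) >= 4 {
		typ, l := be16(ext), be16(ext[2:])
		if len(ext) < 4+l {
			return "", errNotTLS
		}
		body := ext[4 : 4+l]
		ext = ext[4+l:]
		if typ != 0 { // extension type 0 = server_name (RFC 6066)
			continue
		}
		// ServerNameList: list_length(2), then name_type(1) name_length(2) name; type 0 = host_name
		if len(body) < 5 || body[2] != 0 {
			return "", errNotTLS
		}
		n := be16(body[3:])
		if len(body) < 5+n {
			return "", errNotTLS
		}
		return string(body[5 : 5+n]), nil
	}
	return "", errors.New("no server_name extension")
}

// buildClientHello constructs a minimal TLS 1.2-style ClientHello carrying host as SNI.
// It is a sample-data generator for this example, not a real client's output.
func buildClientHello(host string) []byte {
	name := []byte(host)
	sniBody := []byte{byte((len(name) + 3) >> 8), byte(len(name) + 3), 0, byte(len(name) >> 8), byte(len(name))}
	sniBody = append(sniBody, name...)
	ext := append([]byte{0, 0, byte(len(sniBody) >> 8), byte(len(sniBody))}, sniBody...)
	exts := append([]byte{byte(len(ext) >> 8), byte(len(ext))}, ext...)

	hs := []byte{3, 3}                   // client_version: TLS 1.2
	hs = append(hs, make([]byte, 32)...) // random (zeroed in the sample)
	hs = append(hs, 0)                   // empty session_id
	hs = append(hs, 0, 2, 0x13, 0x01)    // one cipher suite: TLS_AES_128_GCM_SHA256
	hs = append(hs, 1, 0)                // one compression method: null
	hs = append(hs, exts...)

	msg := append([]byte{1, byte(len(hs) >> 16), byte(len(hs) >> 8), byte(len(hs))}, hs...)
	return append([]byte{0x16, 3, 1, byte(len(msg) >> 8), byte(len(msg))}, msg...)
}

func main() {
	for _, pkt := range [][]byte{buildClientHello("google.com"), []byte("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")} {
		host, err := extractSNI(pkt)
		fmt.Printf("sni=%q err=%v\n", host, err)
	}
}
```

The host name travels in the clear (TLS itself does not encrypt it; the much later Encrypted ClientHello extension is the only thing that does), so every TLS connection announces its destination to whoever sits on the path, and “just use a non-standard port” buys nothing against an ISP-level observer.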

Ok, let’s see what more-devious-Eve can do. Going one little step further, Eve a.k.a. Evil Government can try the following

Take 2. Bigger Brother. “Hey, you can have your communications encrypted too, you just need to give us your keys!”

How to do it technically may vary; in particular, it can be done by installing a government-issued root certificate, as described below (strictly speaking, that is not “giving us your keys” but letting the government mint keys in anybody’s name, which amounts to the same thing), but this is not our focus at the moment. Let’s see how such a policy will be PERCEIVED by the people.

For anybody with a security background, it is an Ultimate Fallacy, but we’re not speaking about security specialists, we’re speaking about Joe Average. And guess what – for Joe Average such an approach is certainly MUCH MUCH better! He CAN use all his services, and TBH, he doesn’t give a (ahem…) damn about the security (unless, of course, it is about his affair, and security is protecting him from his SO). In practice, I expect that even Take 2 would work without causing too much trouble for the government which implements it.

However, to reduce their risks, Eve and Evil Government can (and will) go even further, making the following

Take 3. Even Bigger Brother. “Hey, giving us your keys IMPROVES your security!”

Going along this way requires more than just audacity, but apparently it is perfectly possible 🙁 .

 

Even Bigger Brother at Work

Man is free at the moment he wishes to be

— Voltaire —

…and is enslaved at the moment he ceases to wish so

— anonymous —

To see Even Bigger Brother at work, we can take a look at a typical browser-based TLS session. First, an exchange of ClientHello/ServerHello messages happens, and then the server sends the all-important Certificate message. This message contains an X.509 certificate (usually together with the intermediate certificates); this certificate is signed, the certificate of the certificate-signer is also signed, and so on. These signatures form a chain (with every link within the chain crypto-verifiable), but at a certain point the chain ends. At this point, a “root of trust” (a.k.a. “trust anchor”) is needed to finish validation of the certificate, and such a “root of trust” is implemented by ensuring that the chain terminates at one of the certificates stored within the so-called “root certificate storage”, which lives purely on the client side (usually either within the OS or within the browser).

In other words, for a normal TLS session to succeed, “root” certificate of the certificate chain MUST be one of the root certificates stored within the “root certificate storage”.

So far so good, and browsers are pretty good at doing these things. Now, let’s see what will happen if the “root” certificate is NOT one of those stored within the “root certificate storage”. In this case, the browser (after warning the user that something is wrong) basically has two options: (a) to allow the session without a valid certificate; (b) to disallow it completely (that is, until the certificate-used-as-root-to-sign-the-communication is placed into the “root certificate storage” on the client side).

Now we can start describing all the devilry of Even Bigger Brother:

  1. Whenever a supposedly-encrypted TLS connection A is made (from a browser, say, to google.com), it is intercepted by Eve at the ISP level (most likely at one of the routers), and terminated there (i.e. the TLS connection A is formed not between the client and google.com as the client intends, but between the client and Eve). At the same time, another TLS connection – connection B – is established from the ISP to google.com. From now on, Eve forwards all the traffic from connection A to connection B and vice versa, so everything works as intended, except that Eve can easily read the unencrypted traffic at this point. This is a very classical Man-In-The-Middle (MITM) attack, and that’s exactly what all those certificates and signatures are intended to counter.1
    • To deal with it, for TLS connection A, Eve will quickly generate a “certificate” for google.com (she knows which name to put into it, as the client announces the name in the clear in its ClientHello, as the Server Name Indication), signed with some Government-Root-Key (obviously, well-known at least to the government). As a result, the TLS session A – between the browser and Eve – will be a perfectly legitimate TLS session, with the only caveat being that the certificate for google.com will be issued not by some independent Certificate Authority (as it normally should), but by Government-Root-Key.
  2. At this point, the browser WILL see that the certificate does NOT chain to any of its root certificates, WILL give the user a warning, and MAYBE will block the connection too. If the connection is blocked, our Joe Average asks for help immediately; if the connection is not blocked, he will likely click through the warning a few times, though if the problem persists, he’ll ask for help anyway.
  3. Now we have our Joe Average who knows that there is something wrong. These days, he is going to ask about this mysterious problem among his friends and in forums (where else?). And he can easily find (our Evil Government will make sure that this information is readily available) that INDEED IT DOESN’T WORK BECAUSE THE CONNECTION IS NOT SECURE! The same sources will also add that all that’s necessary to IMPROVE SECURITY is to install the “root certificate” issued by the government (the one containing the public counterpart of Government-Root-Key) into his browser (more precisely – it will go into the “root certificate storage”)!
  4. Unless our Joe Average is a security specialist, he’ll install the certificate for sure, so now Government-Root-Key is within his “root certificate storage”.
  5. After installing the certificate, the browser will go again via the ISP, and Eve at the ISP router will mount exactly the same MITM again; however, this time the certificate WILL chain to a root in the root storage, so the browser will happily let the session in, WHILE EVE IS EAVESDROPPING ON ALL THE SUPPOSEDLY ENCRYPTED TRAFFIC.2
  6. From the point of view of Joe Average, it means THAT THE GOVERNMENT WAS RIGHT: before installing the certificate, there was a problem reported by the browser, and AFTER INSTALLING THE CERTIFICATE THE PROBLEM IS GONE!
  7. From the point of view of Joe Average, everything looks very good and very secure from now on… while it is certainly NOT: not only can the government read whatever-you-write (and modify it on the way: a MITM gets integrity as well as confidentiality), but also – because Government-Root-Key (or a signing key certified by it) needs to be multiplied across lots of ISPs and routers – it creates an ENORMOUS risk of a leak, and a leaked trusted root key enables whoever-owns-it to mount the same type of attacks the government can do.
  8. As a result of perceiving that everything is very good now (and because of the natural pride of knowing how to solve this specific problem), our Joe Average becomes one of those “useful idiots” (per Wikipedia, “a term for people perceived as propagandists for a cause whose goals they are not fully aware of, and who are used cynically by the leaders of the cause”) who’re advising others and answering questions coming from their friends and in forums; he will eagerly explain how to solve that nasty problem (“obviously, introduced by the browser manufacturer who produced the browser which is not suitable for our beautiful country”) – BY INSTALLING THAT ROOT CERTIFICATE FROM THE GOVERNMENT SITE!

That’s it. From this point on, the avalanche is pretty much unstoppable until it consumes the whole Internet population of that country 🙁 . And as soon as enough people have signed up for it, going back (which will pretty much mean giving up the Internet) won’t be possible at all (that is, unless Very Significant Pressure is applied from the outside).

Moreover, even those of us who DIDN’T buy the BS about “security enhanced by installing an additional root certificate” and who DO understand what is going on, will be facing a Really Tough Choice: either giving up the Internet altogether (in that country at least), or installing the certificate, effectively giving up encryption with our own hands… 🙁 🙁 Moreover, after giving security up, we’ll still see all the usual attributes of a secure connection (padlock and all), which can easily lead to complacency in security matters 🙁 🙁 🙁 .


1 if not for MITM, the whole PKI would be unnecessary, and a simple anonymous Diffie-Hellman exchange would do
2 This is exactly the same technical trick which was used – and implemented – by Trustwave (which issued a subordinate CA certificate to a customer for intercepting TLS on that customer’s network), and supposedly by quite a few other CAs, a few years ago [PCWorld][TheRegister]

 

Real-World Case(s)

one of the worst results of being a slave and being forced to do things

is that when there is no one to force you any more

you find you have almost lost the power of forcing yourself

— C.S. Lewis —

For those thinking that the problem described above, is purely theoretical, think again. This thing is already out there. There IS at least one government playing this game right now [TheRegister.2][HackerNews].

Of specific interest is the wording of related government-sponsored materials:

“The law requires operators to carry traffic transmission for protocols using encryption, using the security certificate except traffic encrypted in the territory of the Republic of Kazakhstan. The new national security certificate will protect the citizens of Kazakhstan when using encrypted protocols to access foreign Internet resources”.

“WILL PROTECT” !@%!$^!%$!!!

It seems that in spite of being officially several months in the wild, it is still NOT really deployed (yet?); whether this is just a temporary delay (which one would certainly expect whenever a government deploys something of this scale), or a more permanent withdrawal from the program – remains to be seen.

On the other hand, it is Very Clear that such a system IS a wet dream of a pretty much ANY government out there. In particular, some sources, such as [SecurityLab], also suggest that another government (BTW, member of NATO and actively discussing EU membership(!)) is actively working on an exactly the same thing for some years 🙁 .

The problem is MUCH wider than one single country; the problem is that governments CAN and WILL force their own citizens to give up security; the worst thing here IMO is that people will do it voluntarily (well, being outright cheated, but it is nothing unusual when it comes to governments…) 🙁 .

On Workarounds

I only ask to be free. The butterflies are free.

— Charles Dickens —

Is there something citizens of these unfortunate countries can do about it? Let’s see potential solutions in more detail.

Non-Solutions

First of all, let’s discuss some non-solutions. I’ve heard quite a few such “solutions” recently, but all of them were from the realm of easily-circumventable-security-by-obscurity 🙁 .

The very first and very obvious non-solution is related to any kind of information sent via non-secure DNS (like “let’s add another DNS record which states which CAs are allowed”). While these tricks MAY be a deterrent against a casual attacker, they won’t work against an attacker-which-sits-right-on-your-ISP (they will simply modify any such records as soon as their use becomes public knowledge).

As for DNSSEC-based solutions (such as DANE), the situation is not that obvious, but they still won’t work even if we assume that DNSSEC is widely used; even if the whole infrastructure is ready, ultimately DNSSEC relies on its own “trust anchors”, and as soon as the user is willing to disable DNSSEC validation, or to add something to those trust anchors, there is no real way to protect him.

Another way-I’ve-heard-as-proposed to deal with this Even-Bigger-Brother class of attacks (in particular, it was articulated on [HackerNews]) was “pinned certificates”. However, like pretty much any purely technical solution, it won’t work either. Yes, it will tell the user that the government is doing MITM (or rather, it might: note that Chrome, for one, deliberately does NOT enforce its pins for chains ending in a user-installed root, precisely so that corporate interception proxies keep working). Well, it is known even without the “pinned certificate”; the whole problem here is not “how the user can learn that they’re being MITM-ed”, but a VERY different problem of “how to convince the user NOT to give up protection?” And technical solutions, such as “making a browser without an option to remove pinned certificates, ever”, won’t really work for many practical reasons (from the ability to reinstall – to the ability to use a different browser without such a protection; heck, the government can even – perfectly legally BTW – make its own build of Mozilla or something for this purpose – with the “national certificate” preinstalled).

Yet another set of non-solutions revolves around [Convergence]. While I DO recognise a Very Significant value of Convergence-style schemas in the context of traditional non-government attacks (with users who do NOT cooperate with attackers), for the purposes of anti-Even-Bigger-Brother attacks it won’t work either 🙁 . The government will simply instruct users to reconfigure their browsers to trust Government-Root-Certificate above and beyond everything else (if necessary – they will make two Government-Root-Certificates etc.)

And last but certainly not least, I’ve had rather long discussions with people trying to push P2P as a solution to this problem (mostly on the basis of “hey, the root of the evil is the center, so let’s communicate directly and everything will be fine!”). If the government has at least some people with half a brain,3 P2P will be even EASIER to circumvent. Let’s take a look at it, using WhatsApp as an example (which, strictly speaking, is a client-server messenger rather than P2P, but the argument below doesn’t depend on that).

What the government can do to deal with WhatsApp? There are at least THREE different ways of handling it:

  • Block the ports of WhatsApp. These ports are rather specific, and blocking them won’t cause THAT much public backlash. As for port 443 (which is common for HTTPS and WhatsApp): as long as it uses TLS, it can be subject to the usual MITM described above (and it does NOT matter whether WhatsApp merely complains about the connection being insecure, or refuses to connect at all; in the latter case the effect is the same as blocking); otherwise, the traffic can simply be blocked.
  • A patch “to make WhatsApp secure” can be produced by the government (to be installed by users), making the app accept MITM-ed connections (either in the same manner as a root certificate is installed within the browser – or even worse than that). As WhatsApp will NOT work without the patch (all the undecryptable traffic will be blocked at the ISP one way or another), and WILL work with the patch – bingo! – users will use the patch for sure (and ALL the social mechanics described above for Even-Bigger-Brother will fly – including “useful idiots” too).
  • As an extension to the previous approach – government can easily intercept downloads of WhatsApp and REPLACE it with its own “patched” version (as they already have their root cert on user’s devices, signing “patched version” with their own key won’t be a problem(!) – and neither will HTTPS). And even if somebody can get “real” WhatsApp – it won’t work, so that “patched” versions will be actively distributed by the community of “useful idiots” too… 🙁 🙁

Bottom line:

We cannot POSSIBLY protect users from themselves 🙁

If the government is perceived as “your best friend”, AND it has the power to disable all the non-circumvented crypto – users will do ANYTHING to make things “just work” for them – which means giving up security…


3 yes, this is not guaranteed, but the opposite is not guaranteed either 🙁

 

Real Workarounds

About real workarounds to “Even Bigger Brother” attacks.

From Inside: Out-of-Band + Steganography

Disobedience is the true foundation of liberty.

The obedient must be slaves

— Henry David Thoreau —

Let’s consider somebody who IS aware of the problem, and REALLY wants to communicate in a secure manner from such a country. What are the options she has?

Unfortunately, assuming the government is cunning enough, I can see only one option, AND it requires a communication channel which goes beyond the Internet (or ASSUMES that SOME conversation over the Internet is not really monitored). Such a channel can be either a NON-monitored phone call, or things such as “connecting to the Internet via an Inmarsat/Iridium connection”.

Yet another example of such a still-secure channel is to use some still-secure-connection (such as WhatsApp which you probably can still assume that it was NOT “patched” yet, or even browser as long as it DOES NOT have that government certificate installed).

Let’s name such channels “out-of-band channels” (BTW, “out-of-band channel” DOES NOT need to exchange more than a few thousands of bits, so cellular communications are “good enough”).

(Wikipedia defines steganography as “the practice of concealing a file, message, image, or video within another file, message, image, or video”.) As soon as you have such an “out-of-band” channel, you can use it to agree on TWO things:

  • Encryption key (symmetric one will do)
  • A “steganography” channel which you use to communicate.

A bit more on steganography. First of all, let’s note that steganography IS necessary, as otherwise the government would be able to block the channel (as with the attacks on WhatsApp described above). However, if you’re using a channel which is just posting your pics on your Facebook (with each of the pics storing a few bits of data-you-want-to-transfer) – blocking it will be MUCH more difficult without an apriori knowledge of what exactly is the channel you’re using.

Steganography can come in different shapes. The simplest of them is the trivial “hey, let’s just configure an undocumented port for our app”. This, however, is easily preventable by ISP-controlling governments. The same goes for “let’s use some encrypted app very few people are using”: it will still work only until the government is interested enough in blocking this specific app (or until it blocks ALL the communications it cannot understand). In any case, all such tricks do qualify as steganography (or at least as a “reasonable facsimile”): they just assume that the government doesn’t know (or doesn’t care) about the very existence of a certain covert communication channel which goes through them; as soon as the government knows and cares about such a channel, it has all the means necessary to block it, once again forcing users to choose between giving up encryption and giving up communication 🙁 .

A bit more complicated example of such agreement on steganography channel would be the following: “SOME of the pics I will be posting on my Facebook page, will contain messages, encrypted with such-and-such keys, using such-and-such steganography tool, with such-and-such settings”. 4


4 note that you should aim to use a steganography tool which is resilient to modifications such as compression / scaling etc.; otherwise the government can easily employ automated “compression” of all-the-images-uploaded-to-facebook-or-anywhere-else just to disable steganography (a naive least-significant-bit scheme, for instance, does not survive a single JPEG re-encode)
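Footnote 4 is easy to demonstrate. The added example below (my code, not a tool mentioned in the post) hides a message in the least significant bit of the red channel of a picture, the simplest textbook steganography, and then passes the picture through the two kinds of hop an upload might get: a lossless PNG re-encode and a JPEG re-encode at quality 75. The cover image (a 64×64 gradient) and the message are constructed inline. The message survives the PNG hop intact and is destroyed by the JPEG hop, which is exactly what an automated “compress everything uploaded” policy would do to it.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/jpeg"
	"image/png"
)

// coverImage is a constructed 64x64 gradient standing in for "a pic you would post anyway".
func coverImage() *image.NRGBA {
	img := image.NewNRGBA(image.Rect(0, 0, 64, 64))
	for y := 0; y < 64; y++ {
		for x := 0; x < 64; x++ {
			img.SetNRGBA(x, y, color.NRGBA{R: uint8(x * 4), G: uint8(y * 4), B: uint8((x + y) * 2), A: 255})
		}
	}
	return img
}

// embedLSB writes a 16-bit length followed by msg into the least significant bit of the
// red channel, one bit per pixel in row order, and returns the modified copy.
func embedLSB(img image.Image, msg []byte) (*image.NRGBA, error) {
	b := img.Bounds()
	if len(msg) > 0xFFFF || (len(msg)+2)*8 > b.Dx()*b.Dy() {
		return nil, errors.New("message does not fit in cover image")
	}
	payload := append([]byte{byte(len(msg) >> 8), byte(len(msg))}, msg...)
	out := image.NewNRGBA(b)
	i := 0
	for y := b.Min.Y; y < b.Max.Y; y++ {
		for x := b.Min.X; x < b.Max.X; x++ {
			c := color.NRGBAModel.Convert(img.At(x, y)).(color.NRGBA)
			if i < len(payload)*8 {
				bit := (payload[i/8] >> (7 - uint(i%8))) & 1
				c.R = c.R&0xFE | bit
				i++
			}
			out.SetNRGBA(x, y, c)
		}
	}
	return out, nil
}

// extractLSB is the receiver side: read red LSBs in the same order and stop once the
// announced length has been read. Returns nil if the image runs out first (which is
// what happens when the length field itself has been corrupted).
func extractLSB(img image.Image) []byte {
	b := img.Bounds()
	var out []byte
	var acc byte
	n := 0
	for y := b.Min.Y; y < b.Max.Y; y++ {
		for x := b.Min.X; x < b.Max.X; x++ {
			acc = acc<<1 | color.NRGBAModel.Convert(img.At(x, y)).(color.NRGBA).R&1
			n++
			if n%8 != 0 {
				continue
			}
			out = append(out, acc)
			acc = 0
			if len(out) >= 2 && len(out) == 2+(int(out[0])<<8|int(out[1])) {
				return out[2:]
			}
		}
	}
	return nil
}

// reencode sends the picture through a lossless (PNG) or lossy (JPEG, quality 75)
// re-encode: the automated "compression" footnote 4 warns about. An in-memory round
// trip of a valid image cannot fail, so the demo just panics if it somehow does.
func reencode(img image.Image, lossy bool) image.Image {
	var buf bytes.Buffer
	if lossy {
		_ = jpeg.Encode(&buf, img, &jpeg.Options{Quality: 75})
	} else {
		_ = png.Encode(&buf, img)
	}
	out, _, err := image.Decode(&buf)
	if err != nil {
		panic(err)
	}
	return out
}

// demo embeds msg and reports what the receiver recovers after each kind of hop.
func demo(msg []byte) (afterPNG, afterJPEG []byte, err error) {
	stego, err := embedLSB(coverImage(), msg)
	if err != nil {
		return nil, nil, err
	}
	return extractLSB(reencode(stego, false)), extractLSB(reencode(stego, true)), nil
}

func main() {
	msg := []byte("meet at the usual place, 19:00") // constructed plaintext; in practice embed ciphertext
	p, j, err := demo(msg)
	fmt.Printf("after PNG:  %q\nafter JPEG: %q\nerr=%v\n", p, j, err)
}
```

In the scheme from the text the embedded bytes would be ciphertext under the symmetric key agreed out of band, never the plaintext used here for readability. A tool meant to survive re-compression has to embed in something the codec preserves (quantised DCT coefficients, for instance) rather than in raw pixel bits, which is the whole point of footnote 4.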

 

What WE can do from the OUTSIDE

For to be free is not merely to cast off one’s chains,

but to live in a way that respects and enhances the freedom of others.

— Nelson Mandela —

Now let’s see if there is anything WE (residing outside of such countries) can do to help people inside to withstand these “Even Bigger Brother” regimes. It is not much, but IMNSHO we still SHOULD do our best:

  • RAISE awareness of this problem, in general and for specific countries too. In particular, making it clear that these certificates do NOT “improve security”, but do exactly the opposite – IS important
  • Browser-devs (and device-devs):
    • THINK about providing an option to install a new root which is trusted for ONLY one specific site, AND make this option the default one.
      • CONSIDER making installing new-root-which-is-trusted-for-the-whole-Internet, AS DIFFICULT AS POSSIBLE. As installing such Internet-wide CAs creates a Big Security Risk, it SHOULD NOT be easy to do.
    • THINK about the wording of security warnings in browsers. Of special interest are warnings which correspond to “Certificate mismatch” (maybe also detecting frequent mismatches leading to THE SAME root – which is outright suspicious anyway), AND warnings when the user installs new root. With “making root ONLY for specific site” option, wording for installing root GLOBALLY can be made REALLY REALLY HARSH (not that it will help a lot, but it might at least give a chance to another 0.1% of people).
    • THINK about making an ONGOING WARNING while the user has a page authenticated-under-CA-which-is-NOT-preinstalled.
      • I’ve heard about such a warning being present in Android, but I never had a chance to validate this claim.
    • MAKE SURE that ALL such warnings are translated into ALL the languages you can think of (AND by native speakers-not-affiliated-with-the-respective-government too).
  • Site owners:
    • At least until that ONGOING WARNING is implemented by ALL major browsers, IMO we should STOP making HTTPS-ONLY web sites (except where HTTPS is REALLY necessary for security purposes); dual http:// + https:// sites are ok. The tricky part here is that with Even-Bigger-Brother in effect, each and every HTTPS-ONLY web site serves as yet another reason to succumb to installing that “National Certificate” (which, in addition to removing the ability to communicate securely, also creates an erroneous perception that the connection is secure while it is not).
      • In other words – if I were within such a country, I would try to avoid installing such a “National Certificate” for as long as possible. However, if most of the Internet is HTTPS-ONLY, I’d probably have no other choice than to install it (as living without the Internet is not an option), which – without an ONGOING WARNING from the browser – increases the chances of inadvertent compromises down the road 🙁 .
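To make the mechanics concrete, here is an added example (written for this page; not code from the original post, from any browser or from any government) that reproduces what “Even Bigger Brother at Work” describes and then the per-site-trusted-root option from the list above. It builds a throwaway PKI with Go’s standard crypto/x509: an “Independent Root CA” standing in for the preinstalled store, a “National Security Certificate” standing in for Government-Root-Key, and a google.com certificate issued by each. The certificate minted by Eve fails validation against the preinstalled store (step 2), validates once the government root is added globally (step 5), and fails again under a hypothetical per-site policy that trusts the added root only for one host (`portal.gov.example`, an assumed name), while the genuine chain still passes. All names and keys are generated inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn (with SANs dns) signed by parent, or self-signed
// when parent is nil. Throwaway P-256 keys; errors just panic in this demo.
func newCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// fp identifies a root by the SHA-256 of its DER encoding, as browsers do.
func fp(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// verify does what the browser does: build a chain from leaf to one of the roots in
// the store, for the given hostname. Returns the root the chain ended at.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil, err
	}
	chain := chains[0]
	return chain[len(chain)-1], nil
}

// verifyScoped is the hypothetical "root trusted for ONLY one site" policy: a root
// listed in scope (by fingerprint) is accepted only for the hosts named against it;
// roots not listed (the preinstalled store) are trusted for any host, as today.
func verifyScoped(leaf *x509.Certificate, roots *x509.CertPool, scope map[string][]string, host string) error {
	root, err := verify(leaf, roots, host)
	if err != nil {
		return err
	}
	allowed, scoped := scope[fp(root)]
	if !scoped {
		return nil
	}
	for _, h := range allowed {
		if h == host {
			return nil
		}
	}
	return fmt.Errorf("root %q is trusted only for %v, not for %s", root.Subject.CommonName, allowed, host)
}

// runScenario returns the verification result for each situation in the text: the MITM
// certificate before the install (step 2), after a global install (step 5), under the
// per-site policy, and finally the genuine google.com chain under the same policy.
func runScenario() (mitmBeforeInstall, mitmAfterInstall, mitmScopedInstall, legitScoped error) {
	realRoot, realKey := newCert("Independent Root CA", nil, true, nil, nil)
	realLeaf, _ := newCert("google.com", []string{"google.com"}, false, realRoot, realKey)
	govRoot, govKey := newCert("National Security Certificate", nil, true, nil, nil) // Government-Root-Key
	mitmLeaf, _ := newCert("google.com", []string{"google.com"}, false, govRoot, govKey) // minted by Eve

	preinstalled := x509.NewCertPool()
	preinstalled.AddCert(realRoot)
	afterInstall := x509.NewCertPool()
	afterInstall.AddCert(realRoot)
	afterInstall.AddCert(govRoot)
	// Assumed host name: the one site Joe Average was told "needs" the national root.
	scope := map[string][]string{fp(govRoot): {"portal.gov.example"}}

	_, mitmBeforeInstall = verify(mitmLeaf, preinstalled, "google.com")
	_, mitmAfterInstall = verify(mitmLeaf, afterInstall, "google.com")
	return mitmBeforeInstall, mitmAfterInstall,
		verifyScoped(mitmLeaf, afterInstall, scope, "google.com"),
		verifyScoped(realLeaf, afterInstall, scope, "google.com")
}

func main() {
	fmt.Println(runScenario())
}
```

The per-site check is deliberately layered on top of normal chain validation, by looking at which anchor the chain terminated on, rather than replacing the root store: that is the shape such an option would most plausibly take in a browser, and it leaves every preinstalled root behaving exactly as it does now.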

TL;DR

No one is more of a slave

than he who thinks himself free without being so.

— Johann Wolfgang von Goethe —

To summarize the article above very briefly:

  • Governments CAN use “Even Bigger Brother” social engineering to make the vast majority of the users within their country give up their privacy when communicating over the Internet
  • At least some of the governments are already actively working on it
  • Dealing with “Even Bigger Brother” is EXTREMELY difficult
    • In particular, it is NOT as easy as “hey, let’s just use <whatever-app>” – while certain apps MAY help for the time being, blocking/circumventing them is only a matter of time and relatively small effort on the part of the government
    • However, there are a few things which can be done to improve things a bit.

Acknowledgement

Cartoons by Sergey Gordeev IRL from Gordeev Animation Graphics, Prague.
