trust, mistrust, certs and covert surveillance


It is becoming generally known that the internet trust model (certs based on the likes of GoDaddy CA and validation DLLs and “trust stores” in the likes of Microsoft Windows) was subverted in 1997 – in the “interests of America”. There is rarely anything wrong with the certs themselves or the cert issuing procedures (though military-grade subversion is the exception). What is subverted for the non-military goals of the likes of DEA is the process of verifying the certified evidence – so that communication is established to an imposter – able to pass the evidence threshold and test applied by (not particularly trustworthy [in the assurance sense] American-manufactured) devices.

In American crypto-political terms you first create, endorse and/or sponsor a trust system. Today, OpenID Connect is the (ongoing) equivalent initiative. And then you have a covert channel WITHIN THE TRUST SYSTEM itself – available to the elite of the society. You of course provide “legal cover” for the vendors, at both a technical rationale and liability level.

Strangely those who speak up for “trust systems” seem always to find it appropriate, under the guise of national security secrecy (and/or wiretapping) rationales, to have a trapdoor within the trust system itself. In it, they are more trusted than others. And that is the secret – that not all Americans are equally trustworthy per se. Some are empowered to become an imposter of such as an Apple device (while actually being the “non-Apple” device). Note how wiretap rights include (i) the power to induce the wire to be tappable, and (ii) placement of the communication tap (or intercept). Note the difference, first thinking in terms of 1950s wires and switches!

The journalist got it right, noting when man-in-the-middle certs are issued (usually dynamically) with fields that trigger the Apple (or other vendors’) trapdoor in the device’s trust system’s verification module. To hide the door a company like Apple (and Microsoft is no different…) does not lock down critical configuration files – saying that if the FBI/DEA has authority to wiretap, this means – these days – that this includes planting the “bug” on the computer (step (i) above). That bug can be altering the trust validation methods “in the name of the ‘user’” – as far as the device’s own technical security policy model goes. Thus no “compromise” of the technical security policy actually occurs, giving the vendor cover.

Weasel words, of course. But what else can Apple or Microsoft do? It’s not as if they have any choice! They are American companies and America wants to spy – on foreigners (and locals). As loyal Americans, it’s the job of Apple and Microsoft to project American power (and ability to spy). Nothing new – whatsoever.

What will be interesting to Internet historians, one day, will be the “who, when, why and why not!” of the things that happened at VeriSign – as it was indoctrinated into compliance with the trust practices of the US government. It was fun watching the transition of attitude (and how it was engendered). Not every immigrant or long-term tourist just off the boat gets to see such things happen, in real time.



Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!