Jump to content

SSL certificates


Recommended Posts


Does anyone know how can the NSA spy on https traffic?

As far as I know (Please correct me if I'm wrong), a SSL certificate has a public key, a private key and the issuer has a MASTER key? And that key is used by the NSA to listen to https traffic?

What about a https connection without a 'certified' SSL certificate? When my server generates it, it only has a pair of keys, no MASTER key.....

Does this mean that this type of a https connection is safer then one with a Verisign issues certificate?

Why does Darren keep saying that https is not that secure, and a VPN is more secure.. only because the data can be compromised at the receiving end?

Looking forward for an enlightening discussion.

Edited by iamnoxtras
Link to comment
Share on other sites

some Certificate Authorities (CAs) have created a sort-of master-key certificate set. i.e they can sign certificates, that are trusted by the browser, they can then simply MiTM you; and you'll be completely unaware, as your browser will accept and trust and rogue certificate.

It that conspiracy theory doesnt work for you... they have so much computing power they can simply crack the crypto!!!!

Link to comment
Share on other sites

Hi Midnite, can I call you Snake?:)

I don't think it's a conspiracy theory, I was reading somewhere that one of the authorities was hacked about a year ago and the end result was that the hackers could say that they are site X or site Y that had a certificate issued by that authority...

That said, I have no idea where to start researching on this. With Lavabit gone, I want to start a new secure email alternative (hosted in Germany or locally here in RO - thou, Romania is a BIG kiss ass for the US, so don't know how long till the local police would take these servers down) and I do mean secure: I would recommend users to use the secure site by IP (to avoid DNS takeovers..or what are they called) and to had just a server signed certificate (this is the problematic part of the service).

If the Cert authorities DO have a master key, then this will be the only safe choice (self signed cert), however if someone that feels at home with SSL can confirm that the NSA can only hack the 4k key...they the service would be easier to use.

Link to comment
Share on other sites

From the podcast I listen to, the speaker made a really good, interesting and useful point. We all know SSL certificates given out by the CA's expire after a certain point. ( 3 years I believe?) Then the site will have to re-up and pay for a renewed signed cert, along with a new pub. and priv. key. So he made the argument that what if the NSA demanded the old expired keys? This would make all back traffic open to decrypting. Any back logged back traffic (we now know they have it) can be decrypted using the old keys that the CA had given out. You guys think this is feasible?

Link to comment
Share on other sites

Self Singed is not a option. Who would ever trust a "secure mailing service" using self singed https.

2nd like midnitesnake pointed out. https is unsecure for MiTM attacks. Best way to solve it. Use vpn to get a secure way out. That lessens the chance on a MiTM attack.

(P.S. Kim Dotcom is also working on 1, there main problem is searching in encrypted e-mail)

Now comming to a possible sollution. What about running the mailservice behind a SSL vpn solution?


- Secure connection from anywere with any client ( mac, linux, windows, ... )

- No vpn/server/.... needed by the client

- The whole route from client to mailserver is encrypted


- Needs Java on the client side.

- Require more powerfull servers and mayby special hardware

Link to comment
Share on other sites

Thanks for the info!

I just read an article about MiTM on https, so that would be possible.

Indeed a master key defeats the purpose of SSL..

I think I just realized what journalists are talking about the NSA wanting a 'master key' from providers... Do they just mean 'master key' (of a hotel for example) like a backdoor?

So it's not a decryption master key, but a backdoor of any kind....

Java had a lot of problems last year and people are not used to update Java so when a security bug is found, it can be exploited for a long time....

About the VPN part, the thing is I'm a decent server side programmer in python, php, nodejs, creating a custom, secure, VPN client would require someone with at least as much experience in c++ as I have in scripting languages.

Is a MiTM attack possible if I'm using just an IP, no domain name? I know a domain name can be easily spoofed, but an IP address?

I know searching will be a problem. I watched the latest episode of Foundation, and the founder of Evernote has the same problem with encrypted notes..

I think for now, I'll create an index, with subject, sender, date, has attachment. You can search your emails (sort of) and your data is still secure.

Link to comment
Share on other sites

Never said you need to write your own SSLVPN software. You could run a firewallserver/vpnserver like pfsense that uses openvpn. Or real hardware firewalls like zywalls and such to do the vpn stuff.

or something like: http://sourceforge.net/projects/openvpn-als/

There enough out there. ready to use solutions.

About the java. If a persone wants a secure e-mail like that. Then you can be sure they know how to keep java up-to-date. And people that realy want to be secure can just set java only to be allowed on your site.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...