From nobody Sun Dec 04 01:26:16 2022 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NPpt40KPYz4k0F1; Sun, 4 Dec 2022 01:26:20 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NPpt26mnVz3qkC; Sun, 4 Dec 2022 01:26:18 +0000 (UTC) (envelope-from grarpamp@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=j6Nj0hpw; spf=pass (mx1.freebsd.org: domain of grarpamp@gmail.com designates 2607:f8b0:4864:20::e2e as permitted sender) smtp.mailfrom=grarpamp@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-vs1-xe2e.google.com with SMTP id b189so2159839vsc.10; Sat, 03 Dec 2022 17:26:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=686NIf1KIBcl9er/S5vKPY7QqZKJCo2i9rFrcKo6W6c=; b=j6Nj0hpwLA5tI7O8V/AZy//pv7jCZ9Nn5xWpTpeFuwjnlk+z4+pUfLNazRNn+oR/nT 2l1jYCwQw41fsRSySzbAu1dscw7mvvtoQRZilTkp3FbXlxGNG+z19v55sNhadH9EDYml W00QT7nbs85Id4ggxK7m7YnMdHQAgv5kICsRiuFBrk3GJphPe9hggWJKddDIBXkhK3d2 z9mW2Ag6QTJpmiLRFC5hUWrTCjHSj3Np81rimbflr2ITjCo7rprPag2Qh0h79/g79my5 MuMOWLYZ7JNP5cz6k0kbGjfKqKm7XBaZpYgzcjsZmp/glwPnTCHwXrlh1Y9vxRKMES0h /Lnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=686NIf1KIBcl9er/S5vKPY7QqZKJCo2i9rFrcKo6W6c=; b=qCp9Dme7PgKn1s1f95tB0T2FttAkSYYv9rD2cmL1sPrLWcd+Nrfd0aNaYvBSvhN/U8 zvTYgDiVy8TSLouaKsXDs5UbU5AGCFi7+IKbTf+1ouUkazq5nIDr9jakwz6LqVNB8Vvy 1vWuhn4QOx6Is92On5JBCR+saOqkZP/grP0P1Srifl7xOzjrYtDtl/ZzySvg0icAj4Iz yE4rR3iz6PcClrBlPlGt+s9yuqShICvsbrtZ9hkauvwQaF3u/pqmHsg7Pi14A0mQ6vmH Nt3z3umxQrWJD5LirvVMQKKVVx/eD24z0fDI8irMEsy+2p0g9Z1dAxzFVqxFv1YnX+bQ 3/Bw== X-Gm-Message-State: ANoB5pmEKPZmxFtZgKN5oUZeRwJk3gx4JGe0w2/0rW1bC9zlUAn+MwGr K6EwlPqtYJFHij5oXEt70+VZ7BiNgURQyFFveJDa5a3qvZzO1ZgAUDY= X-Google-Smtp-Source: AA0mqf4obSX09BCQpTbBN5nwz/5dDkzqpUNmZYTgL0N2t67hzWDHbeUEA3IO4i68GU2SEJKvm30y0Fb7BWVPbNUyWSw= X-Received: by 2002:a05:6102:502:b0:3b0:df43:87af with SMTP id l2-20020a056102050200b003b0df4387afmr8751071vsa.1.1670117177359; Sat, 03 Dec 2022 17:26:17 -0800 (PST) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Received: by 2002:a59:acc2:0:b0:32b:33ff:fbc3 with HTTP; Sat, 3 Dec 2022 17:26:16 -0800 (PST) In-Reply-To: References: From: grarpamp Date: Sat, 3 Dec 2022 20:26:16 -0500 Message-ID: Subject: Re: CA's TLS Certificate Bundle in base = BAD To: freebsd-security@freebsd.org Cc: freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-pkg@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-3.97 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.986]; NEURAL_HAM_MEDIUM(-0.98)[-0.984]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::e2e:from]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org,freebsd-questions@freebsd.org,freebsd-hackers@freebsd.org,freebsd-current@freebsd.org,freebsd-pkg@freebsd.org]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_FIVE(0.00)[5]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Rspamd-Queue-Id: 4NPpt26mnVz3qkC X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N Again, FreeBSD should not be including the bundle in base, if users choose to, they can get it from ports or packages or wherever else. Including such bundles exposes users worldwide to massive risks. You need to do more gpg attestation, pubkey pinning [1], tofu, and cert management starting from empty file... and quit trusting bundles of hundreds of random CA's, all of which are entities who have zero duty or care to the user, and often exist/corrupt/break to present evil [2] ... [1] https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d https://github.com/curl/curl/blob/master/docs/libcurl/opts/CURLOPT_PINNEDPU= BLICKEY.3 FreeBSD pkg(8) (aka, and: fetch(3)) don't even support this simple option, thus they're incapable of securely fetching packages, iso's, etc from servers in re [2]. Nor does FreeBSD even post sigs over its servers pubkeys for users to get, verify, and pin out of band. Even pubkeys were swapped ou= t on FreeBSD servers without announcing for users if any exploit or loss occu= rred there or for some other reason. That's all bad news :( But can be fixed :) [2] https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addr= esses-government-connections https://www.msn.com/en-us/news/technology/mysterious-company-with-governmen= t-ties-plays-key-internet-role/ar-AA13RwPh https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4= /m/etbBho-VBQAJ Major Web Browsers Drop Mysterious Authentication Company After Ties To US Military Contractor Exposed TrustCor Systems vouches for the legitimacy of websites. But its physical address is a UPS Store in Toronto. Mysterious company with government ties plays key internet role An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google=E2=80=99s Chrome, Apple=E2=80=99s Safari, nonprofit Firefox and othe= rs allow the company, TrustCor Systems, to act as what=E2=80=99s known as a root certificate authority, a powerful spot in the internet=E2=80=99s infrastructure that guarantees websites are not fake, guiding users to them seamlessly. The company=E2=80=99s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. The Pentagon did not respond to a request for comment on TrustCor. TrustCor also did not respond to a request for comment. [Minutes before Trump left office, millions of the Pentagon=E2=80=99s dorma= nt IP addresses sprang to life] TrustCor=E2=80=99s products include an email service that claims to be end-to-end encrypted, though experts consulted by The Washington Post said they found evidence to undermine that claim. A test version of the email service also included spyware developed by a Panamanian company related to Packet Forensics, researchers said. Google later banned all software containing that spyware code from its app store. A person familiar with Packet Forensics=E2=80=99 work confirmed that it had used TrustCor=E2=80=99s certificate process and its email service, MsgSafe,= to intercept communications and help the U.S. government catch suspected terrorists. =E2=80=9CYes, Packet Forensics does that,=E2=80=9D the person said, speakin= g on the condition of anonymity to discuss confidential practices. Packet Forensics counsel Kathryn Temel said the company has no business relationship with TrustCor. She declined to say whether it had had one previously. The latest discovery shows how the technological and business complexities of the internet=E2=80=99s inner workings can be leveraged to a= n extent that is rarely revealed. Concerns about root certificate authorities, though, have come up before. In 2019, a security company controlled by the government of the United Arab Emirates that had been known as DarkMatter applied to be upgraded to top-level root authority from intermediate authority with less independence. That followed revelations about DarkMatter hacking dissidents and even some Americans; Mozilla denied it root power. In 2015, Google withdrew the root authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediate authority to issue fake certificates for Google sites. With Packet Forensics, a paper trail led to it being identified by researchers twice this year. Mostly known for selling interception devices and tracking services to authorities, the company is four months into a $4.6 million Pentagon contract for =E2=80=9Cdata processing, hosting and related services.=E2=80=9D In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley found that a Panamanian company, Measurement Systems, had been paying developers to include code in a variety of innocuous apps to record and transmit users=E2=80=99 phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps. Measurement Systems=E2=80=99 website was registered by Vostrom Holdings, according to historic domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing. After the researchers shared their findings, Google booted all apps with the spy code out of its Play app store. Tremel said that =E2=80=9Ca company previously associated with Packet Forensics was a customer of Measurement Systems at one time=E2=80=9D but th= at there was no ownership stake. When Reardon and Egelman looked deeper at Vostrom, they found it had registered the domain name TrustCor.co, which directed visitors to the main TrustCor site. TrustCor has the same president, agents and holding-company partners listed in Panamanian records as Measurement Systems. A firm with the same name as one of the holding companies behind both TrustCor and Measurement Systems, Frigate Bay Holdings, filed papers to dissolve this March with the secretary of state in Wyoming, where it was formed. The papers were signed by Saulino, who listed his title as manager. He could not be reached for comment. TrustCor has issued more than 10,0000 certificates, many of them for sites hosted with a dynamic domain name service provider called No-IP, the researchers said. That service allows websites to be hosted with constantly changing Internet Protocol addresses. Because root authority is so powerful, TrustCor can also give others the right to issue certificates. Certificates for websites are publicly viewable so that bad ones should be exposed sooner or later. There have been no reports so far that the TrustCor certificates have been used inappropriately, for example by vouching for impostor websites. The researchers speculated that the system is only used against high-value targets within short windows of time. The person familiar with Packet Forensics=E2=80=99 operati= ons agreed said that was in fact how it has been used. =E2=80=9CThey have this position of ultimate trust, where they can issue encryption keys for any arbitrary website and any email address,=E2=80=9D Egelman said. =E2=80=9CIt=E2=80=99s scary this is being done by some shady = private company.=E2=80=9D The leadership page of the TrustCor=E2=80=99s website lists just two men, identified as co-founders. Though that page does not say so, one of them died months ago, and the other=E2=80=99s LinkedIn profile says he left= as chief technology officer in 2019. That man declined to comment. The website site lists a contact phone number in Panama, which has been disconnected, and one in Toronto, where a message had not been returned after more than a week. The email contact form on the site doesn=E2=80=99t work. The physical address in Toronto given in its auditor= =E2=80=99s report, 371 Front St. West, houses a UPS Store mail drop. TrustCor adds another layer of mystery with its outside auditing firm. Instead of using a major accounting firm that rates the safety of internet infrastructure companies, TrustCor selected one called Princeton Audit Group, which gives its address as a residential townhouse in Princeton, N.J. In addition to TrustCor=E2=80=99s certificate power, the firm offers what purports to be end-to-end encrypted email, MsgSafe.io. But researchers said the email is not encrypted and can be read by the company, which has pitched it to a variety of groups worried about surveillance. MsgSafe has touted its security to a variety of potential customers, including Trump supporters upset that Parler had been dropped by app stores in January 2021, and to users of encrypted mail service Tutanota who were blocked from signing on to Microsoft services. =E2=80=9CCreate your free end-to-end encrypted email today with over 40 domains to choose from and are guaranteed to work with Microsoft Teams,=E2=80=9D the company tweeted in August. Reardon sent test messages over MsgSafe that appeared unencrypted in transmission, meaning MsgSafe could read them at will. Egelman ran the same test with the same result. Jon Callas, a cryptography expert at the Electronic Frontier Foundation, also tested the system at The Post=E2=80=99s request and said t= hat MsgSafe generated and kept the private key for his account, so that it could decrypt anything he sent. =E2=80=9CThe private key has to be under the person=E2=80=99s control to be end-to-end,=E2=80=9D Callas explained. Packet Forensics first drew attention from privacy advocates a dozen years = ago. In 2010, researcher Chris Soghoian attended an invite-only industry conference nicknamed the Wiretapper=E2=80=99s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency customers. The brochure was for a piece of hardware to help buyers read web traffic that parties thought was secure. But it wasn=E2=80=99t. =E2=80=9CIP communication dictates the need to examine encrypted traffic at will,=E2=80=9D the brochure read, according to a report in Wired that quote= d Saulino as a Packet Forensics spokesman. =E2=80=9CYour investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption,=E2=80=9D the brochure added. The brochure told customers they could use a decryption key provided by a court order or a =E2=80=9Clook-alike key.=E2=80=9D Researchers thought at the time that the most likely way the box was being used was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of an impostor communications site. They did not conclude that an entire certificate authority itself might be compromised. Obtaining trusted root certificate authority takes time and money for the infrastructure and for the audit that browsers require, experts say. Each browser has slightly different requirements. At Mozilla=E2=80=99s Firefox, the process takes two years and includes crowdsourced and direct vetting as well as an audit. But all of that typically focuses on formal statements of technological steps, rather than mysteries of ownership and intent. The person familiar with Packet Forensics said the big tech companies probably were unwitting participants in the TrustCor play: =E2=80=9CMost people aren=E2=80=99t paying attention.=E2=80=9D =E2=80=9CWith enough money, you or I could become a trusted root certificat= e authority,=E2=80=9D said Daniel Schwalbe, vice president of technology at w= eb data tracker DomainTools. Mozilla currently recognizes 169 root certificate authorities, including three from TrustCor. The case gives new focus to problems with that system, in which critical tech companies outsource their trust to third parties with their own agendas. =E2=80=9CYou can=E2=80=99t bootstrap trust, it has to come from somewhere,= =E2=80=9D Reardon said. =E2=80=9CRoot certificate authorities are the kernel of trust from wh= ich it is all built on. And it will always be shaky, because it will always involve humans, committees and decision-making.=E2=80=9D Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they have heard little back. Google did not respond to a request for comment. Mozilla said it would say more after reviewing details from the researchers= . Major Web Browsers Drop Mysterious Authentication Company After Ties To US Military Contractor Exposed This week several major web browsers quickly severed ties with a mysterious software company used to certify the security of websites, three weeks after the Washington Post exposed its connections to a US military contractor, the Post reports. TrustCor Systems provided 'certificates' to browsers to Mozilla Firefox and Microsoft Edge, which vouched for the legitimacy of said websites. "Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware," said Mozilla's Kathleen Wilson in an email to browser security experts. "Trustcor=E2=80=99s responses via their Vice President of= CA operations further substantiates the factual basis for Mozilla=E2=80=99s concerns." According to TrustCor's Panamanian (!?) registration records, the company has the same slate of officers, agents and officers as Arizona-based Packet Forensics, which has sold communication interception services to the U.S. government for over a decade. One of those contracts listed the =E2=80=9Cplace of performance=E2=80= =9D as Fort Meade, Md., the home of the National Security Agency and the Pentagon=E2=80=99s Cyber Command. The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be. -WaPo Also of concern, TrustCor's small staff in Canada lists its place of operation at a UPS Store mail drop, according to company executive Rachel McPherson, who says she told their Canadian staffers to work remotely. She also acknowledged that the company has 'infrastructure' in Arizona as well. McPherson says that ownership in TrustCor was transferred to employees despite the fact that some of the same holding companies had invested in both TrustCor and Packet Forensics. Various technologists in the email discussion said they found TrustCor to be evasive when it came to basic facts such as legal domicile and ownership - which they said was not appropriate for a company responsible for root certificate authority that verifies a secure 'https' website is not an imposter. The Post report built on the work of two researchers who had first located the company=E2=80=99s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. Those two and others also ran experiments on a secure email offering from TrustCor named MsgSafe.io. They found that contrary to MsgSafe=E2=80=99s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company. McPherson said the various technology experts had not used the right version or had not configured it properly. -WaPo In a previous case which illustrates the importance of trusting root-level authorities - a security company controlled by the United Arab Emirates, DarkMatter, applied in 2019 to have top-level root authority from their status as an intermediate authority with less independence. The request followed revelations that DarkMatter had hacked dissidents and even some Americans - after which Mozilla denied it root power. "Received email from DDNS no-IP, they offering free TrustCor Standard DV SSL certificate." "Free, comes complete with spyveillance and exploit, lol." "Imagine that even the most trusted CA's are actually rogue!"