What happens when one country has access to another country’s SSL certificates?
India’s Deccan Chronicle recently reported that more than 31 Indian government websites shared SSL certificates with Akamai, a private American company that’s subject to American law, not Indian law.
Having access to an SSL certificate allows the party to decrypt the internet traffic of the website which uses it. Akamai, being an American company, could have been a vector for the US government to acquire access to sensitive Indian data.
Security researcher Kingsly John said:
“Government websites should not be using such foreign services like Akamai and Cloudflare in the first place. Everyone's name, Aadhaar (Indian government identification system for Indian citizens), and mobile number are first sent in clear text to a US company's servers before they reach the government server. A whole bunch of government websites seem to be using Akamai which can be forced by the US to hand over any and all data. This is a disgrace and impacts national security.”
The Reserve Bank of India was also using certificates from an American company Cloudflare, a serious Indian cybersecurity risk.
The bank and other Indian government websites have since ceased using SSL certificates from American companies and are now using certificates that only Indian entities have ownership of. Government websites worldwide should be similarly careful to keep SSL certificate ownership exclusively domestic, so that it’s not so easy for foreign governments to deploy man-in-the-middle attacks.
One particular group doesn’t want any of us to have good encryption technology! Five Eyes is an intelligence alliance between Canada, the United States, the United Kingdom, Australia, and New Zealand. They want all civilian encryption technology to have backdoors for police and intelligence. They cloak their opinion that they and law enforcement should be able to digitally spy on anyone without the annoyance of cryptography under the guise of “countering the illicit use of online spaces.” From their Five Country Ministerial 2018:
“Encryption is vital to the digital economy, a secure cyberspace and the protection of personal, commercial and government information. The five countries have no interest or intention to weaken encryption mechanisms. We recognise, however, that encryption, including end-to-end encryption, is also used in the conduct of terrorist and criminal activities. The inability of intelligence and law enforcement agencies to lawfully access encrypted data and communications poses challenges to law enforcement agencies' efforts to protect our communities. Therefore, we agreed to the urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations. We have agreed to a Statement of Principles on Access to Evidence and Encryption that sets out a framework for discussion with industry on resolving the challenges to lawful access posed by encryption, while respecting human rights and fundamental freedoms.”
Not so fast, Five Eyes. If there’s a backdoor for law enforcement, anyone can exploit it, rendering the encryption useless. According to Bruce Schneier:
<“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.
This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.
Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects.”
Having your SSL certificates in the hands of other countries is a security problem that’s easy to miss. The consequences can be dire if an outside government can decrypt your internet communications. You could even have regulatory compliance problems.
Fortunately, you can get a Certificate Risk Assessment performed by Venafi, free of charge. It’s vital for you to find out what’s going on with your encrypted internet services, and you can’t fix a problem until you know what it is!