In a recent post on Privacy Digest, and an article in the NYTimes, there is a discussion of some major and well known vulnerabilities in the global public key infrastructure (PKI) and some examples of exploitations of that vulnerability.

The issue is with the proliferation of certificate authorities on the Internet, and the low level of oversight on their policies.

Using the web as an example, here is how it works. Embedded in every browser is a list of “certificate authorities”. These are companies that are deemed trustworthy to issue and sign website certificates. Website certificates are what allows websites to be authenticated by your browser and enables SSL based secure connections (e.g. to your bank).

These certificate authorities may also be able to delegate their certificate signing authorities to other secondary certificate authority organizations. The list of primary certificate authorities in your browser is long (I count 43 in my copy of Firefox), and who knows how many secondary certificate authorities may be out there. These certificate authorities exist all over the world, and any of them can issue a certificate that your browser will accept as valid.

A malevolent certificate authority could issue certificates to allow them to impersonate any secure website.

The articles talk specifically about a secondary certificate authority called Etisalat, located in the UAE. They created a certificate which allowed them to sign code which would be accepted as valid and authorized by BlackBerry cell phones. They then created and distributed software to about 100,000 users which enabled government surveillance of the devices. RIM, the maker of BlackBerry, was able to detect and patch this introduced back door.

Etisalat could create certificates to allow the UAE to intercept and read all secure web traffic traveling over networks within that country.

It is likely that there are many other certificate authorities that are similarly willing to compromise the security of the PKI for various ends. To date, no action has been taken against Etisalat. The EFF is calling for Verizon to revoke Etisalat’s ability to issue certificates (Verizon is the primary authority that delegated to Etisalat as the secondary).

Hack Exploits Google Street View to Find Victims – The New New Internet

This very short article describes a really simple attack that enables someone to discover your physical location with a very high degree of reliability and accuracy.

It involves using JavaScript to access the MAC address of your WiFi wireless access point (base station). The examples for this I have seen are IE specific. Any malware that has gotten itself installed on your computer could also do this.

Given that information, it is easy to pass this information to a Location Services API which returns a location good to a few hundred feet, sometimes much closer. Here is a website that does this for you.

We discovered a major security hole in Facebook almost by accident. The exploit is so trivial I can’t justify calling it hacking. Any time you are on an open WiFi and accessing Facebook, anyone else on the same network can easily grab your credential and access Facebook as you with full access to your account.

We have posted a video demonstrating this to YouTube as well as putting it in the Anonymizer Labs section of our website.

Many sites, including the Los Angeles Times are reporting on a change to Apple’s privacy policy that allows collection and sharing of “anonymous” location information. The only way to prevent this seems to be completely disabling location services on the iPhone.

It appears that Google’s privacy policy allows a similar level of information collection.

Much of the chatter I have seen about this issue talks about targeted advertising and user tracking. While I have no doubt that both companies are very interested in doing that I don’t think this particular disclosure is about that. Message targeting is more likely to happen within applications where the user has granted explicit permission to push location based advertising and alerts.

I think this is all about improving Enhanced GPS services. My guess (and it is just a guess at this point) is that the phones are reporting back GPS location, Cell tower IDs and signal strength, and all visible WiFi base stations and signal strengths. Given enough of these sets of measurements, they can provide extremely accurate location information given only WiFi information (which takes much less power than GPS and also works indoors). It has been well established that multiple companies, including Google, are building such databases from trucks driving around the world (see my last post).

One purely anecdotal data point I have is from my WiFi only iPad. For background, I live on a fairly large lot and the only WiFi I can detect is my own. One of the first things I did with the new iPad was to open up the map application. It almost instantly centered the location reticule on my house. The only available location information was from the WiFi. I know that the Street View truck has never been through my neighborhood, and doubt that any others have been. My suspicion is that phones used within my house have been providing the correlating data between my physical location and my personal WiFi base station hardware ID.

Cnet (among others) reports on Google’s interception of personal information from open WiFi nodes, including passwords and e-mail.

Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.

To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.

It turns out that this is incredibly easy. With many of the WiFi chipsets built in to personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.

The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.

If the connection between you and a website, email server, or other service is un-encrypted, then anyone near you can intercept it if you are using an open WiFi.

To be clear, open WiFi means that the underlying connection is un-encrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.

If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefor vulnerable.

WikiLeaks seeded its database of documents by intercepting traffic through a TOR node they were operating.

This article at Wired highlights an almost buried section of this New Yorker interview with one of the founders of WikiLeaks.

Before the WikiLeaks site went live, the founders noticed that hackers were transferring stolen government documents over the TOR network. They captured over a million of these documents to form the initial core of the WikiLeaks archive.

This shows once again what I have been saying for a long time. Any privacy system that allows any untrusted and unknown person to become part of the infrastructure and have access to cleartext information is fundamentally flawed.

Any person with malicious intent can easily set up a TOR node and begin exactly the same kind of data collection that the WikiLeaks folks practiced.

Reputation is everything in this business. It is not practical for typical individuals to properly vet their providers. Track record, reputation, and respected third party endorsements are your best bet when choosing a privacy or security provider. Look for those for everyone who has access to your information.

John Gruber at Daring Fireball posted this interesting article on the growing practice of websites intercepting your attempts to copy text from their pages. They are actually modifying the contents of your clipboard and tracking the fact that you have clipped the information.

The referenced cases seem to be doing it for marketing and informational purposes, but there are many ways this could be used in more aggressive ways.

Imagine a site with sample code which (when copied) inserted some damaging code in to the middle of a large block.

I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.