Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

There are now tons of Certification Authorities (CAs) that are trusted by defaul

ID: 658300 • Letter: T

Question

There are now tons of Certification Authorities (CAs) that are trusted by default in major OS's, many of which are unrecognizable without online lookup or reference.

While there have been attempts by the NSA and others to "hack" or otherwise exploit root certicate authorities; is there anything preventing the NSA from becoming a Root CA itself?

It certainly has the resources and expertise, and could "suggest" to major OS vendors to add its Root CA to the default trust store list (which is large enough that it may not be noticed by anyone..?)

If it is feasible, what would the implications be? Could they essentially Man-in-the-Middle attack most HTTPS connections without a warning? (Perhaps not Dragnet-type interception, but close?) Or create a fake commercial root CA as obviously people would be suspicious if it had NSA plastered all over it?

Explanation / Answer

The NSA could and probably already has gone -- using a USA PATRIOT Act demand letter, or other similar legislative tool -- to all the major CAs in the United States (e.g. VeriSign, GeoTrust, etc.) and demanded that they remit their private root keys to "No Such Agency", "for purposes of 'national security'".

Of course, all such requests must (per PATRIOT Act law) be kept secret, and the CAs must lie to the public about their having complied with the request, or the chief executive officers of the CAs (and any of their underlings involved) are subject to long prison terms (with the trial, if any, conducted in camera in secret courts).

None of the above is unfounded speculation; it is based on well-known U.S. laws, which two successive U.S. administrations (Bush and Obama) have refused to change in any meaningful way, and in view of the Snowden revelations it would be extremely foolish to assume that this scenario hasn't already happened.

So yes -- the simple answer is, "the NSA doesn't need to do anything special to set up a root CA; because it can easily impersonate any of the existing (American) ones, at will".

Related Questions

There are many ways to get a feel for the events of the 20th Century. One way is
Question #3494376
There are many ways to grow a small business. For those having difficulty trying
Question #368320
There are many ways to produce crooked dice. To load a die so that 6 comes up to
Question #2930957
There are many ways to produce crooked dice. To load a die so that 6 comes up to
Question #3129793
There are many ways to produce crooked dice. To load a die so that 6 comes up to
Question #3202556
There are many ways to produce crooked dice. To load a die so that 6 comes up to
Question #3208116
There are many ways to produce crooked dice. To load a die so that 6 comes up to
Question #3334549
There are many ways to provide encryption services. Pretty Good Privacy (PGP) is
Question #3746263
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
There are now 10 sales associates working for the Roadrunner Automobile Club (RA
Next
There are numerous database vendors in the world each with their own brand of SQ

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.