GoDaddy Revokes Lavabit's Security Certificate After Reading About How The Feds Got It
from the post-facto dept
By now the details of the shutdown of secure email provider Lavabit are fairly well known. Seeking to spy on Ed Snowden's communications, the feds demanded Lavabit give them access to Snowden's account. After some back and forth, they further demanded the site's private SSL keys. Lavabit's Ladar Levison first provided them printed out in illegible 4-point type, and when the court found that unacceptable, he shut down the entire service while simultaneously handing over the key.
Here's an interesting side note to all of that, dug up by Kashmir Hill over at Forbes: After the details of what happened were unsealed by the court a week ago, GoDaddy revoked the security certificate it had provided for Lavabit, saying that there's now proof Levison provided the keys to a third party, violating the policy on a secure cert:
“[W]e're compelled by industry policies to revoke certs when we become aware that the private key has been communicated to a 3rd-party and thus could be used by that party to intercept and decrypt communications,” says GoDaddy spokesperson Elizabeth L. Driscoll, in response to an inquiry about Lavabit's keys being revoked.
Of course, since the service is already shut down, this move has no direct impact on anything, but it makes a fairly strong symbolic statement. As many have been wondering, if the feds are ordering Lavabit to hand over its SSL keys, it's quite likely the same demand has been made of many other companies as well, most of which likely complied. So, this raises the question of whether or not certificate authorities are going to start looking for the possibility of other compromised certs and revoking them....
Separately, as Hill notes, this could also aid Levison in his legal case: he can now legitimately argue that being forced to turn over the keys could create an unreasonable burden on his business in another way, by having the keys revoked.
Filed Under: compromised, email, fbi, revoked, security, security certificate
Companies: godaddy, lavabit
Reader Comments
A lot of people don't understand the point of CAs
There are different classes of certification, and the highest class comes with all sorts of guarantees that the person using the SSL certificate is the one that is supposed to.
A proper CA must ensure that if an SSL cert falls into the wrong hands, that it be promptly revoked, as they can no longer guarantee the owner of the cert is the sole person that they have verified.
Going to the source
The rules for Mozilla (Firefox) are at https://www.mozilla.org/projects/security/certs/policy/. Following the links, you can find things like:
"If the CA or any of its designated RAs become aware that a Subscriber’s Private Key has been communicated to an unauthorized person or an organization not affiliated with the Subscriber, then the CA shall revoke all certificates that include the Public Key corresponding to the communicated Private Key."
The other browsers should have similar requirements.
If a CA does not want to be removed from the browsers' root trust stores, they have to revoke any certificate where the private key has been revealed to anyone else. There is no "law enforcement" exception.
Re: Going to the source
What is creating a glaring hole here is that courts can order a key to be handed over at all. The system cannot keep any credibility as soon as a key is compromised. I am not sure how NSA argues the system can work under these conditions? Guess it is the same as their coded backdoors: They are far outside the normal laws and lack the integrity to make the oversight aware of the consequences of their endeavours!
How exactly will GoDaddy find out about these compromised CAs? I mean Lavabit is only the latest in a whole series of email providers who have been compromised, all of whom you can bet have been given gag orders in one form or another.
And how about the rest of the CA issuers? Are they going to follow suit too?
The more that comes out about this NSA business the nastier it looks.
Presumably, even secret court orders cannot force service providers to commit perjury?
Re:
FWIW, nearly every member of senior management at GoDaddy has been replaced since the SOPA/PIPA debacle.
Re: Re: Going to the source
https://i.imgur.com/DqCrxm3.png
That's hardly an external issue when you are depending on them being free of malware and security issues. Having that trust lost to the public very much has results.
http://www.techdirt.com/articles/20110830/13243615741/evidence-suggests-diginotar-who-issued-fraudulent-google-certificate-was-hacked-years-ago.shtml#comments
Re:
Well now... This could be quite interesting...
In regards to the article, GoDaddy did the correct thing (besides, it's not like Lavabit is going to be using that cert any more). In addition, this could perhaps assist future businesses hit with a similar order (those that wish to resist it, that is). I'm not entirely sure to the extent a federal agency can force a business to act as a baffle (effectively that's what using a business' cert is; not unlike forcing a store to employ an undercover cop as a cashier), but "this will cause my business to be unable to function" surely should strengthen a defense.
Re: Re: Re: Going to the source
I guess, given public ignorance, browsers matter.
How's that?
It doesn't matter in this case since Lavabit won't be using their cert anymore. I'm just wondering if anyone really checks for revocation for the sites they visit. I tried enabling CRL checking in Chrome on a reasonably fast computer, and it made visiting HTTPS URLs unbearably slow, with many sites timing out.
Sadly a bunch of morons will look at this action and think GoDaddy is going to bat for them. Anyone with an elementary understanding of what happened will know just how much this reeks of complete bullshit.
GoDaddy has accomplished absolutely nothing. It's a damn shame because they have the power to do so much in this area.
Re:
Is that like saying: "I know wrong when I see it!"?
The negative answer solution
"Confirm that your certificate remains secure, and to your knowledge your private key has not been provided to or accessed by any third party".
A separate annual email would ask the chief executive to:
"Confirm that all certificates issued to you, including those that have now expired, remain secure, and confirm that to your knowledge no private key issued to you has been provided to or accessed by any third party".
These questions would exclude any certificates that are known to have been leaked, but there would need to be an extra question about what arrangements have been made to protect any data that is insecure because of lost certificates.
The way these questions are phrased, chief executives could indicate by refusing to answer them that they have been forced to hand over private keys. They don't need to disclose anything that is prevented by super-secret "we cut off your balls" court orders.
Re: Re:
That's exactly what the NSA often say. Such a shame they never look in the fucking mirror.
replay
It's not paranoia when they're really out to get you.