Let's imagine for a while that Let's Encrypt is an NSA project, and let's imagine that soon, almost everyone will be using it. Would the NSA have any cryptographic advantage because of that, when analyzing SSL/TLS communication?
-
Do you have anything (hints at least) to back up this claim? If it is an NSA project, then yes, they can see everything. – JOW Oct 10 '16 at 16:04
-
I'm not claiming anything. I'm just asking. – Łukasz Zaroda Oct 10 '16 at 16:04
-
Also, I think that any even potential centralization of the security systems is kind of a hint, and a good thing to be concerned about :). – Łukasz Zaroda Oct 10 '16 at 16:26
2 Answers
Very short answer:
Would NSA have any cryptographic advantage because of that,
Yes. And that applies to any certificate authority: whoever your users trust to authenticate your website is able to forge a valid certificate. Verisign, Let's Encrypt, doesn't matter. They have everything they need to make your user complacently be subject to a man-in-the-middle attack.
Note that it is known that some CAs that are trusted by default on many systems/browsers/clients are subject to laws requiring access to the signing keys. And as far as I remember, there are also already publicized cases where law enforcement used that.
when analyzing SSL/TLS communication?
Aside from the MITM scenario explained above, in theory, no. A CA just signs your public key, it doesn't get any more insight into the encrypted streams.
-
So, data cannot be recovered retro-actively and can be only obtained during MITM attack? – Łukasz Zaroda Oct 10 '16 at 16:07
-
The CA private key will not help with retro-active data decryption. It might be possible with theft of the webserver's internal private key, but [I'm not sure](http://security.stackexchange.com/questions/139343/does-theft-of-the-webservers-private-key-allow-retro-active-decryption-of-previ). – 700 Software Oct 10 '16 at 16:16
-
@ŁukaszZaroda - That depends whether you have [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy). The SSL cipher suites with DHE (Diffie-Hellman Ephemeral) provide that. Beware that Diffie-Hellman has had [its own problems](https://weakdh.org/). – paj28 Oct 10 '16 at 16:18
-
A few CAs "helpfully" offer to generate your private key on their servers and send it to you. Let's Encrypt is not one of them, though you are likely running their software locally. – Matt Nordhoff Oct 10 '16 at 18:40
-
I was going to downvote this answer (since "No" isn't a valid answer based on the arguments this answer provides - the rest of the answer says they can't do anything). But then I remembered: Let's Encrypt uses an agent to change keys - if the agent went rogue, then servers could become hijacked. This is a valid argument why the answer can be YES. – axapaxa Oct 11 '16 at 00:15
-
But usually the NSA could just create a certificate for your domain using Let's Encrypt, **even if you use another CA** and clients will happily accept it. – Josef Dec 11 '18 at 11:13
NO (but maybe yes).
The short answer is a sound no, because your web site's private key is never sent to letsencrypt, and thus encrypted communication between clients and server cannot be decrypted any easier than if you were using any other certificate authority.
The worst the NSA could do is the same they could do with other CAs (and more easily too with other CAs - because letsencrypt provides a transparency report for all certs issued), and that is force the CA to issue a fake certificate for your website so they can perform a MiTM attack. But that would be bad PR for them.
Or they could of course know protocol weaknesses or TLS implementation bugs, and exploit that -- but that would again work for any other CA as well.
However, it might be possible in the general case that letsencrypt is more vulnerable - as for letsencrypt to work (as opposed to other CAs) you have to use the client software to generate certificates (every 3 months at least) and that software could have (intentionally or not) hidden bugs which might theoretically allow the NSA (or other parties) to break into your server and retrieve your private keys (and other data), at which point it is game over. Especially as most of the clients need elevated privileges (and the official one runs as root IIRC).
Note however that there are dozens of letsencrypt clients, and it is not even too big a problem to write your own, so you can choose one whose security you trust.
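Two defender-side checks that follow from the points raised in this thread (retroactive decryption versus forward secrecy in the comments on the first answer, and "any trusted CA can issue for your name" in Josef's comment and the second answer's mention of transparency logs), added here as example code that is not part of the original thread; the CT records, issuer names and `ISSUER_POLICY` are constructed assumptions, not real log data.

```python
"""Two checks prompted by the thread above (constructed example).
forward_secret(): does a cipher suite use an ephemeral (EC)DHE exchange?
  If not, theft of the server's long-term key decrypts recorded sessions.
unexpected_issuances(): flag Certificate Transparency records where one of
  your names got a cert from a CA you do not use (any trusted CA can issue)."""
import re

# Constructed CT log records for this example (not real log data).
CT_RECORDS = [
    {"issuer": "Let's Encrypt Authority X3", "names": ["www.example.com"], "seen": "2016-10-10"},
    {"issuer": "Example Commercial CA", "names": ["api.example.com"], "seen": "2016-10-11"},
    {"issuer": "Unexpected CA Ltd", "names": ["www.example.com", "mail.example.com"], "seen": "2016-10-12"},
    {"issuer": "Let's Encrypt Authority X3", "names": ["other.org"], "seen": "2016-10-12"},
]

# Hypothetical operator policy: domain suffix -> CAs that legitimately issue for it.
ISSUER_POLICY = {
    "example.com": {"Let's Encrypt Authority X3", "Example Commercial CA"},
}


def _policy_for(name, policy):
    """Permitted-issuer set for the longest matching domain suffix, or None if unmonitored."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in policy:
            return policy[suffix]
    return None


def unexpected_issuances(records, policy):
    """Return (issuer, name) pairs where a monitored name was issued by an unlisted CA."""
    flagged = []
    for rec in records:
        for name in rec["names"]:
            allowed = _policy_for(name, policy)
            if allowed is not None and rec["issuer"] not in allowed:
                flagged.append((rec["issuer"], name))
    return flagged


# Matches ECDHE/DHE as a key-exchange token in OpenSSL or IANA suite names.
_EPHEMERAL = re.compile(r"(^|[-_])(EC)?DHE[-_]")


def forward_secret(suite):
    """True if the suite gives forward secrecy: TLS 1.3 suites always use an
    ephemeral exchange; TLS 1.2 suites only when they name ECDHE or DHE.
    Static ECDH/RSA key exchange (e.g. AES256-SHA) returns False."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return bool(_EPHEMERAL.search(suite))
```

Against the constructed records, only the two names on the "Unexpected CA Ltd" certificate are flagged; `other.org` is ignored because no policy covers it.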