The most probable situation here (if it actually occurred) is that South Korea owns a certificate authority that is accepted by browsers and did a MITM attack with their own Google cert.
For your first point, if they own their own root CA that is trusted by browsers, then the capability is definitely in their hands. And that doesn't need any kind of special hacking capabilities, just signing a certificate that is for Google services. The whole SSL certificate trust hierarchy depends on CAs not being that evil, there is no tech keeping them non-evil. Of course Chrome does certificate pinning at least for their own services, but not the others.
For what it's worth, the support for this sort of MITM was the feature du jour among "unified security" appliance vendors back in 2003-04. Basically the idea was that the corporate IT department would install an additional CA certificate on all of the company's computers and this would enable the appliance to access raw data of SSL/TLS streams going in and out of the company's networks. The purpose was benign and it was to scan downloads for viruses and malware.
You've linked to a story about someone penetrating a fringe CA, and the galactic shitstorm that resulted, including the revocation of that CA's CA status in most Internet browsers.
tptacek|14 years ago
I do think it's highly improbable that they would use that capability for run-of-the-mill law enforcement cases.
marshray|14 years ago
They're not obvious attacker certs, but Ralph Holtz has found some very strange certs in S. Korea with SN:"Government of Korea" and CA:TRUE. http://www.mail-archive.com/cryptography@randombit.net/msg01...
Also, it's not clear that this is "run of the mill law enforcement". This is NIS, the S. Korean state intelligence service, which is admitting to having done this.
Maakuth|14 years ago
But on your second point I agree. If they are prepared to use such capability, it would be really stupid to reveal their will to do such dirty tricks in some ordinary matter - better save it for a real need.
huhtenberg|14 years ago
I do not doubt for a second that any reasonable national cybersecurity agency has this functionality readily available, utilizing one of the CA certificates bundled with common OSes. Whether they are actually using it and to what extent is another question, which ties into political implications should someone detect the certificate forgery.
andreyf|14 years ago
tptacek|14 years ago