18 September 2011
Deep Packet Spying Breaches Gmail and All Security
Date: Sat, 17 Sep 2011 20:37:56 -0500
From: Marsh Ray <marsh[at]extendedsubset.com>
To: Discussion of cryptography and related
Subject: [cryptography] Another data point on SSL "trusted" root CA reliability
Been seeing Twitter from [at]ralphholz, [at]KevinSMcArthur, and [at]eddy_nigg
about some goofy certs surfacing in S Korea with CA=true. via Reddit
It's not entirely clear that a trusted CA cert is being used in this attack,
however the article comes to the conclusion that HTTPS application data is
being decrypted so it's the most plausible assumption. Quoting extensively
here because I don't have a sense of how long "The Hankyoreh" keeps their
English language text around. - Marsh
cryptography mailing list cryptography[at]randombit.net
Date: Sun, 18 Sep 2011 12:11:59 +0200
From: Ralph Holz <holz[at]net.in.tum.de>
Subject: Re: [cryptography] Another data point on SSL "trusted" root CA
reliability (S Korea)
True, we found about 80 distinct certificates that had subject "Government
of Korea" and CA:TRUE .
In our full dataset from April 2011, however, we found about 30k certificates
with this property. None of them had valid chains to the NSS root store.
The numbers do not seem to change over time: in Nov 2009, it was about 30k,
and about the same in Sep 2010. In the EFF dataset of the full IPv4 space,
I find 773,512 such certificates. *Distinct* ones - and the EFF dataset has
5.5m distinct certs. It is a wide-spread problem.
For the case of Korea, [at]KevinSMcArthur found that the issuing certificates
have a pathlen of 0, which makes it impossible for the end-host cert to operate
as a CA *as long as the client actually checks that extension*. I don't know
which ones do, but it would be a question to ask the NSS developers.
As of now, I don't think these are really attacker certs, also because the
overall numbers seem to point more at some CA software that creates certs
with the CA flag on by default.
Although your article seems to indicate something bad is going on over there...
 If you want to check, CSVs at:
NIS admits to packet tapping Gmail
If proven, international fallout could occur over insecurity of the HTTP
By Noh Hyung-woong
It has come to light that the National Intelligence Service has been using
a technique known as packet tapping to spy on emails sent and
received using Gmail, Googles email service. This is expected to have
a significant impact, as it proves that not even Gmail, previously a popular
cyber safe haven because of its reputation for high levels of
security, is safe from tapping.
The NIS itself disclosed that Gmail tapping was taking place in the process
of responding to a constitutional appeal filed by 52-year-old former teacher
Kim Hyeong-geun, who was the object of packet tapping, in March this year.
As part of written responses submitted recently to the Constitutional Court,
the NIS stated, Mr. Kim was taking measures to avoid detection by
investigation agencies, such as using a foreign mail service [Gmail] and
mail accounts in his parents names, and deleting emails immediately
after receiving or sending them. We therefore made the judgment that gathering
evidence through a conventional search and seizure would be difficult, and
conducted packet tapping.
The NIS went on to explain, [Some Korean citizens] systematically attempt
so-called cyber asylum, in ways such as using foreign mail services
(Gmail, Hotmail) that lie beyond the boundaries of Koreas investigative
authority, making packet tapping an inevitable measure for dealing with
The NIS asserted the need to tap Gmail when applying to a court of law for
permission to also use communication restriction measures [packet tapping].
The court, too, accepted the NISs request at the time and granted
permission for packet tapping.
Unlike normal communication tapping methods, packet tapping is a technology
that allows a real-time view of all content coming and going via the Internet.
It opens all packets of a designated user that are transmitted via the Internet.
This was impossible in the early days of the Internet, but monitoring and
vetting of desired information only from among huge amounts of packet information
became possible with the development of deep packet inspection
technology. Deep packet inspection technology is used not only for censorship,
but also in marketing such as custom advertising on Gmail and Facebook.
The fact that the NIS taps Gmail, which uses HTTP Secure, a communication
protocol with reinforced security, means that it possesses the technology
to decrypt data packets transmitted via Internet lines after intercepting
Gmail has been using an encrypted protocol since 2009, when it was
revealed that Chinese security services had been tapping it, said one
official from a software security company. Technologically, decrypting
it is known to be almost impossible. If it turns out to be true [that the
NIS has been packet tapping], this could turn into an international
The revelation of the possibility that Gmail may have been tapped is
truly shocking, said Jang Yeo-gyeong, an activist at Jinbo.net. It
has shown once again that the secrets of peoples private lives can
be totally violated. Lawyer Lee Gwang-cheol of MINBYUN-Lawyers for
a Democratic Society, who has taken on Kims case, said, I think
it is surprising, and perhaps even good, that the NIS itself has revealed
that it uses packet tapping on Gmail. I hope the Constitutional Court will
use this appeal hearing to decide upon legitimate boundaries for investigations,
given that the actual circumstances of the NISs packet tapping have
not been clearly revealed.
Please direct questions or comments to [englishhani[at]hani.co.kr]