The NSA And U.S. Congress Have Destroyed All Web Security. We Must Rebuild It From The Ground Up.

The NSA has forged web security certificates. What’s worse, we knew that they could, and we still trusted certificate-based web security. Web security as we know it is dead and worthless – worse than worthless, even – and must be rebuilt from the ground up.

When you are going to a website that bills itself as secure, it uses a so-called “security certificate”. Such certificates on the web serve two purposes. One, they encrypt the session between your computer and the web server, so nobody else can listen in, and two, they identify the web server you are talking to and tell you whose web server it is. When you log onto your bank, you will see a little padlock next to the bank’s name in the address bar. The NSA and their ilk have effectively negated both of these security mechanisms.

This makes today’s Web security worse than worthless. It is not just worthless, as in not providing the claimed security whatsoever; it is worse than worthless, as it provides people at large with a thoroughly false sense of security. It’s like if all the front door locks in the world were dead easy to open for somebody who knew the magic word. Unless this lack of security is well understood – and being a technical issue, it won’t – people will keep thinking they’re secure. That’s horrible, frankly.

We should have seen this coming from far away – the mere possibility could have been anticipated for some time, although nobody probably thought the security services would want to break the entire world’s security model. Now we know they won’t hesitate to do so.

Many certificate suppliers are based in the USA. This, combined with the infamous National Security Letters (NSLs) that the U.S. Congress has created, is a death knell. There is nothing stopping the NSA from issuing such a letter compelling Verisign or any other U.S.-based certificate authority to issue a forged certificate to the NSA, and be forced by law to not tell anybody about it.

The mere possibility of this happening is enough to declare certificate-based web security stone dead as a technology – but we know now that the NSA has already used forged certificates to impersonate Google. That’s extra damning. Let’s take that again: the NSA forced web traffic intended for Google’s servers to take a route through the NSA’s servers, where the NSA presented themselves as Google and were able to wiretap traffic intended for Google’s servers, negating both functions of certificate-based security.

It’s extra damning as Google not only relies on the certificate itself to present the session as secure, but Google’s own browser also verifies that it’s not a Google certificate, but Google’s Google certificate. Apparently, NSA foiled this, too.

In an internet technical draft published earlier in response to the first NSA revelations, this practice is coined kleptography – to deliberately supply somebody with a weakened form of cryptography in order to wiretap them. The word is appropriate.

We can no longer rely on a model where one compromised node in the framework means the compromise of the framework as such, which is the case with certificate-based security. We need a much more resilient framework than that, where each client as well as the framework itself is able to detect and reject a compromised security provider, or group of security providers.

SSL is dead. Long live web security. We must rebuild it from the ground up.

One very simple solution could be to allow for self-created certificates and use the DNS framework to validate the certificate for a given website, which would at least give a degree of distributed resilience. While the DNS framework has its own centralization problems, it would be an easily implemented stopgap measure that would have the added bonus of erasing the entire certificate industry, which is artificial anyway. If the client checked a certificate’s signature with its own DNS server and with public DNS servers in five different jurisdictions – say, Canada, Switzerland, South Africa, Brazil, and Japan – getting a greenlight from all of them would be rather good confirmation of the self-created certificate being genuine.

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He lives on Alexanderplatz in Berlin, Germany, roasts his own coffee, and as of right now (2019-2020) is taking a little break.


  1. -

    This article from over a year ago might explain something:

    Basically, all major US “cloud” companies, webmail providers and OS manufacturers (including Ubuntu) use a single, mostly unknown company to handle their DNS servers and provide whatever other “brand-protecting” and “firewall proxy” services.

    MarkMonitor just might be a “plausible deniability” front set up by NSA, DoD or something.

  2. Ano Nymous

    As usual, the Swedish news aren’t doing what they should. They go “The FRA is a key player in the NSA spy network bla bla bla”.

    Well, that IS news worth mentioning, like for example that many burglaries are taking place now.

    But the crypto scandal IS NEWS WORTH MENTIONING, like for example a mass scamming that is tricking many thousands of people to give away thousands of Euros each, and that is still going on …
    To approximately put the two on scale.

    That the FRA is a key player is a fact that is somewhat important to know, but one can not immediately do so much about.
    That the NSA (GCHQ, FRA?) are forging certificates and have backdoors everywhere is something that continously affects everyone’s privacy and may at any given time affect any given number of people’s privacy vastly more, affect their economy, and even their life and health. People need to know that very few forms of supposedly secure and safe forms of electronic services actually are, and to stop using the ones that are not.

    The media know it, they are just shutting up because they don’t want to shake the economy, they just hope everything will be alright for now… Maybe it will, but it will not be alright forever. Short term gain without thinking of consequences. Same thinking like putting in a nail instead of a fuse because the fuse blew too often.

  3. Anonymous

    If this isn’t fixed now the mess could be very big in the future, once more people catch up with all the vulnerabilities and creative ways to exploit them become more and more common.
    Who knows in how many ways all the personal information of people could be used for nefarious purposes, and who knows how long it would take to fix the mess if allowed to happen.
    Things like copyright and pattent trolls and porn lawsuits have affected a lot of people for a long time and only now they are starting to be taken seriously.
    Without enough pressure the authorities can take a very long time to deal with the issues they themselves allowed to happen.

    1. Idee

      It is even more worse!
      NIST, an US Government Office for Crypto Standards, can not recommend the Standards for Crypto anymore:
      here the text:

      It is like the hunt after the Millenium Bug. The Backdoors for intel services are implemented everywhere and it will last time to rekonfigure that.

      1. pwq

        Well, the real story is here:, and it gets even worse:

        And look in the comments of this post for the very severe implicatons – you’re may not safe even if you use your own crypto:

        This also implies that NIST probably was in on this thing (for one thing, this has similarities to the Clipper crypto that NIST was involved in before the scheme was scrapped), so this impies that not only do the certificates and algorithm needs to be fixed, but the whole software infrastucture needs to be cleaned up. Otherwise NSA may be able to recreate secure computers internal private keys, something not even the owner may be able to do.

  4. D

    All of these revelations seem to be leading to one thing to me. The utter abandonment of the internet. There is nothing about it that can be trusted anymore. Unless as you suggest it can be rebuilt, people will have to completely abandon electronic communication. Did the spy agencies even understand the pandora’s box they were going to open? Or did they just not care?

    1. Ben

      Most people have very little to no knowledge of the NSA’s wiretapping activity. Hell, I’ve had people tell me it’s a conspiracy theory! Nevermind the fact that our own president openly admitted to it and defended it.

      The people that do have knowledge of it have either a ‘nothing to hide, nothing to fear’ attitude, or think there’s nothing they can do to stop it anyways.

      Nobody is going to stop watching videos of cats and using social media over this.

    2. mentorian

      They did care. In fact, they cared about it so much that if they couldn’t read and control it all, nobody should be allowed to communicate. ‘One Ring to…’ Oh Well, or is it Or Well?

  5. phillipsjk

    I could not parse:
    “It’s extra damning as Google not only relies on the certificate itself to present the session as secure, but Google’s own browser also verifies that it’s not a Google certificate, but Google’s Google certificate. Apparently, NSA foiled this, too.”

    You seem to be implying that you tested this and Google’s browser said that the cert was issued by Google. You go on to imply that becuase the NSA is interceping the connection, this must be false. How do you know the NSA is monitoring *every* connection to Google?

    Google participates in PRISM , so there should be no need to intercept everything.

  6. Thomas

    Isn’t the DNS system itself in the hands of the US, ie. the ROOT servers?

    Also, the DNS sytem already got some of its own security add-on, DNSSEC.
    From ; “DNSSEC can protect any data published in the DNS, including text records (TXT), mail exchange records (MX), and can be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS such as Certificate Records (CERT records, RFC 4398), SSH fingerprints (SSHFP, RFC 4255), IPSec public keys (IPSECKEY, RFC 4025), and TLS Trust Anchors (TLSA, RFC 6698).”

    One could simply put the SSL signature in the DNS database, but as the DNS ROOT database is kinda compromised, it’s not gona be good enough by itself.

    And in the end, isn’t what you’re suggesting a “Web of trust” where you’re computer ask other computers if something is OK, but its hard to know who is saying its OK, since the powers that be, can simply flood the system with fake OK sayers?

    1. Rick Falkvinge

      And in the end, isn’t what you’re suggesting a “Web of trust” where you’re computer ask other computers if something is OK, but its hard to know who is saying its OK, since the powers that be, can simply flood the system with fake OK sayers?

      It’s easier than that. One criterion for a Man-In-The-Middle to succeed is that the end server is unaware of the attack (or else the server can warn visitors or even shut down). If the DNS is expected to say 0xDEADBEEFDEADBEEF as the cert fingerprint, and an intruder needs DNS to say something else entirely when a client asks, then that will also be detectable for the server operator, heavily mitigating the stealth factor of a MITM.

      1. Thomas

        A improvement would be a certified (yes, back to certificates, but self signed ones is ok ) web of trust. Where one trust the site, all sites a friend have trusted, all friends the friend have trusted. Its gona be a mess to administrate, but decentralisation has a price.

        As a example would be to trust a bank guild as a friend. One go to a bank AFK and ask for its guild certificate, to be able to visit all banks, or just simply the individuals banks certificate. Then back at home, the user while doing bank transactions, must keep track that the bank site is approved, preferably by both the bank guild, the banks, and preferably a friends certificate, that also has done the same legwork AKF for the certificates.
        (Oh crap, just realised, besides when cash and sensitive personal information is involved, most common users, (sadly me included most likely) will feel like the work is not worth it, I guess total anonymitysation will have to do for the rest.)

        Or maybe some kind of up-vote/down-vote like in some commentary systems, but for peoples trust.

        Also, if the server admin/owner is forced to agree to the MITM attack. The attacker can both force to tap directly into the server, or to force all needed participants to reroute the traffic to the MITM.

        The end result, we the users, the people, are screwed.

    2. Jungle Dave

      … Convergence, except centralized. Wait…

  7. Jonas

    It’s a nice idea you have at the end there by decentralizing the certificates by utilizing DNS. Sadly, it will not be a viable option. You do mention that they have their own centralization issues to deal with… DNS have way worse issues than with centralization. There are to many registars without proper routines for domain transfers and they issue transfers to almost anyone sending a fax claiming to be the owner of a domain. Not going to mention any registars that I know do this by name here but “trust me” (trust me kinda have lost concept to me now though). There are many CA servers still running DES or 3DES encryption for their own keys aswell which is retarded. Sionun Jones at Google+ went into detail aswell about some of the issues the CAs currently have… check it out at
    I have nothing to do with the person mentioned above, just found it interesting and thought you might aswell.

  8. Anonymous

    I said we should use PGP certificates, but nobody listened.

  9. Jared Hardy

    Unfortunately DNS providers are even more untrustworthy than SSL certificate providers (they are often the same legal entity!). I think the only realistic solution is a peer Web-of-Trust (WoT) system where the minimum possible friend-of-friend chains are used to verify any kind of data source — whether that data is a name, content, or identity. Private key pairs using post-quantum cryptography could be used to confirm vouchsafe chain links down the entire connection to each data resource. Identities within these chains could also later be used in realspace to expand social horizons, which would in turn further shrink the necessary trusted friend-of-friend links to arrive at any shared data set.

    The main point of all this is that we need systems that allow us to individually choose who we trust on any given topic. Forcing us all to trust the same big faceless and immortal corporations is never going to work.

    1. Anonymous

      So instead we should trust a faceless web of trust that the technically illiterate are allowed to contribute to?

      Computing technology always lends itself to the lowesst common denominator, or the richest and most powerful. The only way to solve that problem is to not give power to anyone but yourself.

      Run your own DNS checks, run your own encryption certificate verification, and publish your own stuff- don’t have some faceless body of people give you a “99.9% security track record- guarenteed!”

      1. Jared Hardy

        No Web of Trust ever needs to be faceless. That’s exactly the point of it. You only have to trust people you physically meet with face to face, enough to partially trust those that they perform the same confirmation with elsewhere. If this chain of trust only extends to the technically adept, then it is too limited for real world use. It is up to the technically literate like us to create systems that make it easier to exchange and confirm public keys in person, and keep it all open source so that trusted security advisors all over the world can confirm these functional tools. SSL and related certification schemes do not qualify at any of this. PGP is the only PKI approaching qualification — it just needs better tools and more comprehensive use cases.

  10. Quinn

    I agree completely that it needs rebuilt.

    Not patched, not added to, not given tools like Tor and VPNs. Rebuilt- from scratch.

    1. scandinavianpirate

      Yes, and needs to be open source and get as many volunteers as to keep up with any attempts to plant backdoors in it. Also it is needed that those volunteers can’t be spied on and/or saboutaged while using compromised software during the development process.

  11. Ingo

    SSL (TLS!) doesn’t need to be replaced, public key certificates with signatures from other parties is the only reasonable model for widespread secure connections. The problem is the centralised trust, which needs to be distributed instead. Monkeysphere is one way of doing it, which uses the existing PGP web of trust to certify SSL and SSH connections.

    Even better would be mandatory or opportunistic encryption at the IP or TCP level, but that is a much larger project.

  12. coldtoon

    we are already rebuilding it please help spread it
    by the way you should team up with

  13. David Collier-Brown

    A subtle trick here: we talk about “certificates” as if someone was certifying that public key X belongs to person Y. In practice a certificate-seller creates the private and public key and sells the private to the customer, then certifies they did so.

    Being in the certificate business means
    1) you can sell fake certificates, an intercept sessions on the fly
    but if you’re also selling keys, you can
    2) sell copies of the customers’ keys, and in principle decrypt past sessions

    I can’t address (1). but a prohibition against certificate authorities selling keypairs would be a good first step against (2), and would flow through the economy within a few years as new certificates are sold.

    I’d love to hear discussion about how to counteract (1), but even an RFC about proper certification practices would be a contribution to reducing (2).


  14. Nick

    As far as stop-gaps go, “DNSSEC-signed records in the DNS telling you which certificates are valid for a particular domain” is a Thing. It’s called DANE, and the standard was finalised recently. Until an alternative is viable, everyone should deploy DNSSEC + DANE ASAP, in all server and client software and deployments under your control.

    It’s a bit awkward at the moment, especially if you’re starting from scratch, but it *is* possible. It took me less than a day to get it all working.

    Longer-term, hierarchical models in general are likely to remain problematic, and the only alternative we know of right now is web-of-trust. But web-of-trust requires significant investment of user’s time, for a fundamentally quite unquantifiable metric. Hybrid mechanisms, or something completely new, are requried before hierarchical trust can be replaced, I’d suggest.

  15. Filino

    We need GNUNET ou MESHNET:

    1. Idee

      The backdoors of intel services are implemented in soft and hardware. It will take years to reconfigure it and sometime you can’t reconfigure it. Just imagine old aged users let allone with all these technic. They are happy when they can write e-mails and skype-chat for their social needs while they are immobile in their beds/homes. They are happy when they can do home banking even it is the last they can do when “skript kiddies” passing by with a network scan and intruder software.

  16. Anonymous

    has anyone really noticed how every time there is something untoward happening, it’s almost always, without fail, the freakin’ USG that’s behind it? has anyone really bothered to think let alone discuss what they are really up to? how long it will be before they achieve what their aim is or actually make that big play for it, before either someone figures it out or makes a play for it themselves? in my opinion, that ‘thing’ is to take complete control of the Internet, making sure that there is nothing and i mean nothing posted that hasn’t first been scrutinised for hours to ensure it isn’t going to harm the USG or any company that is owned/run/based in the USA. everyone else can take a hike because they wont matter! what happens to them wont matter either and after they have eliminated everyone from everywhere, under their paranoid belief that everyone wants to eliminate them, they will simply move over to wherever they like and start again. there has been no thought though that the ‘moving and starting again’ thing will lead to a recurrence of what just happened but next time will be going the other way!

    1. Zen Programmer

      I think the saying “Just because you’re paranoid doesn’t mean everyone isn’t out to get you” might apply a little.

  17. Idee

    The backdoors in the certificate things are really bad. Since years Chaos Computer Club announced “Entenhausen will get alive.” When you get a proper certificate key you can be Donald Duck or Micky Mouse etc. with a real and fully working identity card:
    The set of these videos starts with:
    Sorry, it is german language.

  18. Max Pont

    This will most likely trigger large countries that have shown independence towards the US to break away from the tainted and compromised US-based “internet” and develop their own hierarchy/web of trust.

    If for example Germany would offer an alternative I think that many non-US based companies would rather trust the German government than the US/Pentagon for their payment systems and confidential internal communication. The same goes for most non-US based banks and financial institutions. Other large countries such as Russia, Brazil, Japan, South Africa and China will most likely also break away completely from NSA’s “internet” after this. This is a more likely to succeed than an open source “hacker” based P2P bottom-up solution.

    The medium term damage to US based tech companies will be massive. Customers will punish them hard.

    The only way for Google, Apple , Oracle, Facebook, Microsoft, Yahoo etc. to avoid this fate would be to immediately move their company HQ out of the US and go into exile to escape the US jurisdiction.

    1. Zen Programmer

      I think it’s going to devastate the US tech industry.

  19. Anonymous

    Are there any browsers or plugins which permanently store sites’ SSL certificates after visiting the site for the first time? That way the certificate authority wouldn’t need to be used on repeated visits to the site, and if the certificate stops working and needs to be changed, it would display a warning before downloading the new one from the cert authority.

  20. Ano Nymous

    Could this be the explaination for a thing I read a long time ago? I read about some “paranormal” thing going on with random number generators, when a big disaster struck the world, the “collective conciousness” or something of all humans affected them to be not-so-random.

    Maybe what affected them was the “enable backdoor”-signal from the NSA when they wanted to listen in on the culprits…

    Sure makes more sense than the “collective conciousness” thing.

  21. Linda

    Everything now indicates that we really do need to rebuild the Internet from the ground up, starting with simple things, like new transparent ethernet cables (ref Jacob A.), secure processor chips and peripherals (Glen G./Snowden) and the infrastructure mentioned above.

    Globally, there is more than enough talent to do this, and dare I say it, demand for these new, provably secure products will be insatiable. What we really need is the means to pay the developers to do it, and I’m not talking about Kickstarter.

    There are billions in Bitcoin just sitting in wallets doing nothing – this is money that could be spent on FOSS solutions to all these problems.

  22. […] med dom medspelare man har bland it-företagen så är det nog ingen större tvekan om att NSA:s fördärvliga inflytande betyder Ragnarök för säkerheten på […]

  23. […] på att den amerikanska administrationen har några som helst planer på att sätta broms på NSA:s globala underminering av it-säkerheten men däremot tecken som tyder på […]

Comments are closed.