I keep coming back to the SSL certificate. Why is the SSL certificate for ClimateForChange.ca listed to be the certificate for stephanedion.ca? The more I think about it, the more uneasy I become. There is just no way that should have happened by accident. What I do understand of how certificates work suggests that this connection is a big deal.
In trying to understand the strange set of connections between ClimateForChange.ca, the non-profit non-partisan environmental group threatening to sue the Conservative government of Stephen Harper for not making Kyoto work, and the federal Liberal Party, I keep coming back to the SSL certificate:
IP Information for 64.26.141.35
IP Location: Canada Canada Ottawa Peter Pundy Consulting Inc
Resolve Host: lp1.campaigngear.net
IP Address: 64.26.141.35
SSL Cert: stephanedion.ca SSL Certificate has expired.
The domain name ClimateForChange.ca resolves to the IP address 64.26.141.35. And there is the SSL certificate: stephanedion.ca. That site, the online home of Stephane Dion's leadership campaign, no longer exists, but is 301 redirected to the official website of the Liberal Party of Canada.
Another blogger points out that this shared key is seriously strange. So I decided to review the principle behind SSL certificates, as I was only vaguely aware of how they worked. I knew it depended on a pair of keys:
The encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. This is sometimes hard to understand, but believe me it works. The keys are similar in nature and can be used alternatively: what one key encrypts, the other key pair can decrypt. The key pair is based on prime numbers and their length in terms of bits ensures the difficulty of being able to decrypt the message without the key pairs. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can send you an encrypted message, that only you will be able to decrypt. You are the only one to have the other key pair, right? In the opposite, you can certify that a message is only coming from you, because you have encrypted it with your private key, and only the associated public key will decrypt it correctly. Beware, in this case the message is not secured; you have only signed it. Everybody has the public key, remember!
One of the problems left is to know the public key of your correspondent. Usually you will ask him to send you a non-confidential signed message that will contain his public key as well as a certificate.
Let's say I send an encrypted message to ClimateForChange.ca. The obvious would be an online donation that includes my credit card number, my mailing address, and my phone number. That information is encrypted using the public key that ClimateForChange.ca sent to my browser via the SSL certificate, which is tied to a website and managed by a third party. My personal data is encrypted using the public key extracted from that certificate and transmitted back to ClimateForChange.ca.
ClimateForChange.ca can decrypt that message and process my credit card donation because it has the private key.
No one else should have that private key. As long as ClimateForChange.ca is the only place that private key exists, I can be assured that anyone else who collects that message will only see gibberish.
But we know that the key is known to the people who ran the stephanedion.ca website. That means the Liberal Party, in principle, can decrypt any SSL-encrypted message sent to ClimateForChange.ca. Likewise, ClimateForChange.ca could decrypt any message sent to the Liberal Party, assuming the Liberal Party is still using that key (it is not clear whether it is -- the party donation page seems to use a different key, but who knows what other encrypted communications channels exist).
But none of this makes sense. How would ClimateForChange.ca have ever gotten hold of the stephanedion.ca key in the first place? Either the people who made the ClimateForChange.ca website were given the key by Stephane Dion's people directly, or the same people created both sites and just used the same key.
But I don't know that it is even as simple as that. The certificate has to be connected to the website. You just can't use a certificate on a website other than the one for which it was issued unless some sort of proactive transfer happens with a third party involved:
How do you know that you are dealing with the right person or rather the right web site? Well, someone has taken great lengths (if they are serious) to ensure that the web site owners are who they claim to be. This someone, you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending on the usage) and the certificate ID of the person who certifies (signs) this information. It also contains the public key and finally a hash to ensure that the certificate has not been tampered with.
I think that means if the stephanedion.ca certificate was being used by ClimateForChange.ca, someone had to tell the third party that manages the certificates to ensure the integrity of the SSL system that ClimateForChange.ca was an authorized user. Presumably only the owner of the stephanedion.ca certificate can do that, and only by establishing that ClimateForChange.ca is just another site in a family of sites owned by the same organization and one of several sites that share information.
Maybe that last bit is a stretch, but it makes sense to me.
If I'm all wrong on this, can some expert on online security explain how this is supposed to work?
did you know that the G&M has an article about workingfamilies.ca??
Posted by: tori at August 23, 2007 04:11 PM
It's quite telling that you choose to be bothered by this rather than the Conservative's scheme that has them at odds with Election Canada.
Posted by: rob at August 23, 2007 04:41 PM
Angry is trying (on Buckler's instructions no doubt) to change the channel.
Unfortunately, a money-laundering scam is very hard to sideswipe :-)
Be brave Angry. Write about the Citizen piece. It will set you free. Liberty, freedom and all that.
Posted by: at August 23, 2007 05:09 PM
bzzzzt
I...do...not...know...Buckler.
I...do...not...know...Buckler.
end...of...transmission
bzzzzt
Seriously, as always, this story is mine. 100%. I don't know if the PMO folks have even seen it. I stumbled on the connection entirely on my own.
Posted by: Steve Janke at August 23, 2007 05:19 PM
Looks to me that "rob" and the brave anon poster are themselves trying to "change the channel" from this latest example of Liberal corruption.
Posted by: Paul M at August 23, 2007 05:43 PM
Nice job btw Steve!
Posted by: Paul M at August 23, 2007 05:44 PM
Me thinks Stephan's gremlins were dispatched to try and change the channel on your discovery, Steve.
Prepare for some kind of digital attack on your site. The slimy Liberals invented dirty tricks, they won't stop now.
Posted by: zilla at August 23, 2007 05:47 PM
Sorry to hi-jack but will the investigation on the personnel files "left by the movers" that were trundled out by the Libs be completed before the end of the year?
Posted by: at August 23, 2007 05:49 PM
I've taken a brief look at the site.
If you try to make a donation, your information is sent to https://secure.fasttransact.com - where they are using a proper & valid cert. The credit card merchant name is 'Canadian Centre for Policy Ingenuity' (btw - your ip address, dns name and browser version are all logged).
However, the stephanedion.ca cert could not have been put on the server without having control of the cert. Perhaps it is just a left-over from when sd.ca was on this server. It could have been moved, and then cfc.ca run on the same server instance.
Posted by: Mike F at August 23, 2007 06:18 PM
"However, the stephanedion.ca cert could not have been put on the server without having control of the cert. Perhaps it is just a left-over from when sd.ca was on this server. It could have been moved, and then cfc.ca run on the same server instance."
Thanks for that, Mike. A question, though. Isn't a certificate associated with a site, not a server? Why would a query report that SD certificate for CfC? Each site would have its own certificate, wouldn't it? Multiple certificates on one server hosting multiple sites. My understanding could be off, but either a certificate is associated with a site or it is not.
Posted by: Steve Janke at August 23, 2007 06:26 PM
Hey Steve,
The Private Key is a file that sits on the server. It need not belong to the same domain "name", but if it doesn't, it must resolve to the same IP (which typically means, the same hosting location). There doesn't =have= to be a conscious handover of the cert.
However, if this is hosted by a provider, they are sloppy and unprofessional to leave a private key kicking around for other organizations to see & use.
This also reflects poorly on the IT people that help the liberals, why wouldn't they pony up the cash to be a signing authority and create their own keys? Oh ya, that's right, they're broke! *giggles* It'd've only cost them a few bucks to not leave this trail at all... sloppy...
Posted by: Lore_Weaver at August 23, 2007 07:33 PM
I had a feeling my understanding of keys and certificates was faulty.
The fact that there is no proactive handover bothers me. But then I'm not a network architect, so maybe this represents the best that could be done.
Posted by: Steve Janke at August 23, 2007 07:54 PM
When you assign an SSL certificate to a website, you first generate a certificate signing request (CSR) from the webserver which will be serving the pages. During this process you provide information such as url, organization etc etc. The fact that this site is showing that URL associated with it, means that the person running the webserver has administrative access to the web server of both sites, and either purposefully or accidentally assigned the certificate for **dion.ca to **change.ca. When you are prompted to accept the certificate there is also an option to view the cert, which may provide further information.
Long and short, the person in charge of the web server, or the website itself depending on the provider had access to both. The **dion cert would have been created first, and then assigned to the **change site.
Posted by: IT dude at August 23, 2007 09:53 PM
That IT dude. It sounds like we're back to the same people behind both sites.
Posted by: Steve Janke at August 23, 2007 10:27 PM
"It sounds like we're back to the same people behind both sites."
Let's be clear: the same sysadmins behind both sites. To me, this isn't proof positive of astroturfing. It merely proves that the climateforchange.ca people are using the same web server and sysadmins as some Liberals. Could be a coincidence, or maybe not.
Posted by: Dirk at August 23, 2007 11:00 PM
I said as much in my first addendum in my previous post. But the known links between the two organizations, and the presence of the CfC site on a server that seems to otherwise be solely for the use of Liberal Party websites, and the question of the SSL certificate together suggest something stronger. Enough for a warrant, but not a conviction, in a legal sense. In other words, enough to justify a few pointed questions from journalists, I think.
Posted by: Steve Janke at August 23, 2007 11:55 PM
It would be "enough to justify a few pointed questions from journalists" but we're talking about Liberals here, thus no interest.
Posted by: Libby at August 25, 2007 10:24 AM
I do this kind of stuff for a living, normally, the private key is protected by a password. This is to prevent its fraudulent re-use if somebody gets ahold of it. It is not normal for the private key to be stored in the clear but it does happen. Whether or not it is stored encrypted (ie. protected by a password) or in the clear is, initially, decided by whomever requests the certificate.
The server won't start (with the specified certificate installed) unless it has access to the corresponding private key.
I imagine the same crew who managed the sd.ca site also manage the change.ca site and were either too lazy or cheap to request a new cert (certs cost $).
Either way, they are likely breaking the agreement they made with whomever issued them their cert. Nothing new for the Libs though... breaking an agreement, taking the easy way out etc etc.
Posted by: Mike C at August 25, 2007 03:54 PM
FYI, I have just sent a request to both Starfield and Valicert (the two superior certificate authorities in the certificate chain) requesting that the server certificate for stephanedion.ca be revoked for contravening their CA's subscriber agreement.
Posted by: Mike C at August 25, 2007 04:08 PM