funsec mailing list archives
Re: Law enforcement appliance subverts SSL
From: "Young, Keith" <Keith.Young () montgomerycountymd gov>
Date: Tue, 30 Mar 2010 19:39:46 -0400
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity. At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications - without breaking the encryption - by using forged security certificates, instead of the real ones that websites use to verify secure connections.
This is new? Don't people understand that they place trust (whether valid or not) in the certificate authorities within their web browsers? The only difference between now and the mid-1990s is that all root CAs are not listed in Internet Explorer but are instead downloaded "in real time"...

--Keith

Keith Young, Security Official
Department of Technology Services
Montgomery County, Maryland
phone - (240) 777-2955

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
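As an added illustration of the point above (example code, not part of the original thread), the Go program below builds a genuine chain and an interception chain for the same constructed hostname and shows that ordinary path validation accepts the forgery as soon as its issuing CA is in the root store, while a public-key pin taken from the genuine certificate still tells the two apart. All CA names, the hostname and the keys are constructed on the fly; the code assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// mkCert issues a cert signed by parent (self-signed root when parent is nil);
// name is the CommonName and, for a leaf, the DNS SAN the client matches.
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if !isCA { tmpl.DNSNames = []string{name} }
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value key pinning compares.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// chainsTo reports whether leaf validates for host against the given root store.
func chainsTo(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo: genuine and forged chains for one constructed host; the forgery passes only once the
// interception CA is in the root store, and never matches the genuine SPKI pin.
func Demo() (withoutSpyCA, withSpyCA, pinMatches bool) {
	const host = "bank.example" // constructed hostname
	realCA, realKey := mkCert("Real Root CA", true, nil, nil)
	realLeaf, _ := mkCert(host, false, realCA, realKey)
	spyCA, spyKey := mkCert("Intercept Appliance CA", true, nil, nil)
	forged, _ := mkCert(host, false, spyCA, spyKey)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	withoutSpyCA = chainsTo(forged, roots, host)
	roots.AddCert(spyCA) // one extra trusted root is all the appliance needs
	withSpyCA = chainsTo(forged, roots, host)
	pinMatches = spkiPin(forged) == spkiPin(realLeaf)
	return
}
```

The pin comparison is the defender's lever: a client that remembers the genuine SPKI hash for a host notices the swap even when every signature in the forged chain checks out.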