Interesting People mailing list archives
Surveillance via bogus SSL certificates
From: Dave Farber <dave () farber net>
Date: Wed, 24 Mar 2010 15:34:27 -0400
Begin forwarded message:
From: Matt Blaze <mab () crypto com> Date: March 24, 2010 3:09:19 PM EDT To: Dave Farber <dave () farber net> Subject: Surveillance via bogus SSL certificates
Dave, For IP if you'd like.Over a decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that.Chris Soghoian and Sid Stamm published a paper today that describes a simple "appliance"-type box, marketed to law enforcement and intelligence agencies in the US and elsewhere, that uses bogus certificates issued by *any* cooperative certificate authority to act as a "man-in-the-middle" for encrypted web traffic.Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdfWhat I found most interesting (and surprising) is that this sort of surveillance is widespread enough to support fairly mature, turnkey commercial products. It carries some significant disadvantages for law enforcement -- most particularly it can be potentially can be detected.I briefly discuss the implications of this kind of surveillance at http://www.crypto.com/blog/spycerts/ Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet-forensics/ -matt
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Surveillance via bogus SSL certificates Dave Farber (Mar 24)
- <Possible follow-ups>
- Surveillance via bogus SSL certificates Dave Farber (Mar 24)
- Re: Surveillance via bogus SSL certificates David Farber (Mar 24)
- Re: Surveillance via bogus SSL certificates David Farber (Mar 24)
- Re: Surveillance via bogus SSL certificates David Farber (Mar 24)
- Re: Surveillance via bogus SSL certificates Dave Farber (Mar 25)