Surveillance via bogus SSL certificates

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Matt Blaze <mab () crypto com>
> Date: March 24, 2010 3:09:19 PM EDT
> To: Dave Farber <dave () farber net>
> Subject: Surveillance via bogus SSL certificates

> Dave,
>
> For IP if you'd like.
>
> Over a decade ago, I observed that commercial certificate  
> authorities protect you from anyone from whom they are unwilling to  
> take money.  That turns out to be wrong; they don't even do that.
>
> Chris Soghoian and Sid Stamm published a paper today that describes  
> a simple "appliance"-type box, marketed to law enforcement and  
> intelligence agencies in the US and elsewhere, that uses bogus  
> certificates issued by *any* cooperative certificate authority to  
> act as a "man-in-the-middle" for encrypted web traffic.
>
> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
>
> What I found most interesting (and surprising) is that this sort of  
> surveillance is widespread enough to support fairly mature, turnkey  
> commercial products.    It carries some significant disadvantages  
> for law enforcement -- most particularly it can be potentially can  
> be detected.
>
> I briefly discuss the implications of this kind of surveillance at http://www.crypto.com/blog/spycerts/
>
> Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet-forensics/
>
>
> -matt



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com