funsec mailing list archives
Law enforcement appliance subverts SSL
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Wed, 31 Mar 2010 00:15:28 +0300 (EEST)
"Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the websites certificate to verify its authenticity. At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications without breaking the encryption by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities." http://www.wired.com/threatlevel/2010/03/packet-forensics/ Research paper: http://files.cloudprivacy.net/ssl-mitm.pdf Juha-Matti _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Law enforcement appliance subverts SSL Juha-Matti Laurio (Mar 30)
- Re: Law enforcement appliance subverts SSL Young, Keith (Mar 30)