funsec mailing list archives

Law enforcement appliance subverts SSL


From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Wed, 31 Mar 2010 00:15:28 +0300 (EEST)

"Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, 
the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company
was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications
— without breaking the encryption — by using forged security certificates,
instead of the real ones that websites use to verify secure connections. 
To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted 
Certificate Authorities."

http://www.wired.com/threatlevel/2010/03/packet-forensics/

Research paper:
http://files.cloudprivacy.net/ssl-mitm.pdf

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
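As an added example (not code from the Wired article, the linked paper, or the post author), here is a small Python check that makes the point concrete from the defender's side: a forged certificate issued by any one of the 100+ trusted CAs passes the browser's ordinary chain validation, so catching it takes an independent check, pinning the expected leaf fingerprint and flagging a change between visits. The DER byte strings are constructed stand-ins, and `fetch_leaf_der`, `check_pin`, `evaluate` and `FirstSeenStore` are names assumed for this example.

```python
"""Pinning and first-seen checks that a CA-issued forgery fails (added example)."""
import hashlib
import socket
import ssl
from typing import Dict, Set

# Constructed stand-ins for DER-encoded certificates. Real values come from
# ssl.SSLSocket.getpeercert(binary_form=True), as in fetch_leaf_der() below.
GENUINE_DER = b"constructed: DER of the site's genuine certificate"
FORGED_DER = b"constructed: DER of a forged certificate signed by another trusted CA"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the 'certificate fingerprint' browsers display."""
    return hashlib.sha256(der).hexdigest()


def check_pin(der: bytes, pinned: Set[str]) -> bool:
    """Pin check: is the presented certificate one the operator decided to trust?

    Chain validation asks 'did any trusted CA sign this?'. A forged certificate
    from one of the 100+ trusted CAs answers yes. The pin asks the narrower
    question 'is this the certificate I expect?', which the forgery answers no.
    """
    return fingerprint(der) in pinned


def evaluate(der: bytes, chain_valid: bool, pinned: Set[str]) -> str:
    """Combine the browser's chain verdict with the pin into one outcome."""
    if not chain_valid:
        return "reject: chain invalid"
    if not check_pin(der, pinned):
        return "alert: chain valid but certificate is not pinned (possible CA-issued forgery)"
    return "ok"


class FirstSeenStore:
    """Trust-on-first-use memory: records the fingerprint seen per host and
    reports when a later connection presents a different certificate."""

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}

    def observe(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        previous = self._seen.get(host)
        if previous is None:
            self._seen[host] = fp
            return "first-seen"
        return "match" if previous == fp else "changed"


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch a live host's leaf certificate (needs network; not used by the offline checks)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pins = {fingerprint(GENUINE_DER)}
    print(evaluate(GENUINE_DER, True, pins))
    print(evaluate(FORGED_DER, True, pins))
    store = FirstSeenStore()
    print(store.observe("bank.example", GENUINE_DER), store.observe("bank.example", FORGED_DER))
```

A legitimate certificate renewal also changes the leaf fingerprint, so in practice a pin is usually placed on the site's public key or on the expected issuing CA rather than on one certificate, and a "changed" result is a prompt to investigate the new chain rather than proof of interception.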

