funsec mailing list archives

Re: Law enforcement appliance subverts SSL


From: "Young, Keith" <Keith.Young () montgomerycountymd gov>
Date: Tue, 30 Mar 2010 19:39:46 -0400

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay,
the browser examines the website's certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company
was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications
- without breaking the encryption - by using forged security certificates,
instead of the real ones that websites use to verify secure connections.

This is new? Don't people understand that they place trust (whether valid or not) in the certificate authorities within their web browsers? The only difference between now and the mid-1990s is that all root CAs are not listed in Internet Explorer but are instead downloaded "in real time"...

--Keith

Keith Young, Security Official
Department of Technology Services
Montgomery County, Maryland
phone - (240) 777-2955
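The quoted article and the reply above turn on the same point: a browser accepts any server certificate that chains to any CA in its trust store, so a certificate issued by a CA the site never used still validates. The Go program below is an added example, not code from the original post or from the appliance vendor described. It constructs two local CAs (a "public" one, and one standing in for an interception appliance's root that has been placed in the client's trust store), issues a genuine and a substituted certificate for the made-up host `bank.example`, and shows that standard path validation accepts both while a pre-recorded SPKI pin accepts only the genuine one. The CA names, the host name and the pinning logic are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with the private key it belongs to.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template builds a certificate template: a root-CA profile when ca is true,
// otherwise a TLS server leaf for the DNS name given as name.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mkCert generates a fresh key and signs tmpl. A zero-value parent means
// self-signed (a root CA); otherwise parent issues the certificate (a leaf).
func mkCert(tmpl *x509.Certificate, parent certKey) (certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return certKey{}, err
	}
	issuer, signer := tmpl, key
	if parent.cert != nil {
		issuer, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return certKey{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return certKey{cert, key}, err
}

// must turns a setup failure into a panic; demo scaffolding only.
func must(ck certKey, err error) certKey {
	if err != nil {
		panic(err)
	}
	return ck
}

// spkiPin is the SHA-256 of the leaf's SubjectPublicKeyInfo, the value a
// pinning client records out of band for the sites it cares about.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainValid is the browser's default check: does the leaf chain to any root
// in the trust store and carry the host name being connected to?
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records how each certificate fares under each check.
type Outcome struct {
	GenuineChain, ForgedChain bool // path validation against the trust store
	GenuinePin, ForgedPin     bool // path validation plus SPKI pin
}

// Scenario stands up two trusted CAs, a genuine leaf and a substituted leaf for
// the same host, and evaluates both with and without pinning.
func Scenario(host string) Outcome {
	realCA := must(mkCert(template("Example Public CA (constructed)", true), certKey{}))
	// Models an interception appliance's root that has ended up in the client's
	// trust store. It has never seen the genuine server key.
	rogueCA := must(mkCert(template("Interception Appliance CA (constructed)", true), certKey{}))
	genuine := must(mkCert(template(host, false), realCA)).cert
	forged := must(mkCert(template(host, false), rogueCA)).cert

	roots := x509.NewCertPool()
	roots.AddCert(realCA.cert)
	roots.AddCert(rogueCA.cert)
	// The pin is recorded from the genuine certificate ahead of time.
	pins := map[string]bool{spkiPin(genuine): true}

	var out Outcome
	out.GenuineChain = chainValid(genuine, roots, host)
	out.ForgedChain = chainValid(forged, roots, host)
	out.GenuinePin = out.GenuineChain && pins[spkiPin(genuine)]
	out.ForgedPin = out.ForgedChain && pins[spkiPin(forged)]
	return out
}

func main() {
	out := Scenario("bank.example")
	fmt.Printf("genuine: chain=%v pin=%v\n", out.GenuineChain, out.GenuinePin)
	fmt.Printf("forged:  chain=%v pin=%v\n", out.ForgedChain, out.ForgedPin)
}
```

Path validation alone cannot tell the two certificates apart, because both issuers are trusted; only a check that remembers something about the genuine site (here its public key) exposes the substitution. The same idea underlies key pinning and out-of-band fingerprint comparison in real clients, with the operational cost that pins must be updated whenever the site legitimately rotates its key.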

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
