Interesting People mailing list archives

Re: Surveillance via bogus SSL certificates


From: David Farber <dave () farber net>
Date: Wed, 24 Mar 2010 19:32:16 -0400



Begin forwarded message:

From: "Ed Gerck, Ph.D." <egerck () nma com>
Date: March 24, 2010 4:29:40 PM EDT
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Surveillance via bogus SSL certificates


Chris Soghoian and Sid Stamm published a paper today that describes a simple "appliance"-type box, marketed to law 
enforcement and intelligence agencies in the US and elsewhere, that uses bogus certificates issued by *any* 
cooperative certificate authority to act as a "man-in-the-middle" for encrypted web traffic.


This may have a political flair but is not new technical information, in spite of the authors' claim. For example, it 
was mentioned early this year in this list (see "rogue certificates" in the "SSL would prevent it" thread) and ten 
years ago I presented a paper at the Red Hat Conference that said: "The CA paradigm is thus, essentially, to rely on 
an authentication chain that ends in a ... CA that eventually certifies itself. Therefore, the validity problem is 
shifted from a local perspective to a global perspective, with the whole chain depending on one final link. At the end, 
ignorance (and the possibility of fraud) is leveraged to a high degree, in which one weak link may compromise a whole 
chain of certificates." A copy is online at http://mcwg.org/mcg-mirror/cert.htm

Best regards,
Ed Gerck
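The message above makes a structural point: a client that trusts a set of roots accepts a certificate signed by any one of them, so a single cooperating CA is enough to produce a certificate the client cannot tell from the genuine one. The following is an added illustration, not code from the post, the paper it discusses, or any real CA or client. It simulates that trust model in a few dozen lines and shows one mitigation, per-host key pinning, rejecting the certificate that plain chain validation accepts. All names (LegitCA, CooperativeCA, the keys, the host) are constructed sample values, and HMAC-SHA256 stands in for a real asymmetric signature because every party lives in the same process.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate: binds a subject name to a key id, signed by an issuer."""
    subject: str
    issuer: str
    key_id: str     # SHA-256 of the subject's (toy) key
    signature: str  # hex HMAC-SHA256 over the to-be-signed fields


def _tbs(subject: str, issuer: str, key_id: str) -> bytes:
    # To-be-signed bytes; JSON gives a stable, unambiguous encoding.
    return json.dumps([subject, issuer, key_id]).encode()


def issue(issuer_name: str, issuer_key: bytes, subject: str, subject_key: bytes) -> Cert:
    """The issuer signs (subject, issuer, key_id). HMAC is a stand-in for an
    asymmetric signature; it only works here because all parties are simulated."""
    key_id = hashlib.sha256(subject_key).hexdigest()
    sig = hmac.new(issuer_key, _tbs(subject, issuer_name, key_id), hashlib.sha256).hexdigest()
    return Cert(subject, issuer_name, key_id, sig)


def verify_sig(cert: Cert, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, _tbs(cert.subject, cert.issuer, cert.key_id),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.signature)


def chain_validates(cert: Cert, trust_store: dict) -> bool:
    """The CA model as clients implement it: the certificate is accepted if it
    was signed by ANY root in the trust store. Which root does not matter."""
    root_key = trust_store.get(cert.issuer)
    return root_key is not None and verify_sig(cert, root_key)


def pinned_validates(cert: Cert, trust_store: dict, pins: dict) -> bool:
    """Chain check plus a per-host pin: the leaf key must be one the operator
    has declared for that host. A certificate from a different, still-trusted
    CA that carries some other party's key fails the pin."""
    if not chain_validates(cert, trust_store):
        return False
    allowed = pins.get(cert.subject)
    if allowed is None:
        return True  # host not pinned; fall back to plain chain validation
    return cert.key_id in allowed


# ---- Constructed scenario (sample values, not real keys or CAs) ----
LEGIT_KEY = b"legit-ca-toy-secret"
COOP_KEY = b"cooperative-ca-toy-secret"
TRUST_STORE = {"LegitCA": LEGIT_KEY, "CooperativeCA": COOP_KEY}  # client ships both roots

SITE_KEY = b"www.example.com-toy-key"      # the site's own key
OTHER_KEY = b"some-other-party-toy-key"    # a key the site never used

GENUINE = issue("LegitCA", LEGIT_KEY, "www.example.com", SITE_KEY)
BOGUS = issue("CooperativeCA", COOP_KEY, "www.example.com", OTHER_KEY)
UNTRUSTED = issue("UnknownCA", b"unknown-ca-toy-secret", "www.example.com", OTHER_KEY)

# Operator-declared pin: the set of key ids acceptable for this host.
PINS = {"www.example.com": {hashlib.sha256(SITE_KEY).hexdigest()}}


def scenario() -> dict:
    """Outcome of each check, so the effect of the pin is visible side by side."""
    return {
        "genuine_chain": chain_validates(GENUINE, TRUST_STORE),
        "bogus_chain": chain_validates(BOGUS, TRUST_STORE),          # True: the weak link
        "untrusted_chain": chain_validates(UNTRUSTED, TRUST_STORE),  # False: root not trusted
        "genuine_pinned": pinned_validates(GENUINE, TRUST_STORE, PINS),
        "bogus_pinned": pinned_validates(BOGUS, TRUST_STORE, PINS),  # False: pin rejects it
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:16} {'accepted' if ok else 'rejected'}")
```

The two middle results are the whole argument: `bogus_chain` is accepted because the trust store contains CooperativeCA, exactly as it contains LegitCA, while `bogus_pinned` is rejected because the pin is tied to the site's key rather than to "some trusted root". Pinning trades that protection for operational fragility (key rotation must update the pin), which is why deployments usually pin a small set of keys and keep a backup.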





