NNSquad - Network Neutrality Squad


[ NNSquad ] Surveillance via bogus SSL certificates


----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Wed, 24 Mar 2010 15:34:27 -0400
From: Dave Farber <dave@farber.net>
Subject: [IP] Surveillance via bogus SSL certificates
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>





Begin forwarded message:

> From: Matt Blaze <mab@crypto.com>
> Date: March 24, 2010 3:09:19 PM EDT
> To: Dave Farber <dave@farber.net>
> Subject: Surveillance via bogus SSL certificates
>

> Dave,
>
> For IP if you'd like.
>
> Over a decade ago, I observed that commercial certificate authorities 
> protect you from anyone from whom they are unwilling to take money.  
> That turns out to be wrong; they don't even do that.
>
> Chris Soghoian and Sid Stamm published a paper today that describes a 
> simple "appliance"-type box, marketed to law enforcement and  
> intelligence agencies in the US and elsewhere, that uses bogus  
> certificates issued by *any* cooperative certificate authority to act as 
> a "man-in-the-middle" for encrypted web traffic.
>
> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
>
> What I found most interesting (and surprising) is that this sort of  
> surveillance is widespread enough to support fairly mature, turnkey  
> commercial products.  It carries some significant disadvantages for
> law enforcement -- most particularly it can potentially be
> detected.
>
> I briefly discuss the implications of this kind of surveillance at http://www.crypto.com/blog/spycerts/
>
> Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet-forensics/
>
>
> -matt
>
>
>




----- End forwarded message -----