NNSquad - Network Neutrality Squad
[ NNSquad ] A Certificate Authority "Man-in-the-middle" attack corporate attack in the wild
----- Forwarded message from Dave Farber <dave@farber.net> ----- Date: Tue, 7 Feb 2012 16:55:59 -0500 From: Dave Farber <dave@farber.net> Subject: [IP] Fwd: A Certificate Authority "Man-in-the-middle" attack corporate attack in the wild Reply-To: dave@farber.net To: ip <ip@listbox.com> ---------- Forwarded message ---------- From: "Jim Ausman" <ausman@well.com> Date: Feb 7, 2012 4:49 PM Subject: A Certificate Authority "Man-in-the-middle" attack corporate attack in the wild To: <dave@farber.net> Dave, For IP, if you wish Trustwave, a CA authority, issued a certificate that allowed the owner to issue any valid certificate to facilitate man-in-the-middle attacks on their employees. http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html They say that they used a special hardware container to ensure that this could not be used for anything other than the intended purpose, but this still indicates that a long-suspected weakness in the CA infrastructure is being exploited to eavesdrop on traffic. http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html EFF sent out an alert about the fact that Iran was doing this a few months ago, but this is the first I have heard of a corporation doing it. https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google Cheers, Jim ------------------------------------------- ----- End forwarded message ----- _______________________________________________ nnsquad mailing list http://lists.nnsquad.org/mailman/listinfo/nnsquad