NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information

 


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] A Certificate Authority "Man-in-the-middle" attack corporate attack in the wild


----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Tue, 7 Feb 2012 16:55:59 -0500
From: Dave Farber <dave@farber.net>
Subject: [IP] Fwd: A Certificate Authority "Man-in-the-middle" attack
	corporate attack in the wild
Reply-To: dave@farber.net
To: ip <ip@listbox.com>

---------- Forwarded message ----------
From: "Jim Ausman" <ausman@well.com>
Date: Feb 7, 2012 4:49 PM
Subject: A Certificate Authority "Man-in-the-middle" attack corporate
attack in the wild
To: <dave@farber.net>

Dave,

For IP, if you wish

Trustwave, a CA authority, issued a certificate that allowed the owner
to issue any valid certificate to facilitate man-in-the-middle attacks
on their employees.

http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

They say that they used a special hardware container to ensure that
this could not be used for anything other than the intended purpose,
but this still indicates that a long-suspected weakness in the CA
infrastructure is being exploited to eavesdrop on traffic.

http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

EFF sent out an alert about the fact that Iran was doing this a few
months ago, but this is the first I have heard of a corporation doing
it.

https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

Cheers,
Jim


-------------------------------------------

----- End forwarded message -----
_______________________________________________
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad