Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

30 Mar 2010

      On 03/30/10 07:03, Sarad AV wrote:
...
Hello,
thank you. there was a small typo in the link you posted. it is
http://web.monkeysphere.info/
some questions.
Monkey sphere says:
Everyone who has used a web browser has been interrupted by the "Are you sure
you want to connect?" warning message, which occurs when the browser finds the
site's certificate unacceptable. But web browser vendors (e.g. Microsoft or
Mozilla) should not be responsible for determining whom (or what) the user
trusts to certify the authenticity of a website, or the identity of another
user online. The user herself should have the final say, and designation of
trust should be done on the basis of human interaction. The Monkeysphere
project aims to make that possibility a reality.
will try this out. in the meantime other questions related to browser
certificates
1. How do we know which CA's (root/intermediate) have certified a domain
xyz.com?
2. How do we know the CA trust chain. i.e. who all are the root CA's and who
are the intermediate CA's and which root CA is associated with a given
intermediate CA?
3. Can we make the browser notify us if a domain was certified by an
intermediate CA?
4. Say domain xyz.com is certified by CA 'A' and CA 'B' whose
(root/intermediate) certificates are available in the browser. if i find CA
'B' to be malicious how can i get domain xyz.com certified by CA 'A'?
I have proposed that we strip out ALL outside certificate authorities from an
open source browser, and distribute such... and to practice what I preach, I
just went into FF and nuked the bunch - and whee, I can connect, verify the cert
and login :). The USER - a la monkey sphere - has to decide if she trusts the
Certificate Authority - who the hell are they anyway? And to answer my own
rhetorical question - those that issue the highest TRUST certificates to
licensed scammers a.k.a. the banks. I do not trust a single one of the
recommendations of official CAs. If I am forced, like one has to in this world -
to visit a bank website, I can figure out how much I distrust them all by
myself. All I want to know is "am I visiting the same site again"... and a "self
signed" cert is all I need, "ssh style". And yes, I love the monkeysphere
approach which would add meaningful levels of trust to that choice. And no -
there is no difference in my trust level if the cert says "self signed" or
"fairysign super duper" perhaps the former is better! - at least fairysign
cannot go off and bless the MITM - especially of any sites I run!

The basic error of all these cryptographers is to confound security/encryption
with identity. It is a very costly error to make, especially for the people who
blindly use such technology, and one that history shall record as the thing that
facilitated pervasive surveillance and the thought police [warning you are about
to connect to a secure site!] and rampant electronic fraud - the fraud of
misrepresentation by sleight of hand that bank liabilities are
non-distinguishable from legal tender by the official scammers of this planet -
the second layer of circular fraud piled upon the primary circular fraud of
legal tender.

It is quite a spectacle really.

Cheers,

---Venkat.
...
Thank you,
Sarad.
--- On Thu, 3/25/10, Ted Smith  wrote:
...
From: Ted Smith 
Subject: Re: Fwd: [ PRIVACY Forum ]  Surveillance via bogus SSL
certificates
To: "Sarad AV" , "R.A. Hettinga"

Cc: cypherpunks@al-qaeda.net
Date: Thursday, March 25, 2010, 10:05 PM
More promising (from my point of
view) is killing X.509 and replacing it with OpenPGP, which
is what www.mokeysphere.info is doing.
"Sarad AV" 
wrote:
...
Soghoian says they are releasing a Firefox add-on to
notify users when a
sitebs certificate is issued from an authority in a
different country than
the last certificate the userbs browser accepted from
the site.
If you have any further information on it or any other
countermeasures
implemented, please do keep us in loop. this attack is
upsetting.
Sarad.
--- On Thu, 3/25/10, R.A. Hettinga 
wrote:
...
From: R.A. Hettinga 
Subject: Fwd: [ PRIVACY Forum ]  Surveillance
via bogus SSL certificates
To: cypherpunks@al-qaeda.net
Date: Thursday, March 25, 2010, 2:29 AM
Begin forwarded message:
...
From: privacy@vortex.com
Date: March 24, 2010 3:53:44 PM AST
To: privacy-list@vortex.com
Subject: [ PRIVACY Forum ] Surveillance via
bogus SSL
certificates
----- Forwarded message from Dave Farber

...
Date: Wed, 24 Mar 2010 15:34:27 -0400
From: Dave Farber 
Subject: [IP] Surveillance via bogus SSL
...
Reply-To: dave@farber.net
To: ip 
Begin forwarded message:
...
From: Matt Blaze 
Date: March 24, 2010 3:09:19 PM EDT
To: Dave Farber 
Subject: Surveillance via bogus SSL
certificates
...
Dave,
For IP if you'd like.
Over a decade ago, I observed that
commercial
certificate authorities
protect you from anyone from whom they
are
unwilling to take money.
That turns out to be wrong; they don't
even do
...
...
Chris Soghoian and Sid Stamm published a
...
...
simple "appliance"-type box, marketed to
law
enforcement and
intelligence agencies in the US and
elsewhere,
...
...
certificates issued by *any* cooperative
certificate authority to act as
a "man-in-the-middle" for encrypted web
...
...
Their paper is available at
http://files.cloudprivacy.net/ssl-mitm.pdf
...
What I found most interesting (and
surprising) is
...
...
surveillance is widespread enough to
support
fairly mature, turnkey
commercial products.B  B  It
carries some
significant disadvantages for
law enforcement -- most particularly it
can be
...
...
detected.
I briefly discuss the implications of
certificates
that.
paper
today that describes a
that uses bogus
traffic.
that this sort of
potentially can be
this kind of
surveillance at
http://www.crypto.com/blog/spycerts/
...
...
Also, Wired has a story here:
http://www.wired.com/threatlevel/2010/03/packet-forensics/
...
-matt
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
----- End forwarded message -----

...
...
...
privacy mailing list
http://lists.vortex.com/mailman/listinfo/privacy
--
Sent from my Android phone with K-9. Please excuse lack of
OpenPGP signature and brevity.

Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Rayservers