--- On Tue, 3/30/10, Rayservers <rayservers@gmail.com> wrote:

From: Rayservers <rayservers@gmail.com>
Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
To: "Sarad AV" <jtrjtrjtr2001@yahoo.com>
Cc: cypherpunks@al-qaeda.net, teddks@gmail.com
Date: Tuesday, March 30, 2010, 6:58 PM

On 03/30/10 07:03, Sarad AV wrote:

Hello,

thank you. there was a small typo in the link you posted. it is [...]

[...] some questions.

Monkey sphere says: Everyone who has used a web browser has been interrupted by the "Are you sure you want to connect?" warning message, which occurs when the browser finds the site's certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.

will try this out. in the meantime other questions related to browser certificates

1. How do we know which CA's (root/intermediate) have certified a domain xyz.com?
2. How do we know the CA trust chain, i.e. who all are the root CA's and who are the intermediate CA's, and which root CA is associated with a given intermediate CA?
3. Can we make the browser notify us if a domain was certified by an intermediate CA?
4. Say domain xyz.com is certified by CA 'A' and CA 'B' whose (root/intermediate) certificates are available in the browser. if i find CA 'B' to be malicious how can i get domain xyz.com certified by CA 'A'?

I have proposed that we strip out ALL outside certificate authorities from an open source browser, and distribute such... and to practice what I preach, I just went into FF and nuked the bunch - and whee, I can connect, verify the cert and login :). The USER - a la monkey sphere - has to decide if she trusts the Certificate Authority - who the hell are they anyway? And to answer my own rhetorical question - those that issue the highest TRUST certificates to licensed scammers a.k.a. the banks. I do not trust a single one of the recommendations of official CAs. If I am forced, like one has to in this world - to visit a bank website, I can figure out how much I distrust them all by myself. All I want to know is "am I visiting the same site again"... and a "self signed" cert is all I need, "ssh style". And yes, I love the monkeysphere approach which would add meaningful levels of trust to that choice. And no - there is no difference in my trust level if the cert says "self signed" or "fairysign super duper" - perhaps the former is better! - at least fairysign cannot go off and bless the MITM - especially of any sites I run!

Yes, that is a good idea. Thanks, Sarad.

The basic error of all these cryptographers is to confound security/encryption with identity. It is a very costly error to make, especially for the people who blindly use such technology, and one that history shall record as the thing that facilitated pervasive surveillance and the thought police [warning you are about to connect to a secure site!] and rampant electronic fraud - the fraud of misrepresentation by sleight of hand that bank liabilities are non-distinguishable from legal tender by the official scammers of this planet - the second layer of circular fraud piled upon the primary circular fraud of legal tender.

It is quite a spectacle really.

Cheers,
---Venkat.

Thank you, Sarad.
--- On Thu, 3/25/10, Ted Smith <teddks@gmail.com> wrote:

From: Ted Smith <teddks@gmail.com>
Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
To: "Sarad AV" <jtrjtrjtr2001@yahoo.com>, "R.A. Hettinga" <rah@shipwright.com>
Cc: cypherpunks@al-qaeda.net
Date: Thursday, March 25, 2010, 10:05 PM

More promising (from my point of view) is killing X.509 and replacing it with OpenPGP, which is what www.mokeysphere.info is doing.

"Sarad AV" <jtrjtrjtr2001@yahoo.com> wrote:

Soghoian says they are releasing a Firefox add-on to notify users when a site's certificate is issued from an authority in a different country than the last certificate the user's browser accepted from the site.

If you have any further information on it or any other countermeasures implemented, please do keep us in loop. this attack is upsetting.

Sarad.

--- On Thu, 3/25/10, R.A. Hettinga <rah@shipwright.com> wrote:

From: R.A. Hettinga <rah@shipwright.com>
Subject: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
To: cypherpunks@al-qaeda.net
Date: Thursday, March 25, 2010, 2:29 AM

Begin forwarded message:

From: privacy@vortex.com
Date: March 24, 2010 3:53:44 PM AST
To: privacy-list@vortex.com
Subject: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Wed, 24 Mar 2010 15:34:27 -0400
From: Dave Farber <dave@farber.net>
Subject: [IP] Surveillance via bogus SSL certificates
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>

Begin forwarded message:

> From: Matt Blaze <mab@crypto.com>
> Date: March 24, 2010 3:09:19 PM EDT
> To: Dave Farber <dave@farber.net>
> Subject: Surveillance via bogus SSL certificates
>
> Dave,
>
> For IP if you'd like.
>
> Over a decade ago, I observed commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that.
>
> Chris Soghoian and Sid Stamm [...] today that they published a particularly [...] paper that describes a simple "appliance"-type box, marketed to law enforcement and intelligence agencies in the US and elsewhere, that uses bogus certificates issued by *any* cooperative certificate authority to act as a "man-in-the-middle" for encrypted web traffic.
>
> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
>
> What I found most interesting (and surprising) is that this sort of surveillance is widespread enough to support fairly mature, turnkey commercial products. It carries some significant disadvantages for law enforcement -- most [...] it potentially can be detected.
>
> I briefly discuss the implications of this kind of surveillance at http://www.crypto.com/blog/spycerts/
>
> Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet-forensics/
>
> -matt

----- End forwarded message -----

--
Sent from my Android phone with K-9. Please excuse lack of OpenPGP signature and brevity.
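An added Go illustration of the mechanisms this thread argues about, written for this page and not code from anyone in it: walking a certificate chain to see which root and intermediate CAs certified a name and whether it ends at a root the browser keeps (Sarad's questions 1 to 4, and Rayservers' stripped-down root store), plus the ssh-style "am I visiting the same site again" pin with the issuer-country signal Sarad attributes to the Soghoian/Stamm add-on. It uses only the Go standard library (Go 1.18 or later for the generic helper). The CA names, the host bank.example, the country code XX and the verdict strings are constructed for the demo, and the minimal certificate profile (P-256 keys, one-day validity) is an assumption, not any real CA's practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a certificate for subj with parentKey (parent == nil: self-signed). Keys are throwaway
// P-256 keys generated in memory: constructed demo data that stands in for no real CA.
func issue(serial int64, subj pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subj, BasicConstraintsValid: true, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{subj.CommonName}, // host name lives in the SAN
	}
	if isCA { // a CA signs certificates and names no host
		tmpl.KeyUsage, tmpl.DNSNames = tmpl.KeyUsage|x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildDemo: the legitimate root -> intermediate -> leaf chain (C=US) for the constructed name
// bank.example, plus a leaf for the same name issued directly by an unrelated root in the constructed country XX.
func BuildDemo() (legit, other []*x509.Certificate) {
	name := func(cn, c string) pkix.Name { return pkix.Name{CommonName: cn, Country: []string{c}} }
	root, rootKey := issue(1, name("Good Root CA", "US"), true, nil, nil)
	inter, interKey := issue(2, name("Good Issuing CA", "US"), true, root, rootKey)
	leaf, _ := issue(3, name("bank.example", "US"), false, inter, interKey)
	xroot, xrootKey := issue(4, name("Other Root CA", "XX"), true, nil, nil)
	xleaf, _ := issue(5, name("bank.example", "US"), false, xroot, xrootKey)
	return []*x509.Certificate{leaf, inter, root}, []*x509.Certificate{xleaf, xroot}
}

// Inspect answers questions 1-4: label each certificate leaf / intermediate / root, insist every link is
// genuinely signed by the next one up (a chain ending at an intermediate fails), then ask whether the chain
// ends at a root this browser keeps; drop a CA from the pool (Rayservers' "nuked the bunch") and its certs fail.
func Inspect(roots *x509.CertPool, host string, chain []*x509.Certificate) ([]string, error) {
	roles, inters := make([]string, len(chain)), x509.NewCertPool()
	for i, c := range chain {
		parent := c // the last certificate must verify against itself, i.e. be a self-signed root
		if i+1 < len(chain) {
			parent = chain[i+1]
		}
		switch {
		case c.CheckSignatureFrom(parent) != nil:
			return nil, fmt.Errorf("cert %d %q is not signed by %q", i, c.Subject.CommonName, parent.Subject.CommonName)
		case i == 0:
			roles[i] = "leaf"
		case parent == c:
			roles[i] = "root"
		default:
			roles[i] = "intermediate"
			inters.AddCert(c)
		}
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return roles, err
}

// Observation is an ssh-style pin: the leaf's SHA-256 fingerprint plus the issuing CA's country, the signal
// Sarad says the Soghoian/Stamm add-on watches. Check records a host on first sight and then reports whether
// later leaves match; a pin is never overwritten here, because re-trusting is the user's call.
type Observation struct{ Fingerprint, IssuerCountry string }
func Check(store map[string]Observation, host string, chain []*x509.Certificate) string {
	now := Observation{fmt.Sprintf("%x", sha256.Sum256(chain[0].Raw)), strings.Join(chain[0].Issuer.Country, ",")}
	prev, seen := store[host]
	if !seen {
		store[host] = now
		return "first-seen"
	}
	if prev == now {
		return "unchanged"
	}
	return "ALERT: certificate changed, issuer country " + prev.IssuerCountry + " -> " + now.IssuerCountry
}

func main() {
	legit, other := BuildDemo()
	roots, store := x509.NewCertPool(), map[string]Observation{}
	roots.AddCert(legit[2]) // the only root this browser keeps
	fmt.Println(Inspect(roots, "bank.example", legit))
	fmt.Println(Inspect(roots, "bank.example", other))
	fmt.Println(Check(store, "bank.example", legit), Check(store, "bank.example", legit), Check(store, "bank.example", other))
}
```

The second chain is only rejected by Inspect because its root is absent from the pool; the signatures on it are perfectly valid, which is the whole point of the Soghoian/Stamm paper. Check catches the same substitution from the other direction, with no CA list at all, by remembering what the host looked like last time; a browser add-on would persist the store on disk and ask the user instead of returning a string.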