Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
Begin forwarded message:
From: privacy@vortex.com
Date: March 24, 2010 3:53:44 PM AST
To: privacy-list@vortex.com
Subject: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
----- Forwarded message from Dave Farber <dave@farber.net> -----
Date: Wed, 24 Mar 2010 15:34:27 -0400
From: Dave Farber <dave@farber.net>
Subject: [IP] Surveillance via bogus SSL certificates
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>
Begin forwarded message:
From: Matt Blaze <mab@crypto.com>
Date: March 24, 2010 3:09:19 PM EDT
To: Dave Farber <dave@farber.net>
Subject: Surveillance via bogus SSL certificates
Dave,
For IP if you'd like.
Over a decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that.
Chris Soghoian and Sid Stamm published a paper today that describes a simple "appliance"-type box, marketed to law enforcement and intelligence agencies in the US and elsewhere, that uses bogus certificates issued by *any* cooperative certificate authority to act as a "man-in-the-middle" for encrypted web traffic.
Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
What I found most interesting (and surprising) is that this sort of surveillance is widespread enough to support fairly mature, turnkey commercial products. It carries some significant disadvantages for law enforcement -- most particularly, it can potentially be detected.
I briefly discuss the implications of this kind of surveillance at http://www.crypto.com/blog/spycerts/
Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet-forensics/
-matt
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
----- End forwarded message -----
_______________________________________________
privacy mailing list
http://lists.vortex.com/mailman/listinfo/privacy
Soghoian says they are releasing a Firefox add-on to notify users when a site's certificate is issued from an authority in a different country than the last certificate the user's browser accepted from the site. If you have any further information on it or any other countermeasures implemented, please do keep us in the loop. This attack is upsetting.
Sarad.
--- On Thu, 3/25/10, R.A. Hettinga <rah@shipwright.com> wrote:
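The check Sarad describes, and the detection opportunity Matt Blaze alludes to, can be modelled in a few lines. The following is an added example written for this archive page; it is not the Firefox add-on, nor code from the Soghoian/Stamm paper. It assumes the client has already extracted the host name, the issuing CA's O= and C= subject attributes and a leaf-certificate fingerprint from the presented chain (all values below are constructed). It goes one step beyond the add-on as described: a change of issuing organisation within the same country is reported at "info" level, while a change of issuing country is reported as a "warning".

```python
"""Issuer-country change detector for accepted TLS server certificates.

Hypothetical example (not the add-on described in the thread, not the
paper's code). Trust-on-first-use: remember the last certificate the
client accepted for each host, then compare later certificates for that
host against it. Certificate records are constructed in-line.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertObservation:
    host: str
    issuer_org: str      # O= attribute of the issuing CA's subject
    issuer_country: str  # C= attribute of the issuing CA's subject
    fingerprint: str     # hex SHA-256 of the leaf certificate (constructed here)


@dataclass(frozen=True)
class Alert:
    host: str
    severity: str        # "warning" (country changed) or "info" (org changed)
    reason: str
    previous_issuer: str
    current_issuer: str


def _label(cert: CertObservation) -> str:
    return f"{cert.issuer_org} ({cert.issuer_country})"


class IssuerCountryMonitor:
    """Keeps the last accepted certificate per host and flags issuer changes."""

    def __init__(self) -> None:
        self._last: Dict[str, CertObservation] = {}

    def observe(self, cert: CertObservation) -> Optional[Alert]:
        prev = self._last.get(cert.host)
        self._last[cert.host] = cert
        if prev is None:
            # First certificate ever seen for this host: nothing to compare.
            return None
        if prev.fingerprint == cert.fingerprint:
            # Identical certificate presented again: no change.
            return None
        if prev.issuer_country != cert.issuer_country:
            return Alert(cert.host, "warning", "issuer country changed",
                         _label(prev), _label(cert))
        if prev.issuer_org != cert.issuer_org:
            return Alert(cert.host, "info",
                         "issuer organization changed within the same country",
                         _label(prev), _label(cert))
        # Routine renewal from the same CA: new fingerprint, same issuer.
        return None


def run_constructed_session() -> List[Alert]:
    """Feeds a constructed sequence of observations through the monitor."""
    monitor = IssuerCountryMonitor()
    observations = [
        # First contact, then the same certificate again, then a renewal.
        CertObservation("example.com", "Example Trust Services", "US", "a1" * 32),
        CertObservation("example.com", "Example Trust Services", "US", "a1" * 32),
        CertObservation("example.com", "Example Trust Services", "US", "b2" * 32),
        # Different CA, same country: reported, but only as informational.
        CertObservation("example.com", "Other Domestic CA", "US", "c3" * 32),
        # CA from another country: the condition the add-on is said to flag.
        CertObservation("example.com", "Regional Root CA", "XX", "d4" * 32),
        # A host seen for the first time never alerts, whoever issued it.
        CertObservation("other.example", "Regional Root CA", "XX", "e5" * 32),
    ]
    return [a for a in (monitor.observe(o) for o in observations) if a is not None]


if __name__ == "__main__":
    for alert in run_constructed_session():
        print(f"[{alert.severity}] {alert.host}: {alert.reason} "
              f"({alert.previous_issuer} -> {alert.current_issuer})")
```

Two caveats follow directly from Blaze's message. A country-based check says nothing about a bogus certificate obtained from a cooperative CA in the same country as the site's usual issuer, which is exactly the "any cooperative certificate authority" case he describes; only the "info" path above even notices it, and legitimate CA switches produce the same signal. And the check is silent on the first visit to a host, so it protects established relationships, not new ones.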