Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
V. Alex Brennen
alexbrennen at gmail.com
Tue Apr 6 19:07:11 PDT 2010
Aside from a man-in-the-middle attack, it's highly possible that
browser developers are not doing a very good job of managing and
auditing the root CA certificates that they ship included with the
browser releases. Further, it's possible that CAs aren't doing a
good job of keeping track of what certificates they submit to browser
developers.
Take a look at this discussion:
http://bit.ly/a7b04A
After reading that discussion, I'd be much less surprised to hear that
a bogus root CA certificate, even one that fraudulently identified its
source as a major trusted CA, was included in a series of browser
releases from at least one of the major developers.
- VAB
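A defensive check in the spirit of the post, added here as an example that is not part of the original message or of any browser vendor's code: it audits a set of root certificates for a subject name carried by more than one public key, and for roots whose self-signature does not verify with the key they carry, which is what a root that borrows an established CA's name would look like. The Go helper `newRoot`, the "Example CA" names and the generated keys are constructed test data, not real CAs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AuditRoots flags a subject name that appears with more than one public key, and
// any root whose self-signature fails with the key it carries (a borrowed name).
func AuditRoots(roots ...*x509.Certificate) []string {
	var findings []string
	keysBySubject := map[string]map[string]bool{} // subject DN -> set of SPKIs
	for _, c := range roots {
		subj := c.Subject.String()
		if keysBySubject[subj] == nil {
			keysBySubject[subj] = map[string]bool{}
		}
		keysBySubject[subj][string(c.RawSubjectPublicKeyInfo)] = true
		if c.CheckSignatureFrom(c) != nil { // verify the signature with the cert's own key
			findings = append(findings, "bad self-signature: "+subj)
		}
	}
	for subj, keys := range keysBySubject {
		if len(keys) > 1 {
			findings = append(findings, "multiple keys claim "+subj)
		}
	}
	return findings
}

// newRoot builds a constructed self-issued root (test data); a nil signer means self-signed.
func newRoot(org string, signer ed25519.PrivateKey) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if signer == nil {
		signer = key
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}
```

Passing a non-nil signer to `newRoot` yields a certificate that names one organization but was signed by an unrelated key; in a real audit the inputs would be the roots parsed out of the browser's shipped trust store rather than generated ones.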