Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Sarad AV jtrjtrjtr2001 at yahoo.com
Fri Apr 9 22:07:02 PDT 2010


My bad, I meant disable/remove the certificate from the browser and not
'revoke' as such.

Also curious, what is the browser's audit mechanism for the CA? What safeguards
does the audit provide end users like us against malicious CAs, and how is the
audit carried out?

Is a non-disclosure agreement signed between the browser and the CA?

Doesn't the following attack model also work? Say we have a rogue
intermediate CA X (trusted by the browser) itself issuing a certificate to
BankofA.com. Note: BankofA.com never requested this certificate from CA X.
BankofA has its legitimate certificate issued by (say, for example) Verisign.
Now, say that it is possible to carry out a MITM attack at the end user's (bank's
client's) ISP.

When the end user opens BankofA.com in the browser, with the MITM in place,
the fake certificate issued by CA X will be presented to the end user. The end
user's browser trusts CA X and no red flags are raised. If any monetary
transactions are carried out, all the money can be funneled out.


Thank you,
Sarad AV

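The attack model in the post above, as an added example that is not part of the original message: a toy model (plain dicts and HMAC tags standing in for X.509 and real signatures) of why a browser's default policy accepts a certificate for the bank from any trusted CA, and how a public-key pin learned on an earlier, clean connection rejects the mis-issued one. The CA names, key bytes and the hostname are constructed for this example.

```python
"""Toy model: default browser trust vs. public-key pinning.

Certificates are dicts and "signatures" are HMAC-SHA256 tags keyed with a
per-CA secret (a toy stand-in for real X.509 signatures). Every name and
key below is constructed for this example.
"""
import hashlib
import hmac

# Constructed trust store: both CAs are trusted by the browser, as in the post.
CA_KEYS = {
    "Legit CA": b"legit-ca-secret-key",
    "CA X (rogue intermediate)": b"rogue-ca-secret-key",
}
TRUST_STORE = set(CA_KEYS)


def spki_hash(public_key: bytes) -> str:
    """Fingerprint of the subject public key; this is what a pin compares."""
    return hashlib.sha256(public_key).hexdigest()


def issue(ca_name: str, subject: str, public_key: bytes) -> dict:
    """CA signs (subject, public key, issuer). Nothing in the protocol stops a
    rogue CA from signing a name whose owner never asked for a certificate."""
    tbs = f"{subject}|{public_key.hex()}|{ca_name}".encode()
    sig = hmac.new(CA_KEYS[ca_name], tbs, hashlib.sha256).hexdigest()
    return {"subject": subject, "spki": public_key, "issuer": ca_name, "sig": sig}


def browser_validates(cert: dict, hostname: str) -> bool:
    """Default policy: any trusted issuer, valid signature, matching name."""
    if cert["issuer"] not in TRUST_STORE or cert["subject"] != hostname:
        return False
    tbs = f"{cert['subject']}|{cert['spki'].hex()}|{cert['issuer']}".encode()
    expected = hmac.new(CA_KEYS[cert["issuer"]], tbs, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def pinned_validates(cert: dict, hostname: str, pinned_spki: str) -> bool:
    """Pinning: normal validation plus the leaf key must match a fingerprint
    the client remembered from an earlier clean visit (or a preloaded list)."""
    return browser_validates(cert, hostname) and spki_hash(cert["spki"]) == pinned_spki


# Constructed scenario from the post: the bank's real cert and a mis-issued one
# presented by the man in the middle, each chaining to a trusted CA.
BANK = "bankofa.example"
BANK_KEY = b"bank-real-public-key"
MITM_KEY = b"attacker-public-key"
LEGIT_CERT = issue("Legit CA", BANK, BANK_KEY)
ROGUE_CERT = issue("CA X (rogue intermediate)", BANK, MITM_KEY)
PIN = spki_hash(BANK_KEY)  # remembered by the client before the MITM existed


def scenario() -> dict:
    """Outcome of each validation policy against each certificate."""
    return {
        "legit_default": browser_validates(LEGIT_CERT, BANK),
        "rogue_default": browser_validates(ROGUE_CERT, BANK),
        "legit_pinned": pinned_validates(LEGIT_CERT, BANK, PIN),
        "rogue_pinned": pinned_validates(ROGUE_CERT, BANK, PIN),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The default policy accepts both certificates, which is the "no red flags" outcome in the post; only the pin distinguishes the two, and a forged signature or a name mismatch is rejected by both policies. Real pinning (per-host key pins, or a narrower trust store for a specific application) is the equivalent of the `PIN` check here.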

> From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> To: alexbrennen at gmail.com, jtrjtrjtr2001 at yahoo.com
> Cc: cypherpunks at al-qaeda.net
> Date: Saturday, April 10, 2010, 5:14 AM
> Sarad AV <jtrjtrjtr2001 at yahoo.com> writes:
>
> >i also wonder what the browser policy for major browsers are when a root CA
> >company is acquired by another company. Is trust automatically transferred to
> >the new company?
>
> Yes.  When your CA goes bankrupt its only significant asset is often the root
> CA cert(s) it owns, which get onsold to the highest bidder by the receivers.
> This has occurred numerous times in the past, and some roots have been onsold
> multiple times, since it's both a means of monetising the CA's remaining
> assets and (usually) the cheapest way for a new CA to get their own cert.
>
> >Will the browser keep or revoke these certificates?
>
> Keep.
>
> (I'm not sure whether the browser vendor will even know if it's been on-sold,
> or how the vendor is supposed to know unless the new owner volunteers the
> information.  Also you can't really "revoke" a root, and the browser vendors
> certainly can't do it, the best they can do is disable/remove it in the next
> release).
>
> Peter.
