Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

R.A. Hettinga rah at shipwright.com
Wed Mar 24 13:59:00 PDT 2010


Begin forwarded message:

> From: privacy at vortex.com
> Date: March 24, 2010 3:53:44 PM AST
> To: privacy-list at vortex.com
> Subject: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
>
>
>
> ----- Forwarded message from Dave Farber <dave at farber.net> -----
>
> Date: Wed, 24 Mar 2010 15:34:27 -0400
> From: Dave Farber <dave at farber.net>
> Subject: [IP] Surveillance via bogus SSL certificates
> Reply-To: dave at farber.net
> To: ip <ip at v2.listbox.com>
>
>
>
>
>
> Begin forwarded message:
>
>> From: Matt Blaze <mab at crypto.com>
>> Date: March 24, 2010 3:09:19 PM EDT
>> To: Dave Farber <dave at farber.net>
>> Subject: Surveillance via bogus SSL certificates
>>
>
>> Dave,
>>
>> For IP if you'd like.
>>
>> Over a decade ago, I observed that commercial certificate authorities
>> protect you from anyone from whom they are unwilling to take money.
>> That turns out to be wrong; they don't even do that.
>>
>> Chris Soghoian and Sid Stamm published a paper today that describes a
>> simple "appliance"-type box, marketed to law enforcement and
>> intelligence agencies in the US and elsewhere, that uses bogus
>> certificates issued by *any* cooperative certificate authority to act as
>> a "man-in-the-middle" for encrypted web traffic.
>>
>> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
>>
>> What I found most interesting (and surprising) is that this sort of
>> surveillance is widespread enough to support fairly mature, turnkey
>> commercial products.  It carries some significant disadvantages for
>> law enforcement -- most particularly it can potentially be
>> detected.
>>
>> I briefly discuss the implications of this kind of surveillance at
>> http://www.crypto.com/blog/spycerts/
>>
>> Also, Wired has a story here:
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>>
>>
>> -matt
>>
>>
>>
>
>
>
> ----- End forwarded message -----




