Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Sarad AV jtrjtrjtr2001 at yahoo.com
Thu Mar 25 04:33:22 PDT 2010


Soghoian says they are releasing a Firefox add-on to notify users when a
site's certificate is issued from an authority in a different country than
the last certificate the user's browser accepted from the site.


If you have any further information on it or any other countermeasures
implemented, please do keep us in the loop. This attack is upsetting.

Sarad.

--- On Thu, 3/25/10, R.A. Hettinga <rah at shipwright.com> wrote:

> From: R.A. Hettinga <rah at shipwright.com>
> Subject: Fwd: [ PRIVACY Forum ]  Surveillance via bogus SSL certificates
> To: cypherpunks at al-qaeda.net
> Date: Thursday, March 25, 2010, 2:29 AM
> Begin forwarded message:
>
> > From: privacy at vortex.com
> > Date: March 24, 2010 3:53:44 PM AST
> > To: privacy-list at vortex.com
> > Subject: [ PRIVACY Forum ] Surveillance via bogus SSL
> certificates
> >
> >
> >
> > ----- Forwarded message from Dave Farber <dave at farber.net>
> -----
> >
> > Date: Wed, 24 Mar 2010 15:34:27 -0400
> > From: Dave Farber <dave at farber.net>
> > Subject: [IP] Surveillance via bogus SSL certificates
> > Reply-To: dave at farber.net
> > To: ip <ip at v2.listbox.com>
> >
> >
> >
> >
> >
> > Begin forwarded message:
> >
> >> From: Matt Blaze <mab at crypto.com>
> >> Date: March 24, 2010 3:09:19 PM EDT
> >> To: Dave Farber <dave at farber.net>
> >> Subject: Surveillance via bogus SSL certificates
> >>
> >
> >> Dave,
> >>
> >> For IP if you'd like.
> >>
> >> Over a decade ago, I observed that commercial
> certificate authorities
> >> protect you from anyone from whom they are
> unwilling to take money.
> >> That turns out to be wrong; they don't even do
> that.
> >>
> >> Chris Soghoian and Sid Stamm published a paper
> today that describes a
> >> simple "appliance"-type box, marketed to law
> enforcement and
> >> intelligence agencies in the US and elsewhere,
> that uses bogus
> >> certificates issued by *any* cooperative
> certificate authority to act as
> >> a "man-in-the-middle" for encrypted web traffic.
> >>
> >> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
> >>
> >> What I found most interesting (and surprising) is
> that this sort of
> >> surveillance is widespread enough to support
> fairly mature, turnkey
> >> commercial products.  It carries some
> significant disadvantages for
> >> law enforcement -- most particularly, it can potentially be
> >> detected.
> >>
> >> I briefly discuss the implications of this kind of
> surveillance at
> http://www.crypto.com/blog/spycerts/
> >>
> >> Also, Wired has a story here:
> http://www.wired.com/threatlevel/2010/03/packet-forensics/
> >>
> >>
> >> -matt
> >>
> >>
> >>
> >
> >
> >
> > -------------------------------------------
> > Archives: https://www.listbox.com/member/archive/247/=now
> > RSS Feed: https://www.listbox.com/member/archive/rss/247/
> > Powered by Listbox: http://www.listbox.com
> >
> > ----- End forwarded message -----
> > _______________________________________________
> > privacy mailing list
> > http://lists.vortex.com/mailman/listinfo/privacy
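The country-change heuristic described at the top of this message (warn when a site's certificate comes from a CA in a different country than the last one the browser accepted for that site), written out as an added example. This is not the add-on's own code and not from the Soghoian/Stamm paper; the issuer DN strings, the hostname and the in-memory Map store are constructed for illustration, and a real extension would read the issuer from the browser's certificate API instead.

```javascript
// Added example, not the add-on described in the message above: a minimal
// CertLock-style heuristic that remembers, per hostname, the country (C=)
// of the CA that issued the last certificate the browser accepted, and
// flags a change of country. Certificates here are constructed sample
// records {issuer: "<DN string>"}; the store is an in-memory Map.

// Parse an RFC 4514-style DN ("C=US, O=Example CA, CN=Example CA") into an
// object keyed by attribute type. Backslash-escaped commas stay in the value.
function parseDN(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += dn[++i];          // escaped character: keep it literally
    } else if (ch === ",") {
      rdns.push(cur);          // unescaped comma separates RDNs
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  const attrs = {};
  for (const rdn of rdns) {
    const eq = rdn.indexOf("=");
    if (eq < 0) continue;
    const type = rdn.slice(0, eq).trim().toUpperCase();
    const value = rdn.slice(eq + 1).trim();
    if (!(type in attrs)) attrs[type] = value;   // first occurrence wins
  }
  return attrs;
}

// Compare the issuer of a newly presented certificate with what the store
// remembers for this hostname. On a country change the store is left alone,
// so the old record survives until the user decides whether to accept.
function checkIssuerCountry(store, hostname, cert) {
  const issuer = parseDN(cert.issuer);
  const country = issuer.C || null;
  const prev = store.get(hostname);
  let verdict;
  if (!prev) {
    verdict = "first-seen";
  } else if (!country || !prev.country) {
    verdict = "unknown-country";   // issuer without C=: nothing to compare
  } else if (country === prev.country) {
    verdict = "same-country";
  } else {
    verdict = "country-changed";   // the case the add-on would warn about
  }
  if (verdict !== "country-changed") {
    store.set(hostname, { country, org: issuer.O || null });
  }
  return { verdict, country, previous: prev ? prev.country : null, org: issuer.O || null };
}

// Record a certificate the user explicitly accepted after a warning.
function acceptCertificate(store, hostname, cert) {
  const issuer = parseDN(cert.issuer);
  store.set(hostname, { country: issuer.C || null, org: issuer.O || null });
}

// Walk three constructed visits to one site and return the verdicts:
// first visit, a repeat from the same CA, then a certificate from a CA in
// another country (the MITM pattern the paper describes).
function demo() {
  const store = new Map();
  const host = "www.example.com";   // reserved example name, constructed
  const visits = [
    { issuer: "C=US, O=Example CA Inc, CN=Example CA Root" },
    { issuer: "C=US, O=Example CA Inc, CN=Example CA Root" },
    { issuer: "C=NL, O=Example Authority, CN=Example Authority Root" },
  ];
  return visits.map((cert) => checkIssuerCountry(store, host, cert));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) console.log(r.verdict, r.previous, "->", r.country);
}
```

The check is deliberately narrow: it compares only the issuer's C= attribute, so a bogus certificate obtained from a CA in the same country as the site's usual CA produces "same-country" and is not flagged, and a site that legitimately moves between CAs in different countries produces a false warning. That is the trade-off of a purely client-side, memory-based heuristic with no out-of-band source of truth.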
More information about the cypherpunks-legacy mailing list