Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Ted Smith teddks at gmail.com
Thu Mar 25 09:35:56 PDT 2010


More promising (from my point of view) is killing X.509 and replacing it with OpenPGP, which is what www.mokeysphere.info is doing.

"Sarad AV" <jtrjtrjtr2001 at yahoo.com> wrote:

>Soghoian says they are releasing a Firefox add-on to notify users when a
>site's certificate is issued from an authority in a different country than
>the last certificate the user's browser accepted from the site.
>
>
>If you have any further information on it or any other countermeasures
>implemented, please do keep us in the loop. This attack is upsetting.
>
>Sarad.
>
>--- On Thu, 3/25/10, R.A. Hettinga <rah at shipwright.com> wrote:
>
>> From: R.A. Hettinga <rah at shipwright.com>
>> Subject: Fwd: [ PRIVACY Forum ]  Surveillance via bogus SSL certificates
>> To: cypherpunks at al-qaeda.net
>> Date: Thursday, March 25, 2010, 2:29 AM
>> Begin forwarded message:
>>
>> > From: privacy at vortex.com
>> > Date: March 24, 2010 3:53:44 PM AST
>> > To: privacy-list at vortex.com
>> > Subject: [ PRIVACY Forum ] Surveillance via bogus SSL
>> certificates
>> >
>> >
>> >
>> > ----- Forwarded message from Dave Farber <dave at farber.net>
>> -----
>> >
>> > Date: Wed, 24 Mar 2010 15:34:27 -0400
>> > From: Dave Farber <dave at farber.net>
>> > Subject: [IP] Surveillance via bogus SSL certificates
>> > Reply-To: dave at farber.net
>> > To: ip <ip at v2.listbox.com>
>> >
>> >
>> >
>> >
>> >
>> > Begin forwarded message:
>> >
>> >> From: Matt Blaze <mab at crypto.com>
>> >> Date: March 24, 2010 3:09:19 PM EDT
>> >> To: Dave Farber <dave at farber.net>
>> >> Subject: Surveillance via bogus SSL certificates
>> >>
>> >
>> >> Dave,
>> >>
>> >> For IP if you'd like.
>> >>
>> >> Over a decade ago, I observed that commercial
>> certificate authorities
>> >> protect you from anyone from whom they are
>> unwilling to take money.
>> >> That turns out to be wrong; they don't even do
>> that.
>> >>
>> >> Chris Soghoian and Sid Stamm published a paper
>> today that describes a
>> >> simple "appliance"-type box, marketed to law
>> enforcement and
>> >> intelligence agencies in the US and elsewhere,
>> that uses bogus
>> >> certificates issued by *any* cooperative
>> certificate authority to act as
>> >> a "man-in-the-middle" for encrypted web traffic.
>> >>
>> >> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
>> >>
>> >> What I found most interesting (and surprising) is
>> that this sort of
>> >> surveillance is widespread enough to support
>> fairly mature, turnkey
>> >> commercial products.  It carries some
>> significant disadvantages for
>> >> law enforcement -- most particularly it can
>> potentially be
>> detected.
>> >>
>> >> I briefly discuss the implications of this kind of
>> surveillance at
>> http://www.crypto.com/blog/spycerts/
>> >>
>> >> Also, Wired has a story here:
>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
>> >>
>> >>
>> >> -matt
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> >
>> > ----- End forwarded message -----

--
Sent from my Android phone with K-9. Please excuse lack of OpenPGP signature and brevity.
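The country-change check Sarad describes above, written out as an added example (this is not the Soghoian/Stamm add-on's code): keep a per-host record of the last accepted certificate, and when a different certificate shows up, compare the C= attribute of the old and new issuer DNs. All hostnames, issuer names and fingerprints below are constructed. The sample run also shows the heuristic's blind spot: a new certificate from a different CA in the same country is accepted silently.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN string ('CN=Foo, O=Bar\\, Inc., C=US') into
    a dict keyed by upper-cased attribute type. Backslash-escaped commas stay
    inside the value; a repeated attribute keeps its first occurrence."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), value.strip())
    return attrs


@dataclass(frozen=True)
class CertObservation:
    host: str
    issuer_dn: str
    fingerprint: str  # SHA-256 of the DER certificate, hex (constructed below)


class CertLock:
    """Remember the last certificate accepted for each host and warn when a
    replacement certificate was issued by a CA in a different country."""

    def __init__(self) -> None:
        self.last_accepted: Dict[str, CertObservation] = {}

    def observe(self, obs: CertObservation) -> Optional[str]:
        prev = self.last_accepted.get(obs.host)
        if prev is None:
            # First contact: nothing to compare against, so remember it (trust on first use).
            self.last_accepted[obs.host] = obs
            return None
        if prev.fingerprint == obs.fingerprint:
            return None  # same certificate as last time
        old_c = parse_dn(prev.issuer_dn).get("C", "?")
        new_c = parse_dn(obs.issuer_dn).get("C", "?")
        if old_c == new_c:
            # Different certificate, same CA country: a renewal or CA switch.
            # The heuristic does not flag this, even if the new issuer is hostile.
            self.last_accepted[obs.host] = obs
            return None
        # Country changed: keep the old baseline until the user explicitly accepts.
        return (f"{obs.host}: issuing CA country changed {old_c} -> {new_c} "
                f"(was '{prev.issuer_dn}', now '{obs.issuer_dn}')")

    def accept(self, obs: CertObservation) -> None:
        """User chose to proceed despite the warning: this becomes the new baseline."""
        self.last_accepted[obs.host] = obs


# Constructed observations; none of these are real certificates or fingerprints.
SAMPLE_OBSERVATIONS = [
    CertObservation("www.example.com", "CN=Example Root CA, O=Example Trust, C=US", "aa" * 32),
    CertObservation("www.example.com", "CN=Example Root CA, O=Example Trust, C=US", "aa" * 32),
    CertObservation("www.example.com", "CN=Other Public CA, O=Other\\, Inc., C=US", "bb" * 32),
    CertObservation("www.example.com", "CN=Cooperative CA, O=Appliance Vendor Customer, C=DE", "cc" * 32),
    CertObservation("mail.example.net", "CN=Cooperative CA, O=Appliance Vendor Customer, C=DE", "dd" * 32),
]


def run_demo(observations=SAMPLE_OBSERVATIONS) -> List[str]:
    """Feed the observations through one CertLock instance; return the alerts raised."""
    lock = CertLock()
    alerts: List[str] = []
    for obs in observations:
        alert = lock.observe(obs)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Only the fourth observation raises an alert: the third (a different US-based CA) and the fifth (a first contact with a new host) pass without comment, which is exactly the gap an interception box using a CA in the victim's own country would slip through.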
