Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Sarad AV jtrjtrjtr2001 at yahoo.com
Tue Mar 30 00:03:28 PDT 2010


Hello,

Thank you. There was a small typo in the link you posted. It is

http://web.monkeysphere.info/

Some questions.

Monkeysphere says:
Everyone who has used a web browser has been interrupted by the "Are you sure
you want to connect?" warning message, which occurs when the browser finds the
site's certificate unacceptable. But web browser vendors (e.g. Microsoft or
Mozilla) should not be responsible for determining whom (or what) the user
trusts to certify the authenticity of a website, or the identity of another
user online. The user herself should have the final say, and designation of
trust should be done on the basis of human interaction. The Monkeysphere
project aims to make that possibility a reality.


Will try this out. In the meantime, other questions related to browser
certificates:

1. How do we know which CAs (root/intermediate) have certified a domain
xyz.com?

2. How do we know the CA trust chain, i.e. who all the root CAs are, who
the intermediate CAs are, and which root CA is associated with a given
intermediate CA?

3. Can we make the browser notify us if a domain was certified by an
intermediate CA?

4. Say domain xyz.com is certified by CA 'A' and CA 'B', whose
(root/intermediate) certificates are available in the browser. If I find CA
'B' to be malicious, how can I get domain xyz.com certified by CA 'A'?


Thank you,
Sarad.

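Questions 1 to 3 above, worked through in an added shell example that is not from this thread or from the Monkeysphere project: it builds a constructed, hypothetical "Demo Root CA" -> "Demo Intermediate CA" -> xyz.com chain with openssl, reads off who issued what, verifies the chain, flags a leaf certified by an intermediate, and pins the issuer seen on first contact so a later xyz.com certificate from a different CA is reported (the detection idea behind the add-on mentioned in the quoted mail). It assumes an openssl binary on PATH; the root signing a second xyz.com certificate directly stands in for "another trusted CA".

```shell
#!/bin/sh
# Constructed demo, not code from the thread: a hypothetical root -> intermediate -> leaf
# chain for xyz.com, built with openssl so the checks below can run offline.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
K="-nodes -newkey rsa:2048"   # throwaway, unencrypted demo keys (word-split on purpose)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$W/ca.ext"
openssl req -new $K -keyout "$W/root.key" -out "$W/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 2 -extfile "$W/ca.ext" \
  -out "$W/root.pem" 2>/dev/null
openssl req -new $K -keyout "$W/int.key" -out "$W/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" -CAcreateserial \
  -days 2 -extfile "$W/ca.ext" -out "$W/int.pem" 2>/dev/null
openssl req -new $K -keyout "$W/leaf.key" -out "$W/leaf.csr" -subj "/CN=xyz.com" 2>/dev/null
openssl x509 -req -in "$W/leaf.csr" -CA "$W/int.pem" -CAkey "$W/int.key" -CAcreateserial \
  -days 2 -out "$W/leaf.pem" 2>/dev/null
# A second xyz.com certificate from a different CA (here the root signs it directly):
# this stands in for the "bogus certificate from a cooperative CA" case in the thread.
openssl x509 -req -in "$W/leaf.csr" -CA "$W/root.pem" -CAkey "$W/root.key" -CAcreateserial \
  -days 2 -out "$W/leaf_other.pem" 2>/dev/null

# Q1/Q2: who signed a certificate; a root is self-signed, so issuer equals subject.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | cut -d= -f2-; }
subject_of() { openssl x509 -in "$1" -noout -subject | cut -d= -f2-; }
is_root()    { [ "$(issuer_of "$1")" = "$(subject_of "$1")" ]; }
# Q2: does leaf -> intermediate -> root link up under the trusted root?
verify_chain() { openssl verify -CAfile "$W/root.pem" -untrusted "$W/int.pem" "$1" >/dev/null 2>&1; }
# Q3: true when certificate $1 was issued by $2 and $2 is not itself a root.
signed_by_intermediate() { [ "$(issuer_of "$1")" = "$(subject_of "$2")" ] && ! is_root "$2"; }
# Issuer pinning, the idea behind the add-on mentioned in the thread: remember the issuer
# seen first; return 1 when a later certificate for the site names a different issuer.
check_pin() {  # $1 = pin file, $2 = certificate
  cur=$(issuer_of "$2")
  if [ ! -f "$1" ]; then printf '%s\n' "$cur" > "$1"; return 0; fi
  [ "$(cat "$1")" = "$cur" ]
}

for c in root int leaf; do
  printf '%-4s subject: %s\n     issuer:  %s\n' "$c" "$(subject_of "$W/$c.pem")" "$(issuer_of "$W/$c.pem")"
done
verify_chain "$W/leaf.pem" && echo "leaf chain verifies under Demo Root CA"
signed_by_intermediate "$W/leaf.pem" "$W/int.pem" && echo "xyz.com is certified by an intermediate CA"
check_pin "$W/pin" "$W/leaf.pem" && echo "pinned issuer for xyz.com: $(cat "$W/pin")"
# The substitute certificate also verifies (its CA is trusted); only the pin notices.
verify_chain "$W/leaf_other.pem" && echo "substitute certificate also verifies"
check_pin "$W/pin" "$W/leaf_other.pem" || echo "WARNING: xyz.com issuer changed to $(issuer_of "$W/leaf_other.pem")"
```

Question 4 is a policy matter between the site operator and its CA, so the script does not cover it; the pin file is what turns a silent issuer swap into a visible warning.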


--- On Thu, 3/25/10, Ted Smith <teddks at gmail.com> wrote:

> From: Ted Smith <teddks at gmail.com>
> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> To: "Sarad AV" <jtrjtrjtr2001 at yahoo.com>, "R.A. Hettinga" <rah at shipwright.com>
> Cc: cypherpunks at al-qaeda.net
> Date: Thursday, March 25, 2010, 10:05 PM
>
> More promising (from my point of view) is killing X.509 and replacing it
> with OpenPGP, which is what www.mokeysphere.info is doing.
>
> "Sarad AV" <jtrjtrjtr2001 at yahoo.com> wrote:
>
> >Soghoian says they are releasing a Firefox add-on to notify users when a
> >site's certificate is issued from an authority in a different country than
> >the last certificate the user's browser accepted from the site.
> >
> >If you have any further information on it or any other countermeasures
> >implemented, please do keep us in the loop. This attack is upsetting.
> >
> >Sarad.
> >
> >--- On Thu, 3/25/10, R.A. Hettinga <rah at shipwright.com> wrote:
> >
> >> From: R.A. Hettinga <rah at shipwright.com>
> >> Subject: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> >> To: cypherpunks at al-qaeda.net
> >> Date: Thursday, March 25, 2010, 2:29 AM
> >>
> >> Begin forwarded message:
> >>
> >> > From: privacy at vortex.com
> >> > Date: March 24, 2010 3:53:44 PM AST
> >> > To: privacy-list at vortex.com
> >> > Subject: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> >> >
> >> > ----- Forwarded message from Dave Farber <dave at farber.net> -----
> >> >
> >> > Date: Wed, 24 Mar 2010 15:34:27 -0400
> >> > From: Dave Farber <dave at farber.net>
> >> > Subject: [IP] Surveillance via bogus SSL certificates
> >> > Reply-To: dave at farber.net
> >> > To: ip <ip at v2.listbox.com>
> >> >
> >> > Begin forwarded message:
> >> >
> >> >> From: Matt Blaze <mab at crypto.com>
> >> >> Date: March 24, 2010 3:09:19 PM EDT
> >> >> To: Dave Farber <dave at farber.net>
> >> >> Subject: Surveillance via bogus SSL certificates
> >> >>
> >> >> Dave,
> >> >>
> >> >> For IP if you'd like.
> >> >>
> >> >> Over a decade ago, I observed that commercial certificate authorities
> >> >> protect you from anyone from whom they are unwilling to take money.
> >> >> That turns out to be wrong; they don't even do that.
> >> >>
> >> >> Chris Soghoian and Sid Stamm published a paper today that describes a
> >> >> simple "appliance"-type box, marketed to law enforcement and
> >> >> intelligence agencies in the US and elsewhere, that uses bogus
> >> >> certificates issued by *any* cooperative certificate authority to act as
> >> >> a "man-in-the-middle" for encrypted web traffic.
> >> >>
> >> >> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
> >> >>
> >> >> What I found most interesting (and surprising) is that this sort of
> >> >> surveillance is widespread enough to support fairly mature, turnkey
> >> >> commercial products. It carries some significant disadvantages for
> >> >> law enforcement -- most particularly it can potentially be detected.
> >> >>
> >> >> I briefly discuss the implications of this kind of surveillance at
> >> >> http://www.crypto.com/blog/spycerts/
> >> >>
> >> >> Also, Wired has a story here:
> >> >> http://www.wired.com/threatlevel/2010/03/packet-forensics/
> >> >>
> >> >> -matt
> >> >
> >> > -------------------------------------------
> >> > Archives: https://www.listbox.com/member/archive/247/=now
> >> > RSS Feed: https://www.listbox.com/member/archive/rss/247/
> >> > Powered by Listbox: http://www.listbox.com
> >> >
> >> > ----- End forwarded message -----
> >> >
> >> > _______________________________________________
> >> > privacy mailing list
> >> > http://lists.vortex.com/mailman/listinfo/privacy
>
> --
> Sent from my Android phone with K-9. Please excuse lack of
> OpenPGP signature and brevity.





More information about the cypherpunks-legacy mailing list