Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Sarad AV jtrjtrjtr2001 at yahoo.com
Wed Mar 31 01:15:20 PDT 2010


--- On Tue, 3/30/10, Rayservers <rayservers at gmail.com> wrote:

> From: Rayservers <rayservers at gmail.com>
> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> To: "Sarad AV" <jtrjtrjtr2001 at yahoo.com>
> Cc: cypherpunks at al-qaeda.net, teddks at gmail.com
> Date: Tuesday, March 30, 2010, 6:58 PM
> On 03/30/10 07:03, Sarad AV wrote:
> > Hello,
> >
> > thank you. There was a small typo in the link you posted. It is
> >
> > http://web.monkeysphere.info/
> >
> > Some questions.
> >
> > Monkeysphere says:
> > Everyone who has used a web browser has been interrupted by the "Are you sure
> > you want to connect?" warning message, which occurs when the browser finds the
> > site's certificate unacceptable. But web browser vendors (e.g. Microsoft or
> > Mozilla) should not be responsible for determining whom (or what) the user
> > trusts to certify the authenticity of a website, or the identity of another
> > user online. The user herself should have the final say, and designation of
> > trust should be done on the basis of human interaction. The Monkeysphere
> > project aims to make that possibility a reality.
> >
> > Will try this out. In the meantime, other questions related to browser
> > certificates:
> >
> > 1. How do we know which CAs (root/intermediate) have certified a domain
> > xyz.com?
> >
> > 2. How do we know the CA trust chain, i.e. who all are the root CAs and who
> > are the intermediate CAs, and which root CA is associated with a given
> > intermediate CA?
> >
> > 3. Can we make the browser notify us if a domain was certified by an
> > intermediate CA?
> >
> > 4. Say domain xyz.com is certified by CA 'A' and CA 'B', whose
> > (root/intermediate) certificates are available in the browser. If I find CA
> > 'B' to be malicious, how can I get domain xyz.com certified by CA 'A'?
>
> I have proposed that we strip out ALL outside certificate authorities from an
> open source browser, and distribute such... and to practice what I preach, I
> just went into FF and nuked the bunch - and whee, I can connect, verify the cert
> and login :). The USER - a la Monkeysphere - has to decide if she trusts the
> Certificate Authority - who the hell are they anyway? And to answer my own
> rhetorical question - those that issue the highest TRUST certificates to
> licensed scammers a.k.a. the banks. I do not trust a single one of the
> recommendations of official CAs. If I am forced, like one has to in this world -
> to visit a bank website, I can figure out how much I distrust them all by
> myself. All I want to know is "am I visiting the same site again"... and a "self
> signed" cert is all I need, "ssh style". And yes, I love the Monkeysphere
> approach, which would add meaningful levels of trust to that choice. And no -
> there is no difference in my trust level if the cert says "self signed" or
> "fairysign super duper"; perhaps the former is better! - at least fairysign
> cannot go off and bless the MITM - especially of any sites I run!



Yes, that is a good idea.

Thanks,
Sarad.


>
> The basic error of all these cryptographers is to confound security/encryption
> with identity. It is a very costly error to make, especially for the people who
> blindly use such technology, and one that history shall record as the thing that
> facilitated pervasive surveillance and the thought police [warning: you are about
> to connect to a secure site!] and rampant electronic fraud - the fraud of
> misrepresentation by sleight of hand that bank liabilities are
> non-distinguishable from legal tender by the official scammers of this planet -
> the second layer of circular fraud piled upon the primary circular fraud of
> legal tender.
>
> It is quite a spectacle really.
>
> Cheers,
>
> ---Venkat.
>
> >
> > Thank you,
> > Sarad.
> >
> > --- On Thu, 3/25/10, Ted Smith <teddks at gmail.com> wrote:
> >
> >> From: Ted Smith <teddks at gmail.com>
> >> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> >> To: "Sarad AV" <jtrjtrjtr2001 at yahoo.com>, "R.A. Hettinga" <rah at shipwright.com>
> >> Cc: cypherpunks at al-qaeda.net
> >> Date: Thursday, March 25, 2010, 10:05 PM
> >> More promising (from my point of view) is killing X.509 and replacing it with
> >> OpenPGP, which is what www.mokeysphere.info is doing.
> >>
> >> "Sarad AV" <jtrjtrjtr2001 at yahoo.com> wrote:
> >>
> >>> Soghoian says they are releasing a Firefox add-on to notify users when a
> >>> site's certificate is issued from an authority in a different country than
> >>> the last certificate the user's browser accepted from the site.
> >>>
> >>> If you have any further information on it or any other countermeasures
> >>> implemented, please do keep us in the loop. This attack is upsetting.
> >>>
> >>> Sarad.
> >>>
> >>> --- On Thu, 3/25/10, R.A. Hettinga <rah at shipwright.com> wrote:
> >>>
> >>>> From: R.A. Hettinga <rah at shipwright.com>
> >>>> Subject: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> >>>> To: cypherpunks at al-qaeda.net
> >>>> Date: Thursday, March 25, 2010, 2:29 AM
> >>>> Begin forwarded message:
> >>>>
> >>>>> From: privacy at vortex.com
> >>>>> Date: March 24, 2010 3:53:44 PM AST
> >>>>> To: privacy-list at vortex.com
> >>>>> Subject: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> >>>>>
> >>>>> ----- Forwarded message from Dave Farber <dave at farber.net> -----
> >>>>>
> >>>>> Date: Wed, 24 Mar 2010 15:34:27 -0400
> >>>>> From: Dave Farber <dave at farber.net>
> >>>>> Subject: [IP] Surveillance via bogus SSL certificates
> >>>>> Reply-To: dave at farber.net
> >>>>> To: ip <ip at v2.listbox.com>
> >>>>>
> >>>>> Begin forwarded message:
> >>>>>
> >>>>>> From: Matt Blaze <mab at crypto.com>
> >>>>>> Date: March 24, 2010 3:09:19 PM EDT
> >>>>>> To: Dave Farber <dave at farber.net>
> >>>>>> Subject: Surveillance via bogus SSL certificates
> >>>>>>
> >>>>>> Dave,
> >>>>>>
> >>>>>> For IP if you'd like.
> >>>>>>
> >>>>>> Over a decade ago, I observed that commercial certificate authorities
> >>>>>> protect you from anyone from whom they are unwilling to take money.
> >>>>>> That turns out to be wrong; they don't even do that.
> >>>>>>
> >>>>>> Chris Soghoian and Sid Stamm published a paper today that describes a
> >>>>>> simple "appliance"-type box, marketed to law enforcement and
> >>>>>> intelligence agencies in the US and elsewhere, that uses bogus
> >>>>>> certificates issued by *any* cooperative certificate authority to act as
> >>>>>> a "man-in-the-middle" for encrypted web traffic.
> >>>>>>
> >>>>>> Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf
> >>>>>>
> >>>>>> What I found most interesting (and surprising) is that this sort of
> >>>>>> surveillance is widespread enough to support fairly mature, turnkey
> >>>>>> commercial products. It carries some significant disadvantages for
> >>>>>> law enforcement -- most particularly, it can potentially be detected.
> >>>>>>
> >>>>>> I briefly discuss the implications of this kind of surveillance at
> >>>>>> http://www.crypto.com/blog/spycerts/
> >>>>>>
> >>>>>> Also, Wired has a story here:
> >>>>>> http://www.wired.com/threatlevel/2010/03/packet-forensics/
> >>>>>>
> >>>>>> -matt
> >>>>>
> >>>>> -------------------------------------------
> >>>>> Archives: https://www.listbox.com/member/archive/247/=now
> >>>>> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> >>>>> Powered by Listbox: http://www.listbox.com
> >>>>>
> >>>>> ----- End forwarded message -----
> >>>>>
> >>>>> _______________________________________________
> >>>>> privacy mailing list
> >>>>> http://lists.vortex.com/mailman/listinfo/privacy
> >>
> >> --
> >> Sent from my Android phone with K-9. Please excuse lack of
> >> OpenPGP signature and brevity.
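Two defensive ideas recur in the thread above: Venkat's "am I visiting the same site again" check with an ssh-style remembered certificate, and the Firefox add-on Sarad describes, which warns when a site's certificate comes from an authority in a different country than the last one the browser accepted. The following Python is an added example written for this page; it is not code from Monkeysphere, from the add-on, or from anyone quoted in the thread. It assumes the input shapes Python's standard `ssl` module returns from `SSLSocket.getpeercert()` (a parsed dict) and `getpeercert(binary_form=True)` (DER bytes); the host name `xyz.example` and the certificate observations are constructed, and the DER placeholders stand in for real encodings.

```python
# Added example: a trust-on-first-use certificate memory (ssh style) that also
# classifies a changed certificate by whether its issuing CA, or the CA's
# country, differs from the one last accepted. Illustrative code for this page,
# not code from Monkeysphere, the Firefox add-on, or anyone in the thread.
# Input shapes follow ssl.SSLSocket.getpeercert() / getpeercert(binary_form=True);
# all sample values below are constructed.
import hashlib
from typing import Dict, Tuple


def rdn_to_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s ((('countryName', 'US'),), ...) into a dict."""
    out: Dict[str, str] = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value browser cert viewers show."""
    return hashlib.sha256(der).hexdigest()


def issuer_summary(cert: dict) -> Tuple[str, str]:
    """Return (issuer commonName, issuer countryName) of a parsed certificate."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return issuer.get("commonName", "?"), issuer.get("countryName", "?")


class CertMemory:
    """Remembers the certificate last accepted for each host.

    check() never silently replaces a remembered certificate: a change is
    reported and the caller (ultimately the user) decides whether to accept().
    """

    def __init__(self) -> None:
        self.seen: Dict[str, dict] = {}

    def check(self, host: str, cert: dict, der: bytes) -> str:
        fp = fingerprint(der)
        issuer_cn, issuer_c = issuer_summary(cert)
        record = self.seen.get(host)
        if record is None:
            # Trust on first use: nothing to compare against, so remember it.
            self.accept(host, cert, der)
            return "first-seen"
        if record["fingerprint"] == fp:
            return "unchanged"
        # The certificate changed. Renewal by the same issuer is routine;
        # a new issuer, and above all an issuer in a new country, is the
        # signal worth surfacing to the user.
        if record["issuer_country"] != issuer_c:
            return "issuer-country-changed"
        if record["issuer_cn"] != issuer_cn:
            return "issuer-changed"
        return "renewed-same-issuer"

    def accept(self, host: str, cert: dict, der: bytes) -> None:
        """Record the certificate the user chose to trust for this host."""
        issuer_cn, issuer_c = issuer_summary(cert)
        self.seen[host] = {
            "fingerprint": fingerprint(der),
            "issuer_cn": issuer_cn,
            "issuer_country": issuer_c,
        }


# Constructed observations for the hypothetical host "xyz.example".
# The DER bytes are placeholders; only their fingerprints matter here.
def _cert(issuer_org: str, country: str) -> dict:
    return {
        "subject": ((("commonName", "xyz.example"),),),
        "issuer": ((("countryName", country),),
                   (("organizationName", issuer_org),),
                   (("commonName", issuer_org + " Root"),)),
    }


CERT_A1, DER_A1 = _cert("CA A", "US"), b"constructed-der-A1"
CERT_A2, DER_A2 = _cert("CA A", "US"), b"constructed-der-A2"  # renewal
CERT_B, DER_B = _cert("CA B", "US"), b"constructed-der-B"     # other CA
CERT_C, DER_C = _cert("CA C", "XX"), b"constructed-der-C"     # other country


def demo() -> list:
    """Walk one host through five observations and return the verdicts."""
    memory = CertMemory()
    verdicts = []
    for cert, der in [(CERT_A1, DER_A1), (CERT_A1, DER_A1), (CERT_A2, DER_A2),
                      (CERT_B, DER_B), (CERT_C, DER_C)]:
        verdicts.append(memory.check("xyz.example", cert, der))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In live use the two inputs come from a connected `ssl.SSLSocket` (`sock.getpeercert()` and `sock.getpeercert(binary_form=True)`), and `seen` would be persisted to disk between runs. The issuer field of the leaf certificate is also the answer to question 1 in the thread (which CA certified xyz.com); the chain in question 2 is followed by matching each certificate's issuer name to the subject of the next one up, until a root present in the browser's store. The country comparison is only a heuristic: it catches the case the add-on was built for, and says nothing about a cooperating CA in the same country, which is exactly the concern the thread raises.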




