[Cryptography] MITM company acquires MITM tools

grarpamp grarpamp at gmail.com
Fri Nov 3 10:51:00 PDT 2017


On Wed, Nov 1, 2017 at 12:18 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> This came up on another list, the Comodo CA and all of the roots it controls
> (which include a pile of other CAs unrelated to Comodo that it's bought up
> over the years) was recently acquired by Francisco Partners:
>
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
>
> who also have a stake in SonicWall, "the leader in Deep Packet Inspection
> (DPI) and we've got a lot going on in that space", Procera (same), and
> formerly had a stake in Blue Coat, whose products have been used by repressive
> regimes against their citizens.
>
> It's amusing that a perfect mechanism for performing MITM attacks is now
> controlled by a company who has other arms that actively perform MITM attacks.

It's amusing that root cert bundles are completely filled with
governments and corporations and all other manner of third
parties which you have no reason to assign any real trust to.

CAs are a scam, foisted upon the web industry by marketing,
upon users by the nag icon and popups, and upon browsers
for inclusion money, and other games... all for one purpose only...
the generation of rents over the TLS services back to the CAs
themselves, under threat of loss of revenue due to said panic nag
reaction if they don't pay up... pure genius. Hook, line, sinker.

Now of course the system is being exploited by the above
parties, rogues, spies, and criminal hackers alike.

TOFU combined with decentralized cert and revocation observatories
injected with the occasional out of band verification, would have been
sufficient.

We even more so now have that ability... where perhaps a transaction
on a blockchain is a website's cert fingerprint signed by its CEO, and
confirmations are perhaps each new matching TOFU from userland.
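
Added example, not part of the original message or of any project it mentions: a minimal sketch of the TOFU-plus-observatories check described above, where a new or changed fingerprint is accepted only if a quorum of independent observers sees the same certificate. The class name, return labels, quorum value and certificate byte strings are assumptions constructed for illustration.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()

class TofuPinStore:
    """Hypothetical pin store: TOFU backed by an observatory quorum."""

    def __init__(self, quorum: int = 2):
        self.pins = {}        # host -> pinned fingerprint
        self.quorum = quorum  # observers that must report the same cert

    def check(self, host, cert_der, observed, revoked=(), oob=None):
        fp = fingerprint(cert_der)
        if fp in revoked:                 # revocation observatory says no
            return "reject-revoked"
        if oob is not None:               # out-of-band value is authoritative
            if fp != oob:
                return "reject-oob-mismatch"
            self.pins[host] = fp
            return "verified-oob"
        pinned = self.pins.get(host)
        if pinned == fp:                  # ordinary TOFU hit
            return "match"
        # New or changed cert: a local interceptor cannot change what
        # independent vantage points see, so require their agreement.
        agree = sum(1 for seen in observed if seen == fp)
        if agree < self.quorum:
            return "reject-first-use" if pinned is None else "reject-mismatch"
        self.pins[host] = fp
        return "pinned" if pinned is None else "rotated"

# Constructed stand-ins for DER-encoded certificates.
SITE_CERT, NEW_CERT, MITM_CERT = b"cert-A", b"cert-B", b"cert-M"

def demo():
    store = TofuPinStore(quorum=2)
    a, b = fingerprint(SITE_CERT), fingerprint(NEW_CERT)
    return [
        store.check("example.org", SITE_CERT, [a, a, a]),          # first use
        store.check("example.org", SITE_CERT, []),                 # repeat visit
        store.check("example.org", MITM_CERT, [a, a, a]),          # local swap
        store.check("example.org", NEW_CERT, [b, b, a]),           # real rotation
        store.check("example.org", SITE_CERT, [b], revoked={a}),   # old cert revoked
        store.check("example.org", NEW_CERT, [], oob=b),           # OOB confirmation
    ]

if __name__ == "__main__":
    print(demo())
```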

