New Research Suggests That Governments May Fake SSL Certificates

Dave Kleiman dave at
Thu Mar 25 08:05:26 EDT 2010

March 24th, 2010 New Research Suggests That Governments May Fake SSL Certificates
Technical Analysis by Seth Schoen

"Today two computer security researchers, Christopher Soghoian and Sid Stamm, released a draft of a forthcoming research paper in which they present evidence that certificate authorities (CAs) may be cooperating with government agencies to help them spy undetected on "secure" encrypted communications. (EFF sometimes advises Soghoian on responsible disclosure issues, including for this paper.) More details and reporting are available at Wired today. The draft paper includes marketing materials from Packet Forensics, an Arizona company, which suggests that government "users have the ability to import a copy of any legitimate keys they obtain (potentially by court order)" into Packet Forensics products in order to impersonate sites and trick users into "a false sense of security afforded by web, e-mail, or VoIP encryption". This would allow those governments to routinely bypass encryption without breaking it."

"Soghoian and Stamm also observe that browsers trust huge numbers of CAs — and all of those organizations are trusted completely, so that the validity of any entity they approve is accepted without question. Every organization on a browser's trusted list has the power to certify sites all around the world. Existing browsers do not consider whether a certificate was signed by a different CA than before; a laptop that has seen Gmail's site certified by a subsidiary of U.S.-based VeriSign thousands of times would raise no alarm if Gmail suddenly appeared to present a different key apparently certified by an authority in Poland, the United Arab Emirates, Turkey, or Brazil. Yet such a change would be an indication that the user's encrypted HTTP traffic was being intercepted."

Dave Kleiman - - 

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410

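As an added illustration of the continuity check the quoted passage says browsers lack (example code written for this page, not from the post, the EFF article or the Soghoian/Stamm paper): a trust-on-first-use store that records the issuing CA and the SPKI fingerprint per host and reports a later certificate vouched for by a different CA, or carrying a different key, as an anomaly. Host names, CA names and key bytes are constructed placeholders, not real certificates.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One certificate seen for a host (constructed fields, not parsed TLS)."""
    host: str
    issuer: str      # issuer DN of the leaf certificate, i.e. the signing CA
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo of the leaf key

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the SPKI, the usual pin format."""
    return hashlib.sha256(spki_der).hexdigest()

class ContinuityStore:
    """Remembers (issuer, SPKI fingerprint) per host and flags changes."""

    def __init__(self) -> None:
        self._pins: dict[str, tuple[str, str]] = {}

    def check(self, obs: Observation) -> str:
        fp = spki_fingerprint(obs.spki_der)
        prev = self._pins.get(obs.host)
        if prev is None:
            self._pins[obs.host] = (obs.issuer, fp)  # trust on first use
            return "FIRST_SEEN"
        if prev == (obs.issuer, fp):
            return "MATCH"
        # The pin is deliberately not updated here: a change must be confirmed
        # out of band before accept() replaces the stored record.
        if prev[0] != obs.issuer:
            return "ISSUER_CHANGED"  # a CA other than before vouches for the host
        return "KEY_CHANGED"         # same CA, different public key

    def accept(self, obs: Observation) -> None:
        """Replace the stored pin once the change was verified legitimate."""
        self._pins[obs.host] = (obs.issuer, spki_fingerprint(obs.spki_der))

def demo() -> list[str]:
    """Constructed sequence: steady state, then a certificate from another CA."""
    store = ContinuityStore()
    key_a, key_b = b"constructed-spki-bytes-A", b"constructed-spki-bytes-B"
    seq = [
        Observation("mail.example.com", "CN=Example Root CA 1", key_a),
        Observation("mail.example.com", "CN=Example Root CA 1", key_a),
        Observation("mail.example.com", "CN=Example Root CA 2", key_b),
        Observation("mail.example.com", "CN=Example Root CA 1", key_b),
    ]
    return [store.check(o) for o in seq]
```

Pins are only replaced through accept(), so a legitimate key rotation or CA switch still surfaces once for review rather than silently resetting the baseline.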