Law Enforcement Appliance Subverts SSL
dan at geer.org
Thu Mar 25 08:58:33 EDT 2010
Rui Paulo writes:
-+---------------
| http://www.wired.com/threatlevel/2010/03/packet-forensics/
|
| "At a recent wiretapping convention however, security researcher Chris
| Soghoian discovered that a small company was marketing internet spying
| boxes to the feds designed to intercept those communications, without
| breaking the encryption, by using forged security certificates, instead
| of the real ones that websites use to verify secure connections. To use
| the appliance, the government would need to acquire a forged certificate
| from any one of more than 100 trusted Certificate Authorities."
|
I rather like Cormac Herley's paper:
http://preview.tinyurl.com/yko7lhg
So Long, And No Thanks for the Externalities:
The Rational Rejection of Security Advice by Users
which I cite here for this line:
It is hard to blame users for not being interested in SSL
and certificates when (as far as we can determine) 100% of
all certificate errors seen by users are false positives.
--dan
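The point in the quoted article, as an added example that is not part of this thread or of the appliance vendor's product: with Go's standard-library x509 code and two constructed CAs that are both in the client's root store, a certificate for example.com issued by the "other" CA passes ordinary path validation exactly like the real one (so no certificate error is ever shown), and only a key-pinning check, which compares the server's SubjectPublicKeyInfo against a value recorded on an earlier known-good connection, tells the two apart. All certificates, CA names and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a CA or server certificate for name, signed by parent/parentKey or self-signed when parent is nil (constructed test data, not real certs).
func issue(name string, serial int64, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainValid is ordinary path validation, what a browser does: any trusted root will do.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// SpkiPin hashes the DER SubjectPublicKeyInfo; a pinning client compares this, not the chain.
func SpkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Demo: the client trusts two roots, the site's real CA and a second CA that also issued a cert for the site's name. Returns (realChainOK, forgedChainOK, forgedMatchesPin).
func Demo() (realOK, forgedOK, pinMatches bool) {
	realCA, realKey := issue("Real CA", 1, true, nil, nil)
	otherCA, otherKey := issue("Other Trusted CA", 2, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(otherCA)
	site, _ := issue("example.com", 3, false, realCA, realKey)
	forged, _ := issue("example.com", 4, false, otherCA, otherKey)
	pin := SpkiPin(site) // recorded on an earlier, known-good connection
	return ChainValid(site, roots, "example.com"), ChainValid(forged, roots, "example.com"), SpkiPin(forged) == pin
}
```

Demo returns true, true, false: both chains validate, and only the pin comparison rejects the second certificate.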
---------------------------------------------------------------------
The Cryptography Mailing List