Law Enforcement Appliance Subverts SSL

Thu Mar 25 08:58:33 EDT 2010

Rui Paulo writes:
 | "At a recent wiretapping convention however, security researcher Chris
 | Soghoian discovered that a small company was marketing internet spying
 | boxes to the feds designed to intercept those communications, without
 | breaking the encryption, by using forged security certificates, instead
 | of the real ones that websites use to verify secure connections. To use
 | the appliance, the government would need to acquire a forged certificate
 | from any one of more than 100 trusted Certificate Authorities."

I rather like Cormac Herley's paper:
  So Long, And No Thanks for the Externalities:
  The Rational Rejection of Security Advice by Users

which I cite here for this line:

  It is hard to blame users for not being interested in SSL
  and certificates when (as far as we can determine) 100% of
  all certificate errors seen by users are false positives.
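The quoted article's point is that the interception box does not break the
encryption at all: it presents a certificate that chains to some trusted CA,
and the default check (name matches, issuer is trusted) passes. The following
is an added illustration, not code from the post or the article, of why a pin
on the expected certificate catches that substitution while the trust-store
check alone cannot. X.509 parsing and chain building are abstracted away:
the `Cert` type, the CA names and the "DER" byte strings are constructed
stand-ins, and `TRUSTED_CAS` plays the role of the browser's root store.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical trust store: in the appliance scenario, any one of these
# CAs could issue a certificate for a site it has no relationship with.
TRUSTED_CAS = {"CA-Alpha", "CA-Beta", "CA-Gamma"}


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str   # the CA that signed this certificate
    der: bytes    # placeholder for the DER encoding; pins hash these bytes


def fingerprint(cert: Cert) -> str:
    """SHA-256 over the encoded certificate, the value a pin would store."""
    return hashlib.sha256(cert.der).hexdigest()


def trust_store_accepts(cert: Cert, hostname: str) -> bool:
    """The default browser check: name matches and issuer is any trusted CA."""
    return cert.subject == hostname and cert.issuer in TRUSTED_CAS


def evaluate(cert: Cert, hostname: str, pins: dict[str, set[str]]) -> str:
    """Combine the trust-store check with a pin check and return a verdict.

    pins maps hostname -> set of fingerprints previously approved for it.
    """
    if not trust_store_accepts(cert, hostname):
        return "untrusted"            # chain does not validate at all
    expected = pins.get(hostname)
    if expected is None:
        return "ok-unpinned"          # trust store alone decided
    if fingerprint(cert) in expected:
        return "ok-pinned"
    # Valid chain from a trusted CA, but not the certificate we pinned:
    # the signature of a substituted (forged-but-valid) certificate.
    return "substituted-certificate"


# Constructed sample data: same hostname, two different trusted issuers.
GENUINE = Cert("bank.example", "CA-Alpha", b"constructed-der-bank.example-genuine")
FORGED = Cert("bank.example", "CA-Beta", b"constructed-der-bank.example-forged")
PINS = {"bank.example": {fingerprint(GENUINE)}}


def demo() -> dict[str, str]:
    """Verdicts for the genuine and the substituted certificate."""
    return {
        "genuine": evaluate(GENUINE, "bank.example", PINS),
        "forged": evaluate(FORGED, "bank.example", PINS),
        "forged-unpinned": evaluate(FORGED, "bank.example", {}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "forged-unpinned" case is the one the article describes: with no pin,
the trust store accepts the substitute and the user sees no error at all,
which is also why the Herley quote's "100% false positives" holds from the
user's seat.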
