[Cryptography] Opening Discussion: Speculation on "BULLRUN"
Perry E. Metzger
perry at piermont.com
Tue Sep 10 17:51:43 EDT 2013
On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley <jabley at hopcount.ca>
wrote:
> On 2013-09-09, at 12:04, "Salz, Rich" <rsalz at akamai.com> wrote:
>
> > then maybe it's not such a "silly accusation" to think that
> > root CAs are routinely distributed to multinational secret
> > services to perform MITM session decryption on any form of
> > communication that derives its security from the CA PKI.
> >
> > How would this work, in practice?
>
> Suppose Mallory has access to the private keys of CAs which are in
> "the" browser list or otherwise widely-trusted.
>
> An on-path attack between Alice and Bob would allow Mallory to
> terminate Alice's TLS connection, presenting an
> opportunistically-generated server-side certificate with signatures
> that allow it to be trusted by Alice without pop-ups and warnings.
Note that the apparent attacks against Petrobras, SWIFT and others
disclosed a few days ago appear to have used precisely this attack.
Perry
--
Perry E. Metzger perry at piermont.com
More information about the cryptography
mailing list