[Cryptography] "Trust in digital certificate ecosystem eroding"
Ray Dillinger
bear at sonic.net
Mon May 4 17:50:01 EDT 2015
On 05/01/2015 10:39 PM, Christian Huitema wrote:
>>> to solve a problem that wasn't obvious about 20 years
>>> ago when the system got introduced.
>>
>> I'm pretty sure this problem was obvious 20 years ago.
>
> There have been attacks that hacked or abused CA privileges. But most of the attacks follow a simpler path -- tricking or convincing the user to add a particular CA to the root store of their device, or browser. Many corporations do that -- add the local firewall's certificate to the root store of corporate-owned machines, so they can break the encryption and encrypt the traffic at the firewall. Many schools will force a certificate like that on the student's computer, as a condition for using the school's network. Some ISP and hot spots are rumored to do it.
>
Absolutely true. I worked for several years at a company
where all the machines on the local network had installed
versions of browsers etc that knew exactly one root CA -
which was managed by the company's firewall.
Literally all encrypted traffic was decrypted "for log
maintenance purposes" at the firewall, re-encrypted and
sent onward to the machines on the company network. All
requests for a certificate were intercepted at the firewall
and got a certificate auto-issued by the firewall's own CA,
which it would then use to re-encrypt that traffic.
All this of course was done in the name of "security..."
Bear
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150504/e421fb46/attachment.sig>
More information about the cryptography
mailing list