[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?
steve jenkin
sjenkin at canb.auug.org.au
Wed Mar 24 20:21:26 MDT 2010
Comments?
<http://www.crypto.com/blog/spycerts/>
"They found turnkey surveillance products, marketed and sold to law
enforcement and intelligence agencies in the US and foreign countries,
designed to collect encrypted SSL traffic based on forged "look-alike"
certificates obtained from cooperative certificate authorities.
"The products (apparently available only to government agencies) appear
sophisticated, mature, and mass-produced, suggesting that "certified
man-in-the-middle" web surveillance is at least commonplace and
widespread enough to support an active vendor community."
"Wired's Ryan Singel reports in depth here."
<http://www.wired.com/threatlevel/2010/03/packet-forensics/>
"A paper published today by Chris Soghoian and Sid Stamm suggests that
the threat may be far more practical than previously thought."
<http://files.cloudprivacy.net/ssl-mitm.pdf>
--
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
More information about the linux
mailing list