[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?

steve jenkin sjenkin at canb.auug.org.au
Wed Mar 24 20:21:26 MDT 2010


Comments?

<http://www.crypto.com/blog/spycerts/>

"They found turnkey surveillance products, marketed and sold to law
enforcement and intelligence agencies in the US and foreign countries,
designed to collect encrypted SSL traffic based on forged "look-alike"
certificates obtained from cooperative certificate authorities.

"The products (apparently available only to government agencies) appear
sophisticated, mature, and mass-produced, suggesting that "certified
man-in-the-middle" web surveillance is at least commonplace and
widespread enough to support an active vendor community."

"Wired's Ryan Singel reports in depth here."
<http://www.wired.com/threatlevel/2010/03/packet-forensics/>

"A paper published today by Chris Soghoian and Sid Stamm suggests that
the threat may be far more practical than previously thought."
<http://files.cloudprivacy.net/ssl-mitm.pdf>

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin


More information about the linux mailing list