[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?

Arjen Lentz arjen at lentz.com.au
Wed Mar 24 20:47:24 MDT 2010


Hi Steve

----- "steve jenkin" <sjenkin at canb.auug.org.au> wrote:
> Comments?
> 
> <http://www.crypto.com/blog/spycerts/>

Not being naive, we can say "bound to happen", "predictable" - but it's very annoying.

What SSL cert authorities actually sell is "trust by proxy".
That is, I purchase an SSL cert from them so that my clients can trust me.

I'd prefer a system that does not rely on intrinsic trust in anybody - but we don't have that.
So now we have a problem, whereby I get to pay regular or premium rates for an SSL cert of whatever nice fancy-stamp-for-client level, to potentially get screwed over anyhow.
All this in a mix of "(national?) security" justification and unsmart commercial enterprisy-ness.

That makes me very unhappy.
No trust from anyone to anyone, and I still have to pay for it. That's just grand.


Regards,
Arjen.
-- 
Arjen Lentz, Exec.Director @ Open Query (http://openquery.com)
Exceptional Services for MySQL at a fixed budget.

Follow our blog at http://openquery.com/blog/
OurDelta: packages for MySQL and MariaDB @ http://ourdelta.org

